
I'm wondering a few things about Azure AD. I currently have a little piece of software with self-managed users, stored in a database, with custom properties, self-generated access tokens, etc. In order to develop microservices and Azure Functions, and handle SSO the right way, I would like to migrate my user management to Azure Active Directory, but I'm a bit lost with its features.

Is there a way to handle custom properties for users in Azure AD?

Users can be assigned to one or many 'agencies', with some 'roles' in this assignment, such as 'agency supervisor', 'agency user', etc. Which AAD feature is best designed for this? Groups? Roles?

Is it a best practice to store custom business-related user properties in an associated database instead of AAD? (Maybe in order to migrate user management later?)

I'm sorry for these questions, but after a lot of research I'm still stuck.

Maybe some of you have great feedback or documentation for me.

Thank you!


1 Answer


There are two products, Azure Active Directory (AAD) and Azure AD B2C. The first one is used within organizations; the latter can be used for multi-tenant situations where you let people from 'outside' your domain register with their own identity provider (other AAD, OAuth, etc.).

Simply said, the AAD is for within the organization, Azure B2C AD is for external users.

The B2C AD features are a layer on top of the 'regular' AAD, so every feature in the AAD is available in B2C AAD as well.

Azure B2C was made with extensibility in mind, and you can (programmatically) add extra schema attributes to the users in your B2C Organization (such as companyId or other identifiers you use to differentiate in your product). We use a mixture of security groups for setting user 'roles', and we use custom claims with the extra schema attributes so I know what client a user belongs to (I'm working on a multi-tenant SaaS app).

If you are going to store a lot of information about the user that is LOB-application data, use a separate database to store that, as the (B2C) AAD is not a very good place to store large amounts of (nested) data.
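An added example, not code from the answer above, of how the two pieces it describes fit together: the Microsoft Graph property name under which a B2C extension attribute is stored (`extension_<appId without dashes>_<name>`), the `PATCH /users/{id}` request that sets it, and a lookup from security-group membership (as returned by `GET /users/{id}/memberOf`) to application roles. The extensions app id, the user id and the group object ids are placeholders; the `memberOf` payload is constructed to mirror the Graph response shape.

```python
"""Added example: shaping Graph requests for Azure AD B2C extension
attributes and mapping security groups to application roles. Offline only:
it builds and interprets payloads, it does not call Graph."""
import re
from typing import Any

GRAPH = "https://graph.microsoft.com/v1.0"

# Placeholder (assumption): the application (client) id of the tenant's
# b2c-extensions-app registration, which owns the custom attributes.
EXTENSIONS_APP_ID = "00000000-0000-0000-0000-000000000000"

# Constructed mapping from security-group object ids (placeholders) to the
# roles the application understands.
GROUP_ROLES = {
    "11111111-1111-1111-1111-111111111111": "agency_supervisor",
    "22222222-2222-2222-2222-222222222222": "agency_user",
}


def extension_attribute_name(app_id: str, name: str) -> str:
    """Graph stores a custom attribute as extension_<appId no dashes>_<name>."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", name):
        raise ValueError("attribute name must be alphanumeric")  # Graph rejects others
    return f"extension_{app_id.replace('-', '')}_{name}"


def build_user_patch(user_id: str, app_id: str, attrs: dict[str, Any]) -> dict:
    """Describe the PATCH /users/{id} request that sets custom attributes."""
    body = {extension_attribute_name(app_id, k): v for k, v in attrs.items()}
    return {"method": "PATCH", "url": f"{GRAPH}/users/{user_id}",
            "headers": {"Content-Type": "application/json"}, "body": body}


def read_extension(user: dict, app_id: str, name: str, default: Any = None) -> Any:
    """Read a custom attribute back from a user object returned by Graph."""
    return user.get(extension_attribute_name(app_id, name), default)


def roles_from_member_of(member_of: list[dict]) -> set[str]:
    """Map memberOf entries to roles: only security groups that are in
    GROUP_ROLES count; directory roles and unknown groups are ignored."""
    return {GROUP_ROLES[g["id"]] for g in member_of
            if g.get("@odata.type") == "#microsoft.graph.group"
            and g.get("securityEnabled") and g["id"] in GROUP_ROLES}
```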