Geek Answers Handbook

Azure AD multitenant Permissions

I have an Azure webapp that manages it through Azure AD. I want users to be able to register in my ADRE AD directory to create an account (self-service), so I provided an application for reading and writing to the directory and set up the page using the Graph API to create users.

So far, everything is fine. But the problem that I am facing right now is that I want to enable multi-year leases, so users of external AD directories can log into my application. This works, but I need to log in as an account administrator because it also requests read and write access to my account.

Is there any way to fix this? I just want read and write access to my directory to be able to create user accounts. I do not want to ask permission to relate to their directory, because most likely they will not trust my application.

Thanks.

+7
c # asp.net-mvc-5 azure azure-active-directory
source share
3 answers

I found a quick and dirty solution: add another application in Active Directory. This application should be the only tenant and only have permission to read and write the active directory. We can use these credentials to access the Graph API and other application credentials to authenticate users.

I am waiting for someone to have a better solution for this scenario ...

+2
source share

Sorry for the late reply here. In general, creating an object in a directory (for example, for users) requires administrator permission. It also looks like the web application you are creating is using application-only permissions, which definitely requires administrator consent. In the case of several tenants, the administrator of the negotiating tenant must agree with this type of application - only someone from this role really has the right to grant consent to this level of access.

We hope for help

0
source share

There is no need to use an additional application instead of the authentication role - in any case, there may be some specific side effects for the authenticating user, such as extraneous / incomplete logging, role mismatches, and missing system / internal links.

What do you use for credentials for your application (TenantID, etc.)? AD is very strict in credential management, so I will return to the structure of the application.

At the query level, you can make all tables completely separate for each tenant without common table data and include a multi-user identifier type column so that no one can inject sql if you would necessarily include the multican identifier in an explicit variable.

Then, in the entity model, you can inherit the multican interface for everyone who refers to tenant identifiers (as part of EF).

Thus, the burden is isolated from OAuth or other libraries on top of this to take care of third-party authentication.

0
source share

More articles:


All Articles