
We want to build a SaaS application. We separate individual servers/instances and the DB for every customer. Our SaaS model:

[image: diagram of the SaaS model]

As part of our app, we want to use Azure AD (multitenant) for identity management. We have a few cases:

  • A few of our customers don't have organizational email; how can we manage them in Azure AD (they may only have Gmail)?
  • We decided to set application-level roles/permissions for every API endpoint. For this scenario, how do we manage those roles/permissions in Azure AD, and who is responsible for assigning those roles to every client's users after onboarding?
  • For every company we have a user limit; how can we restrict a company's users (e.g. only 5 users from a company are able to use our application)?
  • We have a special case of module-based permissions for our customers. How can we manage this?

When an organization/company starts to use our application, we want to give them an admin panel where they can manage their permission-related things, like adding or removing roles for their users. Is that possible? (All roles/permissions are fixed on our side; they only assign those roles to their users.)

1 Answer


++A few of our customers don't have organizational email; how can we manage them in Azure AD?

->You can invite them into the tenant; then they can use their Gmail account to sign in to the tenant.

++set application-level roles/permissions for every API endpoint ... how to manage ... responsible for assigning ...

->I can't understand it, but I think it's based on your requirement; a user who has the admin role may take that responsibility.

++have a user limit; how can we restrict a company's users ...

->Follow this document to set who can use the Azure AD application you registered for authentication to sign in to the application.

++module-based permissions for our customers

-> Role management?

++adding or removing roles for their users, is it possible

-> If there's no admin panel for each company, then you may follow this answer to set roles for users and validate whether the access token contains the correct role, so that the user can access the page.

Let's assume you have an application with a frontend app as the client and a web API project as the server. Then in the frontend app you need to integrate the MSAL library to let users sign in with their user@xx.onmicrosoft.com account or Gmail account. Then the frontend app needs to acquire an access token and call the API with it. The token should contain enough information that the API can validate whether the token has enough privilege to get the data. And in the frontend app, you also need to control page redirects via the access token or ID token.

Then here's the official sample document.

In the end, Azure AD provides user management and sign-in features. It also provides API management features. If you have any other questions, I recommend creating a new question with more specific requirements.

Tiny Wang
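As an added example (not part of the question or of the answer above), here is what the API-side check the answer describes can look like once the token has been verified: a small claims-based policy for a multitenant web API that maps each endpoint to the Azure AD app roles allowed to call it, gates those roles by the module the customer has licensed, and enforces the per-company seat limit the question asks about. The claim names `tid` (tenant id), `oid` (user object id) and `roles` (assigned app roles) are the ones Azure AD puts in its access tokens; the role names, module names, tenant ids and endpoint paths are constructed for the example. It assumes signature, issuer, audience and expiry have already been checked by a JWT library and that the policy only ever sees verified claims.

```python
from dataclasses import dataclass, field

# App roles are declared once in the app registration manifest (appRoles) and
# show up in the access token's `roles` claim; the customer's admin assigns them
# to users but cannot invent new ones. Names here are constructed for the example.
ENDPOINT_ROLES = {
    ("GET", "/api/invoices"): {"Invoice.Read", "Invoice.Write"},
    ("POST", "/api/invoices"): {"Invoice.Write"},
    ("GET", "/api/reports"): {"Report.Read"},
}

# Module each role belongs to, so a tenant that has not licensed a module is
# refused even if one of its users was assigned a role from it.
ROLE_MODULE = {
    "Invoice.Read": "invoicing",
    "Invoice.Write": "invoicing",
    "Report.Read": "reporting",
}


@dataclass
class Tenant:
    """Per-customer record kept on the SaaS side (constructed for the example)."""
    tenant_id: str            # Azure AD tenant id, matched against the `tid` claim
    modules: set              # modules this customer has licensed
    seat_limit: int           # maximum number of distinct users allowed to use the app
    seats: set = field(default_factory=set)  # `oid` values already occupying a seat


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(claims: dict, method: str, path: str, tenants: dict) -> Decision:
    """Decide whether an already-verified token may call `method path`.

    `claims` is the token payload after a JWT library has checked signature,
    issuer, audience and expiry; this function never trusts an unverified token.
    Checks run from the cheapest to the only one with a side effect (seat
    admission), so a caller who fails a role check never consumes a seat.
    """
    # 1. Claims the policy depends on must be present (a token obtained through
    #    a flow that carries no user, e.g. client credentials, has no `oid`).
    for name in ("tid", "oid"):
        if not claims.get(name):
            return Decision(False, f"missing claim {name}")

    # 2. Only onboarded tenants. B2B guests invited into a customer's tenant
    #    sign in to that tenant and get its `tid`, so Gmail users land in the
    #    right customer bucket.
    tenant = tenants.get(claims["tid"])
    if tenant is None:
        return Decision(False, "tenant not onboarded")

    # 3. Deny by default: an endpoint without a role mapping is not reachable.
    required = ENDPOINT_ROLES.get((method, path))
    if required is None:
        return Decision(False, "unknown endpoint")
    matching = set(claims.get("roles", [])) & required
    if not matching:
        return Decision(False, "role missing")

    # 4. Module gate on top of the role: holding the role alone is not enough.
    if not any(ROLE_MODULE[role] in tenant.modules for role in matching):
        return Decision(False, "module not licensed")

    # 5. Seat limit: known users keep their seat, new ones need a free one.
    oid = claims["oid"]
    if oid not in tenant.seats:
        if len(tenant.seats) >= tenant.seat_limit:
            return Decision(False, "seat limit reached")
        tenant.seats.add(oid)

    return Decision(True, "ok")


def demo() -> list:
    """Run a handful of constructed claim sets through the policy."""
    tenants = {"tid-contoso": Tenant("tid-contoso", {"invoicing"}, seat_limit=2)}
    calls = [
        ({"tid": "tid-contoso", "oid": "oid-alice", "roles": ["Invoice.Read"]}, "GET", "/api/invoices"),
        ({"tid": "tid-contoso", "oid": "oid-alice", "roles": ["Invoice.Read"]}, "POST", "/api/invoices"),
        ({"tid": "tid-contoso", "oid": "oid-bob", "roles": ["Report.Read"]}, "GET", "/api/reports"),
        ({"tid": "tid-contoso", "oid": "oid-carol", "roles": ["Invoice.Write"]}, "GET", "/api/invoices"),
        ({"tid": "tid-contoso", "oid": "oid-dave", "roles": ["Invoice.Read"]}, "GET", "/api/invoices"),
        ({"tid": "tid-fabrikam", "oid": "oid-eve", "roles": ["Invoice.Read"]}, "GET", "/api/invoices"),
    ]
    results = [authorize(c, m, p, tenants).reason for c, m, p in calls]
    for (c, m, p), r in zip(calls, results):
        print(f"{c['oid']:10} {m:4} {p:14} -> {r}")
    return results


if __name__ == "__main__":
    demo()
```

In a real deployment the claims passed to `authorize` come from a library that validates the token against the tenant's published signing keys (for example PyJWT with its `PyJWKClient`), and the `Tenant` records are what the customer's admin panel maintains: the admin picks from the fixed set of app roles, while the seat limit and licensed modules stay under the SaaS provider's control. Ordering the checks so that seat admission comes last means a user who was assigned a role for an unlicensed module does not silently use up one of the company's seats.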