Azure AD, to get access to Azure SQL - azure

I have made a Blazor app, that authenticate users in my AzureAD, that works out of the box and are very smooth. Users are from different customers and are in a ADgroups for every customer, but use the same APP, and have roles from the App-setting in AzureAD.
Problem:
The customers have their own SQL with data and users must only see data from their own Azure-SQL, so I have a long list of SQL databases, one for each customer. When I validate a user, I can only get the AD-group-GUID from tokens, so how do I differentiate the SQL databases, for every customer?
My solution so far is to have a manually updated table with the customerID and AzureAD group GUID and use this to allow access to the users, to their data, but this seems to be a workaround.
Can some of you think of a better solution to this problem, where users must only access one of N* databases, allowed from a AzureAD group?

Related

Azure AD B2C - Get id of the authenticated user

I have a to-do app, where users can log in, I assign certain tickets to them, they can see only the tickets assigned to them, and they can mark them as done (this is a simplified version of a real app with about 300 users).
My current authentication set-up is a simple email/hashed password saved on the database. I have a list of users, in my tickets table I have assigned_to_id where I save user_id.
Now, if I want to migrate to Azure AD B2C (I can't use basic Azure AD Connect because my users are using their personal email, if I understand well I need to use Azure AD B2C), how will I know the id of the user to which I should assign it to? How do I know which tickets I should show to the authenticated user?
I find it a bit confusing when I don't get to manage this on my own db.
Do I need to change the assigned_to_email and compare the assigned email and authenticated email? When there is a new user, do I have to create it on Azure and on my db?

Grant only one one user to specific azure database and restrict all users from that database

I have one azure SQL server PPP with Four Database.
Database are : A , B, C and D.
And there some azure AD groups and members which have access to this PPP Server.
So all AD members having access to all four database.
but my Requirement is to give only permission to user "Ram" and restrict access from all other users for Database D.
So only user ram can access database D. Even Ram can access all other database.
How I can achieve this.
You can Alter the permission of the users or you can go to the particular Azure SQL database and remove the users from there which users are not required. Generally the Login is created in Server and users are created one each databases accordingly. If the users are created in master database then it will be difficult to restrict the permissions.

What are my options if I need to store data on behalf of a user in Microsoft Azure?

I am building a Microsoft Teams application and I need to store sensitive user data (access tokens and some additional stuff) for each user using my application.
My requirement is that this data can only be accessible from the user and no one else - and it needs to potentially serve tens of thousands of users. Furthermore, this data shall be accessible from any Microsoft product (i.e. not bound to MS Teams, but let's say, as long as I get a the JWT, then I would be able to access the data).
What are my options using Azure? Is there some kind of storage I can use OOTB? Or, would I need to select an Azure service for this? If yes, which service would be the best? Can I instantiate such service for ALL the users I need to serve, or would I need a separate instance for each tenant the user is coming from (e.g. its company?).
Thanks a lot for helping me out, I tried to figure this out already and I got some ideas, but I am still confused.
Based on the requirement, you can store the sensitive user data with the following options
Azure keyvault: For Secrets Management, Key Management and Certificate Management.
Azure storage tables: To store and retrieve the access tokens, users data and the conversation.

Coupling application data to b2c user account

Forgive my amateur question, however, I can't seem to find an answer on google/stackoverflow.
I created an app (Xamarin) and I want to store application data in a database, for example an Azure SQL database. I created and integrated a tenant in azure b2c for handling user accounts in the app.
I would like to somehow relate data in my "own" database to user accounts in b2c (is this strange?). All I can find is that you can create custom user attributes but this seems, in my opinion, pretty limited. So I need something unique from b2c that "cannot" change to relate to from my own database.
Seems to me like common use case, what is the preferred approach and is there some unique attribute that I can relate to? (object id maybe??)
Users in an Azure AD B2C tenant are identified by the objectId property of the user object.
This objectId property is immutable.
It is common for tokens, which are issued by policies to applications, to contain the sub and/or oid claim/s, which are mapped from the objectId property.
This enables applications to cross-reference their "own" data for users.

ASP.NET Multi-tenant App on Azure - handling authentication and connection to separate tenant databases

I have a Multi-tenant App (ASP.NET Web Forms) on Azure, a single SQL Azure DB stores membership and each tenant has a separate SQL Azure DB for their data. Initially with 10 tenants, each tenant with around 2,000 users, but this could increase up to 50 tenants.
Am I on the right track when it comes to authentication and connecting each user to the appropriate tenant DB...
1). User authenticates with Membership DB
2). Retrieve the users TenantID (which is stored as part of User Profile)
3). Select DB Connection string from cscfg file based on TenantID
4). Store Connection string in Session (AppFabric cache)
The above approach requires storing a separate connection string per tenant within the Azure Service configuration file, which could be up to 50? Is their a better way of doing this? For instance adding an additional table to the membership DB to store connection strings? What is best practice?
Your views and opinions would be greatly received.
Thanks in advance.
Ben
My team built a multi-tenant sample app that you can take a look at, to get ideas about identity management, database management, etc. It maps tenant to tenant database, and also supports multiple database servers to deal with 150-database-per-server limit.
You can grab the Cloud Ninja project here.
Another option that you could look into would be Sharding with SQL Azure:
http://blogs.msdn.com/b/sqlazure/archive/2010/12/23/10108670.aspx
Then you wouldn't need all the databases and to worry about storing all those connection strings.
I don't think there's any major problem in your solution.Ref your concern about the connection string, maybe you can use some algorithm to calculate the tenant database base from the tenant name/id.
One thing for security, when you store tenant connecting string in session, you might need to encrypt or hash, to ensure the end user will not be able to know the connection string and hack into your system.
I think there might be issues storing membership data into a central database. the data will grow along with the growth number of tenants. The database backup need extra step to include membership data as well. I will rather keep membership data into individual tenant DB. In terms of connection string, you can use table storage or a single central db to keep tenant information and related connection string. It is not recommended to store into cscfg file as this is dynamic based on number of tenants. Just my 2 cents.

Resources