I've read how to set up my application to support multiple tenants with each of them having their own Azure AD. But I would also like to support clients without Azure AD. I thought about using Azure AD B2B (inviting them to my Azure AD). But how do I then tell which tenant user belongs to? Token will have my Azure AD as iss. Can I add custom fields to token? Or maybe I should assign them to different groups based on tenant? What is the best way to do it?
Related
I was able to create an App registration for Azure AD B2C inside a regular Azure AD Tenant. I was wondering what the purpose would be for this since it cannot be accessed?
The backstory of this is I was unaware that our Tenant could not have both AD and AD B2C, so I had been trying to use this App registration for my Blazor app login page. This does not work. It does not allow you to add User flows!
I since then created a new Tenant and App and that works now. But this App registration pictured here still remains under this AD Tenant (not B2C), seemingly disconnected and useless. What is going on here? Why am I allowed to create it? This App being stuck out here makes me wonder if Apps are actually independent of how they look in the Azure hierarchy and if that is beneficial in some way -- for instance, being able to register it once for many Tenants to reduce deployment/maintenance.
Azure AD applications and Azure AD B2C applications are separate products. They are independent of each other and cannot coexist in the same tenant, you will not see any Azure AD B2C applications in Azure AD tenants. Even if you click the Azure AD B2C tab to create an App registration in a regular Azure AD tenant, the application is not a b2c application, it is still an AAD application, as you can see, it does not allow you to add user flows because it is still an AAD application.
They are distinguished according to their functions. An Azure AD tenant represents an organization. An Azure AD B2C tenant represents a collection of identities to be used with relying party applications. Even if you click the Azure AD B2C tab in the regular Azure AD tenant to create an application registration, it can only use the functions in the Azure AD tenant. If you To use the features in Azure AD B2C, you can only register the application in the Azure AD B2C tenant.
Azure AD have B2B collaboration for inviting external users.
But what if i wan't to invite an external Azure service that have a MSI.
Is it possible to create an Azure AD group and add a external(another subscription/tenant in Azure) MSI which i can then use to grant access to resources?
Say I wan't to allow a B2B partners Data Factory access to SQL database of ours and I do not wan't to give them a SQL Login.
MSIs are service principals which cannot be invited to other tenants. They are always tenant-specific.
The scenario sounds like you need to give access to something connected to your tenant.
I would suggest creating an App registration (Application),
adding a key, and giving those credentials to the other service.
You can then give the application access to your Azure subscription etc.
Is there a recommended Azure AD strategy for managing internal and our partner users?
We know we can add external users to our Azure AD but we would like a clear separation between the internal and partners users.
I see in Azure you can add another Azure AD so wondering if we can add a new just for external users. But I'm not sure what effect this would have to our current company Azure AD and whether it would have access and/or impact on the features we have in our Azure AD (e.g. O365/Sharepoint/etc).
Or is it recommended just to use groups in Azure AD to separate the internal and external users?
is it recommended just to use groups in Azure AD to separate the
internal and external users?
I think this is the best way to manage your users and partner users.
If you add partner users to another Azure AD, they will not access your default Azure AD resources and app.
Different Azure AD have different resource groups and APP.
I’d like to use scopes in our Azure B2C instance, however all our resources are residing in a different active directory. Can I somehow also select the API instance from another Resource? Or is it possible to upgrade our main AD to an Azure B2C one? Or can we somehow move our subscription and all resources to our Azure B2C AD?
At this point in time, Azure AD B2C does not support multi-tenancy. You can vote and keep track of the feature in the Azure AD B2C UserVoice forum:
How to use Multitenant Applications Based on B2C
Without multitenancy, you will not be able to access resources from other tenants. It is also not possible to upgrade your main AD to an Azure AD B2C tenant, or have subscriptions within your Azure AD B2C Tenant.
Not entirely sure what your scenario is, but the recommended way to do this is by adding Azure AD as an identity provider. This currently can be done using custom policies, but I would encourage waiting until the feature is available through built-in policies.
Do we need Azure Active directory premium to do Role-based or Group based Authorization ?
I ask this question because my Azure portal is not giving me "Users" tab as mentioned in this link.
Group-based access is a Basic/Premium feature as defined here.
Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups to assign access to a SaaS application that's integrated with Azure AD.
You can only assign individual users to apps after you enable User assignment required to access app. But the Users tab should definitely be available though.