anz-yogesh
Jun 30, 2023, Copper Contributor
B2B Multitenant Application Tenant onboarding, roles and permission, grouping same tenant users
We are currently in the process of developing a multi-tenant, B2B SaaS solution using Azure AD B2C for authentication. Our choice to register our app in the B2C tenant was primarily to maintain s...
LeonPavesic
Jun 30, 2023, Silver Contributor
Hi anz-yogesh,
Managing roles and permissions in a multi-tenant B2B SaaS solution using Azure AD B2C can be challenging as Azure AD B2C doesn't natively support roles and permissions in the same way Azure AD does. However, there are several approaches you can consider to achieve role-based access control and manage authorization in your Azure AD B2C application.
Custom Attributes and Claims:
- In Azure AD B2C, you can define custom attributes to represent roles. Let's assume you create a custom attribute called "roles" of type String in your Azure AD B2C tenant.
- During the user sign-up or sign-in process, you can programmatically assign the appropriate role value to the "roles" custom attribute.
- This can be achieved using Azure AD B2C custom policies. Within the custom policy XML file, you can include a technical profile to execute a validation or transformation step that assigns the role value based on your logic.
- Here's an example of a claims transformation in a custom policy that assigns the "superuser" role to the user:

    <ClaimsTransformation Id="AssignSuperUserRole" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_roles" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="boolean">true</InputParameter>
        <InputParameter Id="outputClaim" DataType="string" Value="superuser" />
      </InputParameters>
    </ClaimsTransformation>
- By including this claims transformation in your custom policy, the "superuser" role will be assigned to the user if the specified condition is met.
Custom User Flows:
- Custom user flows allow you to create a tailored user experience that meets your specific requirements.
- For your tenant onboarding workflow, you can create a custom user flow that includes the necessary steps to assign roles.
- Let's say you create a custom user flow called "TenantOnboardingFlow". Within this flow, you can add a step to assign the "superuser" role to the user after successful sign-up or sign-in.
- Here's an example of a user flow definition in Azure AD B2C custom policy XML that includes the role assignment step:

    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <!-- Skip this step unless isNewUser equals true, so the exchange only runs for newly signed-up users.
             With ExecuteActionsIf="true" the step would be skipped for new users instead. -->
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>isNewUser</Value>
          <Value>true</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AssignSuperUserRoleExchange" TechnicalProfileReferenceId="AssignSuperUserRole" />
      </ClaimsExchanges>
    </OrchestrationStep>
- With this custom user flow, the "superuser" role will be assigned to the user after the specified condition is met, such as when the user is a new user.
Azure AD B2C Graph API and Custom Code:
- Using the Azure AD B2C Graph API, you can programmatically manage roles and permissions.
- Firstly, you can create a custom attribute called "roles" in Azure AD B2C. This can be achieved by making a request to the Azure AD B2C Graph API to create a custom user attribute.
- Once the custom attribute is created, you can use the Graph API and custom code (e.g., Python with Microsoft Graph SDK) to assign role values to the "roles" attribute for each user.
- Here's an example in Python using the Microsoft Graph SDK to assign the "superuser" role to a user:

    from azure.identity import ClientSecretCredential
    # Microsoft Graph SDK for Python (package msgraph-sdk); the legacy azure.graphrbac
    # package targets the retired Azure AD Graph API and has no "Graph" class.
    from msgraph import GraphServiceClient
Kindest regards
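An added example (not code from the post above or from Microsoft) showing the server-side part of the Graph approach: how a B2C custom attribute is addressed in Microsoft Graph (`extension_<b2c-extensions-app id without dashes>_<name>`), and the authorization checks a SaaS backend should make before writing the "roles" attribute. It uses the Graph REST endpoint via urllib rather than the SDK, and the attribute names "roles" and "tenantId", the role allow-list, the app id and the user objects are all constructed for illustration.

```python
import json
import urllib.request
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Constructed allow-list for this example; the real product keeps its own role catalogue.
ALLOWED_ROLES = {"superuser", "member"}


def extension_attr(b2c_extensions_app_id: str, name: str) -> str:
    """B2C custom attributes are stored by the b2c-extensions-app and addressed in Graph
    as extension_<that app's client id without dashes>_<attribute name>."""
    return f"extension_{b2c_extensions_app_id.replace('-', '')}_{name}"


def tenant_of(graph_user: dict, app_id: str) -> Optional[str]:
    """Read the SaaS tenant a user belongs to from the constructed 'tenantId' custom
    attribute as returned by GET /users/{id}?$select=...; None if it was never set."""
    return graph_user.get(extension_attr(app_id, "tenantId"))


def build_role_patch(app_id: str, caller: dict, target: dict, role: str) -> dict:
    """Build the PATCH body for /users/{id}, refusing anything the caller may not do:
    the role must be on the allow-list, the caller must already hold 'superuser', and
    both users must sit in the same SaaS tenant, so a tenant superuser cannot grant
    roles inside another customer's tenant."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unknown role {role!r}")
    caller_roles = (caller.get(extension_attr(app_id, "roles")) or "").split(",")
    if "superuser" not in caller_roles:
        raise PermissionError("caller is not a tenant superuser")
    caller_tenant, target_tenant = tenant_of(caller, app_id), tenant_of(target, app_id)
    if caller_tenant is None or caller_tenant != target_tenant:
        raise PermissionError("cross-tenant role assignment refused")
    return {extension_attr(app_id, "roles"): role}


def assign_role(user_object_id: str, body: dict, access_token: str) -> int:
    """Send the PATCH from the SaaS backend with an app-only token (User.ReadWrite.All),
    e.g. obtained via azure.identity.ClientSecretCredential; returns the HTTP status
    (204 No Content on success). The token must never be handed to the browser client."""
    req = urllib.request.Request(
        f"{GRAPH}/users/{user_object_id}", data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample data: a b2c-extensions-app id and two Graph user objects.
APP_ID = "00000000-0000-0000-0000-00000000abcd"
CALLER = {"id": "u-1", extension_attr(APP_ID, "tenantId"): "acme", extension_attr(APP_ID, "roles"): "superuser"}
TARGET = {"id": "u-2", extension_attr(APP_ID, "tenantId"): "acme"}
```

Call `assign_role(TARGET["id"], build_role_patch(APP_ID, CALLER, TARGET, "member"), token)` from the backend once a token has been acquired; the policy checks run before any network request.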