B2B Multitenant Application Tenant onboarding, roles and permission, grouping same tenant users

Copper Contributor


We are currently in the process of developing a multi-tenant, B2B SaaS solution using Azure AD B2C for authentication. Our choice to register our app in the B2C tenant was primarily to maintain separation between our home tenant and our consumers (customers). However, our challenge is to manage the authorization of our customer (end users), we intend to incorporate features like role mapping and dynamic groups, commonly found in Azure AD apps, which appear to be absent in Azure B2C.
 
Our application has a specific need for role-based access control, with defined roles such as 'superuser', 'user', and 'user.readonly'. Our tenant onboarding workflow is as follows: when a user signs up and signs in for the first time from the client frontend, we aim to programmatically assign the 'superuser' role to this user. The superuser should then be able to invite other users to their tenant and assign them either the 'user' or 'user.readonly' roles.
 
We understand that Azure AD B2C doesn't natively support roles and permissions the same way Azure AD does. We are aware that using custom attributes in Azure AD B2C could serve as a workaround for roles, and these roles can be included as claims in tokens. However, the challenge we face is figuring out how to programmatically assign these custom attributes 'roles' during the user sign-up and sign-in process.
 
Considering the advanced capabilities of Microsoft Entra with Azure Active Directory, we would greatly appreciate any guidance on an approach or design pattern that would allow us to effectively manage role assignment and role-based authorization in our Azure AD B2C application.
 
One alternative approach we are considering is using Azure AD B2C's Graph API and Python to create a custom attribute called 'roles', assigning values like 'superuser', 'user', and 'user.readonly' to it. However, our goal is to simplify this process.
 
We are looking forward to your guidance on this matter and thank you in advance for your assistance.
2 Replies

Hi @anz-yogesh,

Managing roles and permissions in a multi-tenant B2B SaaS solution using Azure AD B2C can be challenging as Azure AD B2C doesn't natively support roles and permissions in the same way Azure AD does. However, there are several approaches you can consider to achieve role-based access control and manage authorization in your Azure AD B2C application.

  1. Custom Attributes and Claims:

    • In Azure AD B2C, you can define custom attributes to represent roles. Let's assume you create a custom attribute called "roles" of type String in your Azure AD B2C tenant.
    • During the user sign-up or sign-in process, you can programmatically assign the appropriate role value to the "roles" custom attribute.
    • This can be achieved using Azure AD B2C custom policies. Within the custom policy XML file, you can include a technical profile to execute a validation or transformation step that assigns the role value based on your logic.
    • Here's an example of a claims transformation in a custom policy that assigns the "superuser" role to the user:
       
      <ClaimsTransformation Id="AssignSuperUserRole" TransformationMethod="AssertBooleanClaimIsEqualToValue"> <InputClaims> <InputClaim ClaimTypeReferenceId="extension_roles" TransformationClaimType="inputClaim" /> </InputClaims> <InputParameters> <InputParameter Id="valueToCompareTo" DataType="boolean">true</InputParameter> <InputParameter Id="outputClaim" DataType="string" Value="superuser" /> </InputParameters> </ClaimsTransformation>

    • By including this claims transformation in your custom policy, the "superuser" role will be assigned to the user if the specified condition is met.
  2. Custom User Flows:

    • Custom user flows allow you to create a tailored user experience that meets your specific requirements.
    • For your tenant onboarding workflow, you can create a custom user flow that includes the necessary steps to assign roles.
    • Let's say you create a custom user flow called "TenantOnboardingFlow". Within this flow, you can add a step to assign the "superuser" role to the user after successful sign-up or sign-in.
    • Here's an example of a user flow definition in Azure AD B2C custom policy XML that includes the role assignment step:
       
      <OrchestrationStep Order="4" Type="ClaimsExchange"> <Preconditions> <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> <Value>isNewUser</Value> <Value>true</Value> <Action>SkipThisOrchestrationStep</Action> </Precondition> </Preconditions> <ClaimsExchanges> <ClaimsExchange Id="AssignSuperUserRoleExchange" TechnicalProfileReferenceId="AssignSuperUserRole" /> </ClaimsExchanges> </OrchestrationStep>
    • With this custom user flow, the "superuser" role will be assigned to the user after the specified condition is met, such as when the user is a new user.
  3. Azure AD B2C Graph API and Custom Code:

    • Using the Azure AD B2C Graph API, you can programmatically manage roles and permissions.
    • Firstly, you can create a custom attribute called "roles" in Azure AD B2C. This can be achieved by making a request to the Azure AD B2C Graph API to create a custom user attribute.
    • Once the custom attribute is created, you can use the Graph API and custom code (e.g., Python with Microsoft Graph SDK) to assign role values to the "roles" attribute for each user.
    • Here's an example in Python using the Microsoft Graph SDK to assign the "superuser" role to a user:
       
      from azure.identity import ClientSecretCredential from azure.graphrbac import Graph


      Kindest regards
Your best bet is to programmatically manage this, using one of the options in the post shared by @LeonPavesic