We are currently in the process of developing a multi-tenant, B2B SaaS solution using Azure AD B2C for authentication. Our choice to register our app in the B2C tenant was primarily to maintain separation between our home tenant and our consumers (customers). However, our challenge is to manage the authorization of our customer (end users), we intend to incorporate features like role mapping and dynamic groups, commonly found in Azure AD apps, which appear to be absent in Azure B2C.
Our application has a specific need for role-based access control, with defined roles such as 'superuser', 'user', and 'user.readonly'. Our tenant onboarding workflow is as follows: when a user signs up and signs in for the first time from the client frontend, we aim to programmatically assign the 'superuser' role to this user. The superuser should then be able to invite other users to their tenant and assign them either the 'user' or 'user.readonly' roles.
We understand that Azure AD B2C doesn't natively support roles and permissions the same way Azure AD does. We are aware that using custom attributes in Azure AD B2C could serve as a workaround for roles, and these roles can be included as claims in tokens. However, the challenge we face is figuring out how to programmatically assign these custom attributes 'roles' during the user sign-up and sign-in process.
Considering the advanced capabilities of Microsoft Entra with Azure Active Directory, we would greatly appreciate any guidance on an approach or design pattern that would allow us to effectively manage role assignment and role-based authorization in our Azure AD B2C application.
One alternative approach we are considering is using Azure AD B2C's Graph API and Python to create a custom attribute called 'roles', assigning values like 'superuser', 'user', and 'user.readonly' to it. However, our goal is to simplify this process.
We are looking forward to your guidance on this matter and thank you in advance for your assistance.