azure ad B2C + multi tenancy


Hi all,


Some context:
I'm looking at implementing a multi-tenant SaaS application using a SPA and Spring Boot backend, running on Azure App Service and using Azure AD B2C for identity management.

I've been going through the documentation and forum questions for a while now, but I'm starting to lose the overview a bit of what is possible and how it is possible.


More specifically, I'm stuck with the following questions to decide how best to implement this:
- What would be the best strategy, using these Azure services, to implement multi-tenancy on the application level? A separate subdomain per tenant, or would it be possible to just host on e.g. app.mydomain.com and implement some other mechanism to separate the tenants?
- Have I read it correctly: if Azure AD B2C is used in multi-tenant mode, any tenant can use your application? Meaning, you'll need to filter out yourself, e.g. based on tenant IDs in your app code, which tenants are allowed and which are not?
- Does Azure AD B2C multi-tenancy also allow for delegating authentication to a customer identity system? E.g. tenant A uses accounts locally inside Azure AD B2C, tenant B delegates to their own identity management system using SAML, tenant C delegates to their own identity management system using OpenID Connect, ...?
- Do I have some option to inspect the token and distinguish the tenant from the token sent in every request, e.g. the tenant issuer or any other token parameter? (Taking into account my previous question too: if B2C supports this, that one tenant comes in over OpenID Connect, the other one over SAML, ...)
- When using accounts stored in Azure AD B2C locally, can I also spread these out over multiple tenants inside B2C? Or do they need to all be in one tenant, and do I need to separate them e.g. using groups in this one tenant?
- Is there a limitation on the number of tenants which can be configured in Azure AD B2C?



Thanks in advance for any clarification or insight you can provide me!

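As an added example (not from the original post, and not Microsoft's or any B2C sample code), here is a Spring Security resource-server configuration for the Spring Boot backend described above that validates the B2C issuer and signature first and then enforces the application-side tenant allow-list the second and fourth questions ask about, taking the tenant from a claim in the validated token rather than from the host name or a request parameter. The claim name `extension_tenantId` (the shape B2C gives custom attributes), the issuer and JWKS URLs, and the allowed tenant values are assumptions and placeholders.

```java
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/** Rejects any token whose tenant claim is missing or not on the allow-list. */
final class TenantAllowListValidator implements OAuth2TokenValidator<Jwt> {
    private static final OAuth2Error UNKNOWN_TENANT =
            new OAuth2Error("invalid_token", "tenant is not enabled for this application", null);
    private final String tenantClaim;          // assumed claim name, e.g. extension_tenantId
    private final Set<String> allowedTenants;  // tenants this deployment serves

    TenantAllowListValidator(String tenantClaim, Set<String> allowedTenants) {
        this.tenantClaim = tenantClaim;
        this.allowedTenants = Set.copyOf(allowedTenants);
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        // Runs only after the decoder has checked the signature; a forged claim never gets here.
        String tenant = jwt.getClaimAsString(tenantClaim); // null when the claim is absent
        return tenant != null && allowedTenants.contains(tenant)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(UNKNOWN_TENANT);
    }
}

@Configuration
class ResourceServerJwtConfig {
    // Placeholders: take these from the B2C directory's OpenID metadata for the policy in use.
    private static final String ISSUER = "https://<b2c-name>.b2clogin.com/<directory-id>/v2.0/";
    private static final String JWKS_URI =
            "https://<b2c-name>.b2clogin.com/<b2c-name>.onmicrosoft.com/<policy>/discovery/v2.0/keys";

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER),      // exp/nbf window + exact iss
                new TenantAllowListValidator("extension_tenantId",  // assumed custom-attribute claim
                        Set.of("tenant-a", "tenant-b"))));          // constructed allow-list
        return decoder;
    }
}
```

A token from a tenant not in the set is rejected with `invalid_token` before any controller runs, so the per-tenant data filter in the service layer can rely on the same validated claim instead of re-deriving the tenant from the request.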