Proper setup for multiple environments


Need some architectural guidance here...

I want to create three separate environments - dev, qa and prod. I've created three resource groups; in each I have a B2C tenant, 2 app services (with Identity turned on), a SQL server, a SQL database and a storage account. Security is through managed identities, i.e. only the API app service identity can access the SQL database and storage accounts.

Everything seems to work except for the B2C tenants. It seems like they are entirely separate Active Directory instances and cannot 'see' the app service managed identities (I want to add the API app service identity to a group in the B2C tenant). All B2C tenants are tied to the same single subscription.

I figure I could create three separate subscriptions and have everything completely separate, but that seems like a bigger headache to manage. Is this the only way to get this to work?

Thank you for any suggestions!
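The per-environment layout described in the question (one resource group per environment, an API app service with a system-assigned managed identity, and a storage account that only that identity may touch) can be expressed as one Bicep template deployed three times with a different `env` value. This is an added example, not code from the original post; the resource names, the B1 SKU, the storage settings and the parameter names are assumptions. The only fixed identifier is the built-in `Storage Blob Data Contributor` role definition id, which is the same in every Azure subscription.

```bicep
// Added example: one environment's least-privilege wiring between the API
// app service's managed identity and its storage account.
// Deploy once per environment into that environment's resource group, e.g.
//   az deployment group create -g rg-dev  -f env.bicep -p env=dev
//   az deployment group create -g rg-qa   -f env.bicep -p env=qa
//   az deployment group create -g rg-prod -f env.bicep -p env=prod

@allowed([ 'dev', 'qa', 'prod' ])
param env string

param location string = resourceGroup().location

// Suffix keeps globally unique names (app service hostnames, storage accounts)
// from colliding across the three environments in the same subscription.
var suffix = uniqueString(resourceGroup().id)

resource plan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: 'plan-${env}'
  location: location
  sku: { name: 'B1' }   // assumed SKU; pick per environment
}

// The API app service. 'SystemAssigned' creates a service principal for this
// site in the AAD tenant linked to the subscription (not in any B2C tenant).
resource api 'Microsoft.Web/sites@2022-03-01' = {
  name: 'api-${env}-${suffix}'
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
  }
}

// Storage account with shared-key access disabled, so the only way in is an
// Azure AD identity that has been granted a data-plane role below.
resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'st${env}${suffix}'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowSharedKeyAccess: false
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
}

// Built-in role "Storage Blob Data Contributor" (id is fixed across Azure).
var blobContributorRoleId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

// Grant the role to the API identity only, scoped to this one storage account.
// Nothing is granted to the second (front-end) app service.
resource blobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, api.id, blobContributorRoleId)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', blobContributorRoleId)
    principalId: api.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// The principal id is what you would add to groups or grant in other
// services; it exists in the subscription's AAD tenant, not in B2C.
output apiPrincipalId string = api.identity.principalId
output storageAccountName string = storage.name
```

The SQL side is not a resource in this template because database-level access for a managed identity is granted from inside the database rather than through ARM: with an Azure AD administrator set on the server, connect as that admin and run `CREATE USER [api-dev-<suffix>] FROM EXTERNAL PROVIDER;` followed by `ALTER ROLE db_datareader ADD MEMBER [api-dev-<suffix>];` (and `db_datawriter` if needed), using the app service's exact display name. A quick check that the least-privilege intent holds is to list role assignments on the storage account (`az role assignment list --scope <storage id>`) and confirm that only the API site's principal appears.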

1 Reply

Hi @random0000 ,

AAD B2C tenants are indeed separate cloud directories. When you create a Managed Identity in your subscription, it will be created in the AAD tenant (sometimes referred to as AAD B2E or Business-to-Enterprise), the one that is "linked" to your subscription as an authoritative IdP.

There are ways to integrate your AAD tenant (the one holding your MIs) with your AAD B2C instances. B2C refers to them as external identity providers. Please check this article if it helps: https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant...