AADB2C: How-to on multi-tenant applications based on B2C
As service provider using Azure as the underlying platform, I want to create an application that allows companies to create and manage their tenants and users within my service in order to provide a public service area as well as a privately owned area for the company.
I've read about B2C supporting multi-tenant, but I couldn't find hints within the documentation...
We are currently prioritizing Azure AD as and identity provider into B2C. We will review this request after that work is done. Keep the requests coming! /Jose Rojas
Hi Azure AD Team, The "Azure AD as an identity provider for B2C" functionality was completed a couple of weeks ago (thank you so much).
Would you kindly revisit and review this current request as promised :)
Jamie K commented
There seems to be holes in the some of documentation, i'm hoping someone can help me understand when it comes to allow multi-tenant sign in.
I have a web applications that will require users from (3) companies to sign in.
Each company will have their own tenent, and i would like to expose signin to those (3) companies using the OpenID Connect Idenitity Provider in my BDC Tenant.
I've register my app in my BDC tenant and have local accounts working as expected and i want to expand and implement the AAD sign in for the (3) companies.
I'm using the built-in policies.
NOW FOR MY QUESTIONS:
1. Do the (3) companies tenant have to setup anything to allow me to use them as an IDP?
2. Do i need to use custom polices to accomplish what i'm trying to do?
Some blogs make it seem like it's plug and play. I have been able to get the signin to redirect to my AAD login but when it redirects back i get "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'GUID'." All my reply urls are the exact same... so im thinking this might relate to question 1. Maybe i'm not setting up my source AAD tenant properly.
3. What's the best practice to only allow specific users from loggin in?
Should this be managed from my application, or can i do that from the B2C tenant?
Maybe only have signin policies and exclude sign up policies?
Thanks in advance...
Lars Kemmann commented
So I've looked at this more and I believe the idea as Sven shared it is exactly what is needed. I found a StackOverflow post yesterday that seems to get halfway there -- the multi-tenant app is based on a "normal" AAD tenant, not in the B2C tenant, and the two are linked up via custom policy -- but it's a big step in the right direction.
Now if we can just base the app in the B2C tenant and link those up (ideally with a clean Portal-based UX but at least with a how-to article) then we are all set! :)
We would like to share our web application and API deployment between multiple customers. Each customer has a own unique tenant, applicationId and reply URL etc. Resource sharing between tenants is not required.
Each customer has a unique URL and authentication requests need to be redirected to the correct tenant based on the requested URL within the Web app.
Each request to the API need to be authenticated against the correct tenant based on the token client id.
Here is my question on StackOverflow.
Is this possible with B2C?
Lars Kemmann commented
Can't you just port the AAD B2B invite & redemption logic over? That solves the multitenancy problem so elegantly!
Much needed use case ;-) Can this be solved by creating multiple b2c tenants?
Conor Croke commented
I have a multi-tenant app hosted on one of my Azure AD. I have given access to this app to another tenant that I am admin of. I can create users in the azure portal and they can authenticate no problem and login. What I am trying to do is use B2B to add in a user. This will allow users to sign in using their own email address. When I try login using a user created like this I get a sign in error "User account '*email@example.com' from identity provider 'live.com' does not exist in tenant '*Tenant Hosting the WebApp*' and cannot access the application '*client ID*' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
I do not want to add this user to the tenant that the app is hosted on but rather access it through an enterprise application as it is displayed on azure portal. Is there anyway to work around this error? Or does the current system not allow external users signed up via B2B to access enterprise applications in the tenant it was signed upto.
Thanks to anyone that can clear this up for me.
This is a common use case. Any updates on this?
Ron Hash commented
Any update on this? To build a modern SaaS, we must allow a business to sign up and manage their own users. Huge requirement!
Sven Hubert commented
Yes, we've recently evaluated several licensing and identity service providers and all are lacking multi-tenant or monetization support. There are lots of things one need to implement or integrate for oneself. It seems as if there's currently no complete serviced solution for identity, API management, monitoring and monetization as a whole in the B2B and B2C area. All basic must-have topics for professional SaaS apps today... maybe a gap, that can be closed one day with Azure.
Phil Britton commented
This would be a great HOL or architectural guidance piece. Identity is such a pain point for the SaaS industry, a framework to follow that implements B2C would be very popular.
Chau Nguyen commented
This is also a big addition we are hoping for. SAAS apps need this. any update on when/progress/plans? thx
Nate Boettcher commented
I would like to hear more about this, as well. In my customer facing web app, each of our customers have their own database and I want them to manage the users that have access to their database. I want all of the auth to be done by Azure B2C.