What is recommended configuration for Azure AD with multiple instances of asp.net application?

  • Question

  • User-209105085 posted

    We have an ASP.NET web application, and the application uses Azure AD for authentication. We host a separate instance of the application for each of our clients on separate web servers. So if we have 3 clients, let's say Client1, Client2 and Client3, then we will host the application on 3 different servers; each will have its own SQL DB (application database) and each will have its own domain name, e.g. www.client1.com, www.client2.com and www.client3.com respectively.

    I wanted to know what would be a good practice to configure users in Azure AD in such a scenario. I think I have 2 options here (and I'm only talking about the production setup here).

    1>    Create a single Active Directory, create a group for each client and add users to each group based on client. Then create 3 applications in Azure AD and assign each group to its respective application.

    2>    Create 3 Active Directories, one per client. Add users to the directory. I don't think I have to create groups here. The web.config file of each instance will have a different federation metadata URL. This approach will provide high security, but I think maintenance will be a nightmare if we have more clients. Plus I cannot set up our organization domain for all Active Directories, but that's not a high priority for us.

     I would like to know what would be the preferred setup here.


    Wednesday, February 10, 2016 5:57 PM
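    Whichever option is chosen, each client instance should verify for itself that the signed-in user came from the tenant it trusts and, under option 1 (one directory, one group and one app registration per client), that the user is in that client's group. The following is an added example written for this thread, not the poster's code: a small check an instance can run after the WS-Federation or OpenID Connect middleware has validated the token. The web.config appSetting names (ida:TenantId, ida:AllowedGroupId), the class name and the GUIDs are assumptions; the claim type URIs are the ones Azure AD emits.

```csharp
// Added example (not the poster's code). Defence-in-depth authorization for
// one client instance of the ASP.NET application: reject principals whose
// token came from a different tenant, or who are not in this client's group.
//
// Assumed per-instance web.config appSettings (hypothetical key names):
//   ida:TenantId        - directory (tenant) id this instance trusts
//   ida:AllowedGroupId  - object id of the "Client1 users" group
// Values are passed in here so the sample compiles without System.Configuration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public sealed class ClientInstanceAuthorizer
{
    // Azure AD puts the issuing tenant id in this claim.
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    // Group object ids: SAML tokens use the long URI, JWT tokens use "groups".
    private static readonly string[] GroupClaimTypes =
    {
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
        "groups"
    };

    private readonly string _expectedTenantId;
    private readonly string _allowedGroupId;

    public ClientInstanceAuthorizer(string expectedTenantId, string allowedGroupId)
    {
        if (string.IsNullOrWhiteSpace(expectedTenantId)) throw new ArgumentException("expectedTenantId");
        if (string.IsNullOrWhiteSpace(allowedGroupId)) throw new ArgumentException("allowedGroupId");
        _expectedTenantId = expectedTenantId;
        _allowedGroupId = allowedGroupId;
    }

    // Returns null when the principal may use this instance, otherwise a
    // reason suitable for the server log (not for display to the user).
    public string Reject(ClaimsPrincipal principal)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return "not authenticated";

        string tid = principal.FindFirst(TenantIdClaim)?.Value;
        if (!string.Equals(tid, _expectedTenantId, StringComparison.OrdinalIgnoreCase))
            return "token issued by unexpected tenant '" + (tid ?? "<none>") + "'";

        List<string> groups = principal.Claims
            .Where(c => GroupClaimTypes.Contains(c.Type))
            .Select(c => c.Value)
            .ToList();

        // Azure AD omits the groups claim when the user is in too many groups
        // (group overage). Fail closed instead of reading "no groups" as "no
        // restriction"; the instance should then resolve membership through
        // Microsoft Graph rather than trust an absent claim.
        if (groups.Count == 0)
            return "no groups claim present (overage, or groups not configured for the app)";

        if (!groups.Contains(_allowedGroupId, StringComparer.OrdinalIgnoreCase))
            return "user is not a member of the group assigned to this client instance";

        return null;
    }
}

public static class Demo
{
    // Builds a constructed principal shaped like one the federation middleware produces.
    private static ClaimsPrincipal Build(string tenantId, params string[] groupIds)
    {
        var identity = new ClaimsIdentity("Federation"); // non-empty type => IsAuthenticated
        identity.AddClaim(new Claim("http://schemas.microsoft.com/identity/claims/tenantid", tenantId));
        foreach (var g in groupIds)
            identity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", g));
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // Constructed sample ids; real values come from this instance's web.config.
        const string tenant = "11111111-1111-1111-1111-111111111111";
        const string client1Group = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa";
        const string client2Group = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb";
        var client1Instance = new ClientInstanceAuthorizer(tenant, client1Group);

        Console.WriteLine(client1Instance.Reject(Build(tenant, client1Group)) ?? "allowed");      // allowed
        Console.WriteLine(client1Instance.Reject(Build(tenant, client2Group)));                   // wrong group
        Console.WriteLine(client1Instance.Reject(Build("22222222-2222-2222-2222-222222222222", client1Group))); // wrong tenant
        Console.WriteLine(client1Instance.Reject(Build(tenant)));                                 // no groups claim
    }
}
```

    Call Reject from the point where the application first sees the authenticated user (for example Global.asax Application_AuthorizeRequest or a custom AuthorizeAttribute) and end the session on a non-null result. Under option 2 (one directory per client) the tenant id check is the one that matters, since each instance's web.config points at a different federation metadata URL, and the group check can be dropped. Under option 1 the group check is what keeps a Client1 user out of the Client2 instance even though both applications live in the same directory, so it should be kept even when "user assignment required" is switched on for each application.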


  • User-646145796 posted


    It is more related to your requirements. We need to follow some policy to manage Azure AD. You can manage each directory as a fully independent resource: each directory is a peer, fully featured, and logically independent of the other directories that you manage. There is no parent-child relationship between directories. This independence between directories includes resource independence, administrative independence, and synchronization independence.

    • Resource independence. If you create or delete a resource in one directory, it has no impact on any resource in another directory, with the partial exception of external users, described below. If you use a custom domain 'contoso.com' with one directory, it cannot be used with any other directory.
    • Administrative independence. If a non-administrative user of directory 'Contoso' creates a test directory 'Test' then:

      • The administrators of directory 'Contoso' have no direct administrative privileges to directory 'Test' unless an administrator of 'Test' specifically grants them these privileges. Administrators of 'Contoso' can control access to directory 'Test' by virtue of their control of the user account which created 'Test'.
      • If you change (add or remove) an administrator role for a user in one directory, the change does not affect any administrator role that user may have in another directory.

    • Synchronization independence. You can configure each Azure AD independently to get data synchronized from a single instance of either:

      • The directory sync tool, to synchronize data with a single AD forest.
      • The Azure Active Directory Connector for Forefront Identity Manager, to synchronize data with one or more on-premises forests, and/or non-AD data sources.

    Best Regards,


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, February 11, 2016 6:22 AM