Azure authentication and possibly multitenant design


  • Hi

    We are planning to create a new SaaS solution hosted in Azure. The new SaaS solution is “based” on an existing client/server solution we have but is to be totally redesigned and rewritten. The status is that we are doing a pilot project whose goals are to 1) implement one rather simple part of the old application, 2) try out and select techniques for development (front- and backend), 3) get familiar with developing and running SaaS solutions in Azure, 4) design and develop the authorization mechanism needed for this kind of setup, and finally 5) test, design and decide how best to use Azure Tenant and possibly Multi Tenant (B2B, B2C) concepts for authentication.

    The design is most likely going to be a web application frontend and web APIs as backend, Azure Service Bus for inter-API communication (in many cases) and SQL Database for data storage.

    The “basic”, but a bit complicated, organizational and user structure we need to support is as follows. We (our company) develop and host (in Azure) the solution. We will have users that need to be authenticated and need to be able to “use” the application. We then also have other companies as customers, and those customers have users that need to be authenticated to use the application. Our customers in turn also have customers with users that need to be authenticated, and those customers have their own customers, which in some cases are companies with users and in some cases are private persons. In short, an organizational and user hierarchy (tree) that is perhaps 5 levels deep (see fig).

    Other important requirements: 1) each organization on every level should be able to “administrate” its own users (probably through our interface, without using the Azure portal); 2) it should be possible on all levels for users to “sign up” (create an account) by themselves without intervention from an administrator (rule/domain/e-mail controlled); 3) some, but not many, of our customers might have, or will soon have, their own Azure tenants. Perhaps we don’t need to “support” this directly, but we might need to consider whether it complicates our solution.


    What we are having problems with is how best to “organize” the users on all levels to support the above requirements and to take as much advantage as possible of the Azure Tenant, Multi Tenant, B2B and B2C concepts for authentication. What is possible to do and what is not, what advantages this or that solution has, and what limitations and pitfalls different designs have.

    All kinds of advice, and contacts for discussing this, would be appreciated.

    Best regards,
    Björn Erlendsson


    • Moved by Md Shihab Wednesday, April 19, 2017 6:28 PM Suited to Azure AD
    Wednesday, April 19, 2017 6:30 AM
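The post describes two authorization rules that sit in the application no matter which identity provider (Azure AD, B2B or B2C) issues the tokens: an administrator at any level may manage only the users of its own organization and the organizations below it, and self-service sign-up is routed to an organization by a rule on the e-mail domain. The following is an added example, not code from the poster and not an Azure AD or B2C API; it models the roughly five-level tree with plain Python objects. All organization IDs, domains and e-mail addresses are constructed sample data, and the choice to attach private-person users directly to the organization that serves them is an assumption made for the example.

```python
"""
Added example: subtree-scoped administration and domain-routed sign-up
over a multi-level organisation tree. Not the poster's code and not an
Azure AD/B2C API; all identifiers below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Org:
    org_id: str
    parent_id: Optional[str]                 # None only for the hosting company (root)
    signup_domains: frozenset = frozenset()  # e-mail domains allowed to self-register here


@dataclass(frozen=True)
class User:
    email: str
    org_id: str           # private persons are attached to the org serving them (assumption)
    is_org_admin: bool = False


class OrgDirectory:
    """Holds the org tree and answers the two authorisation questions."""

    def __init__(self, orgs: Iterable[Org]) -> None:
        self.orgs: Dict[str, Org] = {o.org_id: o for o in orgs}
        self.domain_owner: Dict[str, str] = {}
        for org in self.orgs.values():
            if org.parent_id is not None and org.parent_id not in self.orgs:
                raise ValueError(f"{org.org_id}: unknown parent {org.parent_id}")
            for domain in org.signup_domains:
                domain = domain.lower()
                # A domain claimed by two orgs would let sign-up land in the wrong tenant.
                if domain in self.domain_owner:
                    raise ValueError(
                        f"domain {domain} claimed by both {self.domain_owner[domain]} and {org.org_id}")
                self.domain_owner[domain] = org.org_id
        for org_id in self.orgs:
            self.ancestors(org_id)  # raises on a cycle, so the tree is validated up front

    def ancestors(self, org_id: str) -> List[str]:
        """Return [org_id, parent, grandparent, ..., root]."""
        chain: List[str] = []
        seen = set()
        current: Optional[str] = org_id
        while current is not None:
            if current in seen:
                raise ValueError(f"cycle in org tree at {current}")
            seen.add(current)
            chain.append(current)
            current = self.orgs[current].parent_id
        return chain

    def depth(self, org_id: str) -> int:
        return len(self.ancestors(org_id))

    def is_within(self, org_id: str, scope_id: str) -> bool:
        """True if org_id equals scope_id or lies anywhere below it."""
        return scope_id in self.ancestors(org_id)

    def can_manage(self, admin: User, target: User) -> bool:
        """Rule 1: only org admins, and only over their own subtree (never upward or sideways)."""
        if not admin.is_org_admin:
            return False
        return self.is_within(target.org_id, admin.org_id)

    def org_for_signup(self, email: str) -> Optional[str]:
        """Rule 2: route a self-service sign-up by verified e-mail domain; None means 'reject'."""
        local_part, at, domain = email.rpartition("@")
        if not at or not local_part or not domain:
            return None
        return self.domain_owner.get(domain.lower())


# Constructed sample tree: host -> customer -> customer's customer -> their customer.
DIRECTORY = OrgDirectory([
    Org("host", None, frozenset({"host.example"})),
    Org("cust-a", "host", frozenset({"cust-a.example"})),
    Org("cust-a-1", "cust-a", frozenset({"a1.example"})),
    Org("cust-a-1-x", "cust-a-1"),
    Org("cust-b", "host", frozenset({"cust-b.example"})),
])

HOST_ADMIN = User("ops@host.example", "host", is_org_admin=True)
CUST_A_ADMIN = User("admin@cust-a.example", "cust-a", is_org_admin=True)
CUST_A1_ADMIN = User("admin@a1.example", "cust-a-1", is_org_admin=True)
DEEP_USER = User("person@mail.example", "cust-a-1-x")   # private person at the bottom level
CUST_B_USER = User("someone@cust-b.example", "cust-b")


if __name__ == "__main__":
    print(DIRECTORY.can_manage(CUST_A_ADMIN, DEEP_USER))      # True: in cust-a's subtree
    print(DIRECTORY.can_manage(CUST_A1_ADMIN, CUST_A_ADMIN))  # False: cannot manage upward
    print(DIRECTORY.org_for_signup("bob@A1.example"))         # cust-a-1
```

The directory validates the tree once at construction (unknown parent, cycle, domain claimed twice) so that the per-request checks are a simple ancestor walk; in a real deployment the same two rules would be evaluated against the organization and role claims carried in the issued token rather than against in-memory objects.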

All replies