Azure Active Directory cross tenant users and groups asp.net Authorization

Dervishi, Erald 66 Reputation points
2021-07-12T18:45:12.077+00:00

Hello .NET Developers

I have a project scenario that involves user Authorization permissions. In other words, I have built a FAQ site web application in .NET Core for the company I work for, and we are splitting the permissions into two groups: users and Admins. Now the issue I am having is that our company has two subscriptions (A & B) with two different tenants. Tenant A, where I am told to publish this application, does not have all the users and groups in Azure Active Directory that we need to access this application, but tenant B does. Is there any way I can do cross-tenant and bind the other tenant B to my application, but still publish in subscription A with the resource group and app service from subscription A?

I would appreciate any help.
Thank you in advance


Accepted answer
    AmanpreetSingh-MSFT 56,306 Reputation points
    2021-07-14T17:39:10.763+00:00

    Hi @Dervishi, Erald · Thank you for reaching out.

    Yes, this can be done by registering a multi-tenant application in tenant A. In the case of multi-tenant applications, you get redirected to https://login.microsoftonline.com/organizations or https://login.microsoftonline.com/common instead of https://login.microsoftonline.com/tenant_name_or_id, which allows tenant discovery based on the user's UPN suffix. After redirection to the user's tenant, a consent prompt will appear. Upon acceptance of the consent prompt, a service principal corresponding to the application will be created in the user's tenant, after which tenant B can issue a token for the application in tenant A.

    You can validate the issuer to prevent users of tenant C from accessing the application. Below is an example of code for ValidateSpecificIssuers:

        // Namespaces this snippet relies on (the methods below live inside the Startup class):
        using System.Linq;
        using Microsoft.IdentityModel.Tokens;

        // Issuer validator: only accept tokens whose issuer is one of the allowed tenants.
        // Wire it up via options.TokenValidationParameters.IssuerValidator.
        private string ValidateSpecificIssuers(string issuer, SecurityToken securityToken,
                                              TokenValidationParameters validationParameters)
        {
            // v2.0 issuer format: https://login.microsoftonline.com/{tenant id}/v2.0
            var validIssuers = GetAcceptedTenantIds()
                                 .Select(tid => $"https://login.microsoftonline.com/{tid}/v2.0");
            if (validIssuers.Contains(issuer))
            {
                return issuer;
            }
            else
            {
                throw new SecurityTokenInvalidIssuerException("The sign-in user's account does not belong to one of the tenants that this Web App accepts users from.");
            }
        }

        private string[] GetAcceptedTenantIds()
        {
            // If you are an ISV who wants to make the Web app available only to certain customers who
            // are paying for the service, you might want to fetch this list of accepted tenant ids from
            // a database.
            // Here for simplicity we just return a hard-coded list of TenantIds.
            return new[]
            {
                "<GUID1>",
                "<GUID2>"
            };
        }
    

    Sample for your reference: An ASP.NET Core Web app signing-in users in any org with the Microsoft identity platform

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
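The following is an added example (not code from the answer or from Microsoft's sample) showing how the issuer allow-list above is wired into an ASP.NET Core app that uses Microsoft.Identity.Web. It assumes an "AzureAd" configuration section holding the multi-tenant registration from tenant A with "TenantId": "organizations", and uses placeholder tenant IDs for tenants A and B; it also accepts the v1.0 issuer format, which the answer's snippet does not cover.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _configuration;
    public Startup(IConfiguration configuration) => _configuration = configuration;

    // Tenant IDs of the two company tenants. Placeholders: substitute the real
    // GUIDs (or load them from configuration) before deploying.
    private static readonly string[] AcceptedTenantIds = { "<TENANT_A_ID>", "<TENANT_B_ID>" };

    public void ConfigureServices(IServiceCollection services)
    {
        // The "AzureAd" section (assumed) holds the multi-tenant registration made in
        // tenant A, with "TenantId": "organizations" rather than a single tenant id.
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(_configuration.GetSection("AzureAd"));

        // A multi-tenant registration lets any work account sign in; the issuer
        // allow-list below is what keeps users of an unrelated tenant C out.
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme,
            options => options.TokenValidationParameters.IssuerValidator = ValidateSpecificIssuers);
    }

    private static string ValidateSpecificIssuers(string issuer, SecurityToken token,
                                                  TokenValidationParameters parameters)
    {
        // v2.0 tokens use https://login.microsoftonline.com/{tid}/v2.0 as the issuer,
        // v1.0 tokens use https://sts.windows.net/{tid}/; both are checked per allowed tenant.
        bool accepted = AcceptedTenantIds.Any(tid =>
            string.Equals(issuer, $"https://login.microsoftonline.com/{tid}/v2.0", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(issuer, $"https://sts.windows.net/{tid}/", StringComparison.OrdinalIgnoreCase));

        if (!accepted)
            throw new SecurityTokenInvalidIssuerException(
                $"Issuer '{issuer}' does not belong to a tenant this app accepts users from.");
        return issuer;
    }
}
```

Without the explicit validator, a multi-tenant registration accepts a token from any Microsoft Entra tenant, so the allow-list is the control that enforces the A-and-B-only requirement.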
