Enable multitenant applications with Azure Digital Twins

Solutions developers who build on Azure Digital Twins may find that they want to support multiple customers with a single service or solution. In fact, multitenant applications are among the most common Azure Digital Twins configurations.

This document describes how to configure an Azure Digital Twins app to support several Azure Active Directory tenants and customers.

Multitenancy

A multitenant resource is a single provisioned instance that supports multiple customers. Each customer has their own independent data and privileges. Each customer's experience is isolated from each other's so that their "view" of the application is distinct.

To learn more about multitenancy, read Multitenant Applications in Azure.

Problem scenario

In this scenario, consider a developer building an Azure Digital Twins solution (DEVELOPER) and a customer who uses that solution (CUSTOMER):

  • DEVELOPER has an Azure subscription with an Azure Active Directory tenant.
  • DEVELOPER deploys an Azure Digital Twins instance into their Azure subscription. Azure Active Directory automatically created a service principal in DEVELOPER's Azure Active Directory tenant.
  • Users within DEVELOPER's Azure Active Directory tenant can then acquire OAuth 2.0 tokens from the Azure Digital Twins service.
  • DEVELOPER now creates a mobile app that directly integrates with the Azure Digital Twins Management APIs.
  • DEVELOPER allows CUSTOMER the use of the mobile application.
  • CUSTOMER must be authorized to use the Azure Digital Twins Management API within DEVELOPER's application.

The problem:

  • When CUSTOMER logs into DEVELOPER's application, the app can't acquire tokens for CUSTOMER's users to authenticate with the Azure Digital Twins Management APIs.
  • An exception is issued in Azure Active Directory indicating that Azure Digital Twins isn't recognized within CUSTOMER's directory.

Problem solution

To solve the previous problem scenario, the following actions are needed to create an Azure Digital Twins service principal within the CUSTOMER's Azure Active Directory tenant:

  • If CUSTOMER doesn't already have an Azure subscription with an Azure Active Directory tenant:

  • On the Azure portal, CUSTOMER's Azure Active Directory tenant admin takes the following steps:

    1. Open Subscriptions.

    2. Select the subscription that has the Azure Active Directory tenant to be used in DEVELOPER's application.

      Azure Active Directory subscriptions

    3. Select Resource Providers.

    4. Search for Microsoft.IoTSpaces.

    5. Select Register.

      Azure Active Directory resource providers

Next steps