
Microsoft Authentication - Constraining Azure AD Tenant #11349


User avatar
0
hra created

We have enabled "Microsoft" authentication, in our multi-tenant AspNetZero application to allow our customers to create accounts, and sign-in using their Microsoft organisational account.

From what I can tell, the default implementation will allow anyone from any Microsoft organisation to sign up.

Our customers will want to be able to "restrict" sign-ups to users from specific organisations.

For example, our customer "Acme" has also purchased business services from Microsoft under the organisation "Acme". They want to allow their users to sign up to our site, under the "Acme" tenant, using ONLY their "Acme" Microsoft credential.

  1. Is there a mechanism in ANZ to allow for this today?
  2. If not, is there a reason? Perhaps what I am wanting to do is achieved through other means?
  3. If I need to roll this myself in ANZ - what's the high-level guidance?

Reading this: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens, apparently the "iss" component of the claims, identifies "the Azure AD tenant for which the user was authenticated". It also says "Your app should use the GUID portion of the claim to restrict the set of tenants that can sign in to the app, if applicable." - so I guess that's what we should be restricting.

Thanks!
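One way to enforce the "iss" restriction the question describes, as an added illustration (this is not AspNetZero's own code, nor the forum's): the tenant GUID is extracted from the Azure AD issuer URL of the id token and compared against an allow-list of tenant GUIDs, via the `IssuerValidator` hook of `TokenValidationParameters`. It assumes the Microsoft sign-in is wired through an ASP.NET Core OpenID Connect handler that actually receives the id token, and that the allow-list for the current ANZ tenant is loaded from that tenant's settings; the static `allowedTenants` list below is a constructed placeholder for that lookup. The class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper (not part of AspNetZero): restricts Azure AD sign-in to an
// allow-list of tenant GUIDs by validating the "iss" claim of the id token.
public static class AzureAdIssuerPolicy
{
    // Azure AD issuers look like
    //   https://login.microsoftonline.com/{tenant-guid}/v2.0   (v2.0 tokens)
    //   https://sts.windows.net/{tenant-guid}/                  (v1.0 tokens)
    // Only the GUID segment identifies the tenant, so that is what we compare.
    public static bool TryExtractTenantId(string issuer, out Guid tenantId)
    {
        tenantId = Guid.Empty;
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;

        var host = uri.Host.ToLowerInvariant();
        var segments = uri.AbsolutePath.Trim('/').Split('/');
        if (segments.Length == 0 || !Guid.TryParseExact(segments[0], "D", out tenantId))
        {
            tenantId = Guid.Empty;
            return false;
        }

        bool isV2 = host == "login.microsoftonline.com" && segments.Length == 2 && segments[1] == "v2.0";
        bool isV1 = host == "sts.windows.net" && segments.Length == 1;
        if (isV1 || isV2) return true;

        tenantId = Guid.Empty;
        return false;
    }

    // Builds the IssuerValidator delegate used by TokenValidationParameters.
    // Returning the issuer string marks it as valid; throwing rejects the token.
    public static IssuerValidator ForAllowedTenants(IEnumerable<Guid> allowedTenantIds)
    {
        var allowed = new HashSet<Guid>(allowedTenantIds);
        return (issuer, securityToken, validationParameters) =>
        {
            if (TryExtractTenantId(issuer, out var tenantId) && allowed.Contains(tenantId))
            {
                return issuer;
            }
            throw new SecurityTokenInvalidIssuerException(
                $"Issuer '{issuer}' is not an allowed Azure AD tenant.")
            {
                InvalidIssuer = issuer
            };
        };
    }
}

// Registration sketch for Startup.ConfigureServices (assumed wiring, not ANZ's):
public static class AzureAdRegistration
{
    public static void AddRestrictedAzureAd(this IServiceCollection services)
    {
        // Constructed placeholder: in a real deployment this list would be read
        // from the current ANZ tenant's settings (e.g. "Acme" -> Acme's AAD tenant GUID).
        var allowedTenants = new[] { Guid.Parse("00000000-0000-0000-0000-000000000001") };

        services.AddAuthentication().AddOpenIdConnect("AzureAD", options =>
        {
            // "common" lets any organisation authenticate; the IssuerValidator is what
            // narrows it down to the allow-listed tenants.
            options.Authority = "https://login.microsoftonline.com/common/v2.0";
            options.ClientId = "<client-id-placeholder>";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                IssuerValidator = AzureAdIssuerPolicy.ForAllowedTenants(allowedTenants)
            };
        });
    }
}
```

The validator is applied at token validation time, so a user from a non-allow-listed organisation fails authentication before any account is created. For a multi-tenant ANZ site the allow-list has to be resolved for the tenant the user is signing up under, which means the static array above would be replaced by a per-tenant settings lookup.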


3 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    Could you create an issue on https://github.com/aspnetzero/aspnet-zero-core/issues ? We can add this as a new feature. But, it is not supported at the moment.

  • User Avatar
    0
    hra created

    Thanks @ismcagdas, I have done so here: https://github.com/aspnetzero/aspnet-zero-core/issues/4644

  • User Avatar
    0
    ismcagdas created
    Support Team

    Thanks a lot @hra