In this post from his blog, Premier Developer consultant Marius Rochon provides a demo application that illustrates how to use Azure Active Directory B2C for authentication in a multi-tenant application.
The 'regular' Azure AD has built-in support for multi-tenant applications: a user from any Azure AD tenant can sign in to an application registered in another tenant, and the application can then use the user's security context to show that user a view of data specific to their tenant.
The goal of this article is to explore providing similar support using Azure AD B2C, with one major difference: instead of using multiple Azure AD tenants, we will use a single B2C tenant and allow all registered users (using social ids or local user ids) to access the application with a 'tenant' context of their choice. For example, consider a SaaS application for small doctor clinics. The doctors are not employed by any single clinic. They use their own social ids (live, gmail, etc.) to authenticate and may in fact work for several clinics at different times. In this case, each clinic is a tenant. In B2C terms, where an individual has a single social or local id, we need to let each doctor use the application within the context of a single clinic at any given time, while allowing them to change that context over time, for example to record their work against different clinics at different times.
To support this, AAD B2C needs to support three user scenarios:
1. A B2C user wants to create/establish a new tenant (clinic) in the application.
2. A B2C user wants to become a registered user of a tenant (doctor joins a clinic).
3. A B2C user already registered as per (2) above wants to use the application within the context of a particular tenant (clinic).
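Because every user signs in through the same B2C directory, the token alone cannot say which clinic the user is acting for; the application has to record membership and enforce the chosen context itself. The following is an added example of the three scenarios as a small server-side registry (not code from Marius' demo); it assumes the B2C id_token identifies the user by its `sub` claim, and the tenant ids, user ids and in-memory store are constructed for illustration.

```python
"""Clinic (tenant) context for an application behind a single B2C directory.

Added example, not the original demo's code. Assumes the id_token's 'sub'
claim is the user identifier; all ids and records below are constructed.
"""
from dataclasses import dataclass, field
import uuid


class TenantAccessError(PermissionError):
    """Raised when a user selects a clinic they have not joined."""


@dataclass
class TenantRegistry:
    # tenant_id -> set of B2C user ids ('sub' claims) registered with that clinic
    members: dict = field(default_factory=dict)
    # tenant_id -> human-readable clinic name
    names: dict = field(default_factory=dict)

    def create_tenant(self, user_sub: str, name: str) -> str:
        """Scenario 1: a B2C user establishes a new clinic and becomes its first member."""
        tenant_id = str(uuid.uuid4())
        self.names[tenant_id] = name
        self.members[tenant_id] = {user_sub}
        return tenant_id

    def join_tenant(self, user_sub: str, tenant_id: str) -> None:
        """Scenario 2: a B2C user registers with an existing clinic."""
        if tenant_id not in self.members:
            raise KeyError(f"unknown tenant {tenant_id}")
        self.members[tenant_id].add(user_sub)

    def tenants_for(self, user_sub: str) -> set:
        """Clinics the user may pick from (what a context picker should offer)."""
        return {tid for tid, subs in self.members.items() if user_sub in subs}

    def select_context(self, id_token_claims: dict, tenant_id: str) -> str:
        """Scenario 3: bind the signed-in user to one clinic for this session.

        The clinic id comes from the client (a picker or URL), so it is untrusted
        input; only membership recorded server-side decides whether it is allowed.
        """
        user_sub = id_token_claims["sub"]
        if user_sub not in self.members.get(tenant_id, set()):
            raise TenantAccessError(f"{user_sub} is not registered with {tenant_id}")
        return tenant_id


def scope_records(records: list, tenant_id: str) -> list:
    """Return only the records belonging to the active clinic context."""
    return [r for r in records if r["tenant_id"] == tenant_id]
```

Switching clinics is just another `select_context` call, so a doctor's context can change over time without their B2C identity changing.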
Read more on Marius’ blog here.