Multi-Tenant application using Azure Active Directory


We want to develop a multi-tenant web application where the tenants could use one or more of the following identity providers:

  • Microsoft LiveID (Microsoft Account)
  • Windows Azure Active Directory (WAAD)
  • Office 365
  • ADFS

We have evaluated ACS and it works with all the above identity providers. However it is being deprecated in favor of Windows Azure Active Directory. We looked into Azure AD and it does support creating multi-tenant applications which are backed by Azure AD / Office 365 tenants. This helps us to support customers having Azure AD instance or Office 365.

I would like to know whether:

  • Azure AD supports federation scenarios with ADFS and Microsoft Account as well?
  • In case of ADFS, will it also support SSO?
  • Does Azure AD support features like Custom Login screen and Home Realm Discovery (HRD) similar to ACS?
  • Will Azure AD help in supporting tenants who want to use multiple identity providers (e.g. both Microsoft Account and ADFS)?

Also, as per our application requirements, we do not want to store any tenant/customer user account details in our Azure AD instance. We would like Azure AD to take care of authentication and SSO with the identity providers mentioned above without any need to store tenant/customer info.

vibronet (Best answer)
  1. As of today Azure AD (AAD) can only connect to ADFS when the latter represents the on-premises directory connected to the corresponding AAD tenant. ADFS instances run by different organizations are not directly supported, though they can be used if they are themselves projected via AAD. Microsoft Accounts are supported as guests - if you add one Microsoft Account to your directory, you'll be able to accept it in your applications.
  2. In case of ADFS: if the constraint above is respected (the ADFS instance is the one connected to AAD) then yes, you'll get SSO.
  3. As of today, it does not. You can however customize specific parts of the authentication page (logo, etc.).
  4. See #1.

In the case of multitenancy, you don't need to store any info in your AAD. When a user from a new AAD tenant consents to the use of your app, a corresponding entry will appear in their own directory. HTH V.