I'm developing a multitenant app in ASP.NET Core using Azure AD for authentication. I want to allow access to my app only for specific tenants (for this I added a valid-issuers list to my app's authorization).
The problem is that I want to specify custom roles for each tenant. Why? The base scenario looks like this.
I have customer organization (Tenant) A with 3 departments named AB, AC and AD.
Meanwhile I have customer organization (Tenant) B with 5 departments BA, BB, BC, BD, BE.
I want to be able to grant users permissions exactly for their departments. For example, grant a user from tenant A access only to department AB (or to all of them), and in a perfect scenario this would be done by the admin of company A in their own Azure AD.
I was thinking of App roles from Azure AD, but it seemed very undesirable to me to expose all departments of all my customers in the manifest.
Please refer to this official doc first:
Add app roles to your application and receive them in the token
The permissions function of Azure AD is not yet specific to the departmental permissions of the tenant.
This official document tells me that when we are in App Registration, we can add an App Role to other tenants (Test), and then our application can be accessed by the Test tenant.
However, the specific permissions for each department under each tenant should be controlled at the code level.
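One way to do the code-level control the answer describes, as an added example that is not part of the original post or of any Microsoft sample: the app keeps a small, coarse set of app roles in its manifest (assumed names `Department.AB`, `Department.All`, `Department.BA`), the customer admin assigns those roles in their own tenant, and an ASP.NET Core authorization handler resolves `tid` + `roles` from the token against an app-side registry that maps each tenant's roles to the departments they unlock. The tenant GUIDs, the `IDepartmentRegistry` interface and the `DepartmentRequirement` type are all hypothetical; authentication (JwtBearer with the valid-issuers list from the question) is assumed to be configured already and is omitted.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
// Azure AD authentication with the valid-issuers list is assumed to be configured here,
// exactly as in the question; it is not repeated in this example.
builder.Services.AddAuthorization();
builder.Services.AddSingleton<IDepartmentRegistry, InMemoryDepartmentRegistry>();
builder.Services.AddSingleton<IAuthorizationHandler, DepartmentHandler>();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Hypothetical requirement: the caller must be allowed to act on one department.
public sealed class DepartmentRequirement : IAuthorizationRequirement
{
    public DepartmentRequirement(string department) => Department = department;
    public string Department { get; }
}

// Hypothetical app-side registry: tenant id + app role -> departments it unlocks.
// Only the app operator edits this, so a customer admin can hand out roles but
// cannot widen what a role means.
public interface IDepartmentRegistry
{
    IReadOnlySet<string> DepartmentsFor(string tenantId, string appRole);
}

public sealed class InMemoryDepartmentRegistry : IDepartmentRegistry
{
    // Constructed sample data; the GUIDs are placeholders, not real tenant ids.
    private static readonly Dictionary<(string Tenant, string Role), HashSet<string>> Map = new()
    {
        [("11111111-1111-1111-1111-111111111111", "Department.AB")]  = new() { "AB" },
        [("11111111-1111-1111-1111-111111111111", "Department.All")] = new() { "AB", "AC", "AD" },
        [("22222222-2222-2222-2222-222222222222", "Department.BA")]  = new() { "BA" },
    };

    public IReadOnlySet<string> DepartmentsFor(string tenantId, string appRole) =>
        Map.TryGetValue((tenantId, appRole), out var set) ? set : new HashSet<string>();
}

public sealed class DepartmentHandler : AuthorizationHandler<DepartmentRequirement>
{
    private readonly IDepartmentRegistry _registry;
    public DepartmentHandler(IDepartmentRegistry registry) => _registry = registry;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, DepartmentRequirement requirement)
    {
        // Azure AD puts the issuing tenant in "tid"; some claim mappings expose it
        // under the long schema name instead, so accept either.
        var tenantId = context.User.FindFirst("tid")?.Value
            ?? context.User.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
        if (string.IsNullOrEmpty(tenantId))
            return Task.CompletedTask; // no tenant claim: requirement stays unmet

        // App roles the customer admin assigned arrive in the "roles" claim.
        // A tenant that is not in the registry gets an empty set for every role,
        // so unknown tenants are denied even if they issued a valid token.
        foreach (var role in context.User.FindAll("roles"))
        {
            if (_registry.DepartmentsFor(tenantId, role.Value).Contains(requirement.Department))
            {
                context.Succeed(requirement);
                break;
            }
        }
        return Task.CompletedTask;
    }
}

[ApiController]
[Route("departments")]
public sealed class DepartmentsController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public DepartmentsController(IAuthorizationService authz) => _authz = authz;

    // Department comes from the route, so the check is resource-based rather than a
    // fixed policy name: the handler above decides per tenant and per department.
    [HttpGet("{department}")]
    [Authorize]
    public async Task<IActionResult> Get(string department)
    {
        var result = await _authz.AuthorizeAsync(User, null, new DepartmentRequirement(department));
        if (!result.Succeeded)
            return Forbid();
        return Ok(new { department });
    }
}
```

With this layout the manifest only ever lists the role names the operator chose; which concrete departments a role grants, and for which tenant, lives in the registry. A user in tenant A holding `Department.AB` gets `GET /departments/AB` but a 403 on `/departments/AC`, and a token from a tenant absent from the registry is refused for every department regardless of the roles it carries.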