Granting access to a support employee in a multi-tenant Azure AD application environment

Question

I recently migrated an Azure Active Directory application from single-tenant to multi-tenant. Our application is now used by different companies, and we utilize Microsoft login with the common endpoint. Previously, when it was single-tenant, a company added our support engineers as guests to their Active Directory, granting them the "Support" role in our enterprise application. This meant that they could log into production using their work email address and all would work well!

However, in the new multi-tenant setup, our support engineers are unable to access the application in the production environment because our tenantId is not part of the authorized tenants. Simply adding our tenantId to the list of authorized tenants would not work, because the support engineer wants to access the application for that specific company tenant, not our own; we aren't using the application ourselves.

Additionally, if multiple companies have added our support engineer as a guest, how can the application determine which tenant they want to log in to? A solution could be to ask each company to create separate email addresses for each support engineer, however this seems inconvenient and potentially insecure.

I would greatly appreciate any advice or solutions to address this issue!

Answer 1

Score: 1

One possible solution would be to introduce the functionality in your application to switch tenants (the way you do in the Azure Portal).

Just thinking out loud, your support engineers would log in to the application. By default they would log in to your Azure AD (home tenant). Your application can then conditionally check if the logged-in user is a support engineer who may need to switch the tenant.

Using the Tenants - List API, you can get the list of tenants the user is a member of and then ask the user to select the tenant in which they want to log in. Once they switch the tenant, you will need to acquire a new access token for your application in that tenant and proceed to use the application.
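The tenant-switching flow described in the answer, as an added example that is not code from the original post or from the asker's application. It assumes the "Support" role is an app role assigned to the guest in each customer tenant (so it appears in the token's `roles` claim), that the vendor keeps a list of authorized customer tenants, and that the Tenants - List response has the documented `value[].tenantId` / `tenantCategory` / `displayName` shape; the tenant IDs, the ARM response and the unsigned tokens are constructed for the offline demo, and `acquire_token` stands in for a real MSAL call against the tenant-specific authority. The security-relevant part is the last step: after the user picks a tenant, the app must only trust a token whose `tid` and `iss` match that tenant and whose `roles` claim, issued by that tenant, carries the Support role.

```python
# Tenant switching for a multi-tenant Azure AD app. Added example; tenant IDs,
# the Tenants - List response and the tokens below are constructed, not real.
import base64
import json
from dataclasses import dataclass

# Assumed values: the vendor's own tenant and the customer tenants the app serves.
OUR_TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000001"
CONTOSO = "bbbbbbbb-0000-0000-0000-000000000002"
FABRIKAM = "cccccccc-0000-0000-0000-000000000003"
AUTHORIZED_TENANTS = {CONTOSO, FABRIKAM}
SUPPORT_ROLE = "Support"  # app role value assigned to the guest in the customer tenant


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_of(token: str) -> dict:
    """Parse JWT claims. No signature check here: in a real app the web framework
    or MSAL validates the signature against the issuing tenant's keys first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def authority_for(tenant_id: str) -> str:
    """Tenant-specific authority used to re-acquire a token after the switch."""
    return f"https://login.microsoftonline.com/{tenant_id}"


def is_vendor_employee(claims: dict) -> bool:
    """Signed in via /common and landed in our home tenant: offer the switcher."""
    return claims.get("tid") == OUR_TENANT_ID


def selectable_tenants(tenants_list_response: dict) -> list:
    """Reduce the Tenants - List result to customer tenants the app serves."""
    out = []
    for t in tenants_list_response.get("value", []):
        tid = t.get("tenantId")
        if tid == OUR_TENANT_ID or t.get("tenantCategory") == "Home":
            continue  # the vendor's own tenant is never a valid target
        if tid not in AUTHORIZED_TENANTS:
            continue  # guest in a tenant we do not serve: do not offer it
        out.append({"tenantId": tid, "displayName": t.get("displayName", tid)})
    return out


@dataclass
class SupportSession:
    tenant_id: str
    oid: str
    roles: list


def validate_switched_token(claims: dict, selected_tenant: str) -> SupportSession:
    """Trust the new token only if it was issued for the selected tenant and
    carries the Support app role assigned in that tenant."""
    if selected_tenant not in AUTHORIZED_TENANTS:
        raise PermissionError("tenant not authorized")
    if claims.get("tid") != selected_tenant:
        raise PermissionError("token tid does not match selected tenant")
    if claims.get("iss") != f"https://login.microsoftonline.com/{selected_tenant}/v2.0":
        raise PermissionError("unexpected issuer")
    roles = claims.get("roles", [])
    if SUPPORT_ROLE not in roles:
        raise PermissionError("Support role not assigned in this tenant")
    return SupportSession(selected_tenant, claims["oid"], roles)


def switch_tenant(home_claims, tenants_list_response, chosen_tenant, acquire_token):
    """Only vendor staff may switch, only to a tenant they are a guest in and that
    we serve; acquire_token(authority) is the caller's real token acquisition."""
    if not is_vendor_employee(home_claims):
        raise PermissionError("tenant switching is for vendor support staff only")
    choices = {t["tenantId"] for t in selectable_tenants(tenants_list_response)}
    if chosen_tenant not in choices:
        raise PermissionError("user is not a guest in the chosen tenant")
    return validate_switched_token(claims_of(acquire_token(authority_for(chosen_tenant))), chosen_tenant)


# ---- constructed sample data (unsigned tokens, offline demo only) ----
def make_unsigned_token(claims: dict) -> str:
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


OTHER = "dddddddd-0000-0000-0000-000000000004"  # a tenant the app does not serve
SAMPLE_TENANTS_LIST = {"value": [
    {"id": f"/tenants/{OUR_TENANT_ID}", "tenantId": OUR_TENANT_ID, "tenantCategory": "Home", "displayName": "Vendor"},
    {"id": f"/tenants/{CONTOSO}", "tenantId": CONTOSO, "tenantCategory": "ProjectedBy", "displayName": "Contoso"},
    {"id": f"/tenants/{OTHER}", "tenantId": OTHER, "tenantCategory": "ProjectedBy", "displayName": "Unrelated"},
]}
HOME_CLAIMS = {"iss": f"https://login.microsoftonline.com/{OUR_TENANT_ID}/v2.0",
               "tid": OUR_TENANT_ID, "oid": "vendor-user-1", "preferred_username": "eng@vendor.example"}


def fake_acquire_token(authority: str) -> str:
    """Simulates Azure AD issuing a token for the guest in the chosen tenant."""
    tenant = authority.rsplit("/", 1)[1]
    return make_unsigned_token({"iss": f"https://login.microsoftonline.com/{tenant}/v2.0",
                                "tid": tenant, "oid": "guest-oid-1",
                                "roles": [SUPPORT_ROLE] if tenant == CONTOSO else []})


if __name__ == "__main__":
    print(switch_tenant(HOME_CLAIMS, SAMPLE_TENANTS_LIST, CONTOSO, fake_acquire_token))
```

Two practical notes. The Tenants - List call is an Azure Resource Manager request (`GET https://management.azure.com/tenants?api-version=2020-01-01`) and needs a token for that resource, not the app's own token, which is why the example takes the response as input rather than fetching it. And the role check deliberately reads `roles` from the token issued by the customer tenant, because app role assignments are per tenant: a role the engineer holds in one customer's directory says nothing about another's.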

huangapple
  • Posted by huangapple on 2023-07-13 14:55:17
  • Please keep this link when reposting: https://go.coder-hub.com/76676671.html