I am working on an application, and its registration in Azure AD must allow Accounts in any organizational directory to sign in. We built this with the thought that we could manage the roles for the app within Azure, so we made a few roles. The roles would also be only assignable and used by employees within our organization.
The whole time we thought that these roles can only be assigned within the Azure AD of the organization that owns the app's registration. We now found that when a user from another tenant signs into our app, they can find the app in their Azure's Enterprise Applications and just assign themselves roles. This means that they'd be able to view data that was never meant to be accessible to them. We don't want any other organization to have access to assigning these roles.
So is there any way to disable other tenants' ability to assign themselves a role in their Azure's Enterprise Application? I just want them to be able to log into the app, not give themselves any roles.
Is this even the appropriate way to achieve what we want? If not, what would be the proper way to do this?
CodePudding user response:
At least I am not aware of any mechanism that will prevent admins from other tenants from assigning roles to users (it works by design).
If you want to use the application roles only within your tenant, I would suggest that you use the tenant ID that is also part of the claims when you are doing authorization within your application...
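As an added illustration of the tenant-ID check the answer suggests (example code, not from the question or the answer): the `tid` claim identifies the tenant that issued the token and `roles` carries the app roles assigned in that tenant's enterprise application, so the application honours `roles` only when `tid` is the tenant that owns the app registration. Everyone else can still sign in but gets no privileged roles. The tenant IDs, role names and token claims below are constructed placeholders, and the function assumes the token's signature, audience and expiry have already been validated, since `tid` is only trustworthy after that.

```python
"""
Added example, not part of the original Q&A: trust Azure AD app roles only
when the token was issued by the tenant that owns the app registration.
All tenant IDs, role names and claim values here are constructed samples.
"""

# Placeholder: tenant ID of the directory that owns the app registration.
HOME_TENANT_ID = "00000000-0000-0000-0000-000000000001"

# App roles declared in the app manifest (assumed names for this example).
KNOWN_ROLES = {"Reader", "Admin"}


def effective_roles(claims: dict) -> set:
    """Return the app roles the application should actually honour.

    `tid` and `roles` are real Azure AD token claim names. An admin in a
    foreign tenant can assign any of our app roles to their own users, so
    the `roles` claim is honoured only when `tid` is our home tenant.
    Unknown role names are dropped as well.
    """
    if claims.get("tid") != HOME_TENANT_ID:
        # Signed in from another tenant: allowed to use the app, no roles.
        return set()
    return {role for role in claims.get("roles", []) if role in KNOWN_ROLES}


def authorize(claims: dict, required_role: str) -> bool:
    """Authorization decision for one request, based on effective roles."""
    return required_role in effective_roles(claims)


# Constructed sample claim sets, as they would look after the token has been
# signature-, audience- and expiry-validated and decoded.
HOME_USER = {
    "tid": HOME_TENANT_ID,
    "oid": "11111111-1111-1111-1111-111111111111",
    "roles": ["Admin"],
}
FOREIGN_USER = {
    # A different tenant that self-assigned our Admin role in its own directory.
    "tid": "00000000-0000-0000-0000-000000000002",
    "oid": "22222222-2222-2222-2222-222222222222",
    "roles": ["Admin"],
}

if __name__ == "__main__":
    print(authorize(HOME_USER, "Admin"))     # True
    print(authorize(FOREIGN_USER, "Admin"))  # False
```

If several known tenants should be allowed to manage roles, `HOME_TENANT_ID` becomes an allowlist of tenant IDs; the point is the same: the `roles` claim on its own never grants anything, only `roles` from a trusted `tid` does.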