Last post Feb 11, 2016 06:22 AM by Jamobor yao - MSFT
Feb 10, 2016 05:57 PM | lax4u
We have an ASP.NET web application, and the application uses Azure AD for authentication. We host a separate instance of the application for each of our clients on separate web servers. So if we have 3 clients, let's say Client1, Client2 and Client3, then we will host the application on 3 different servers; each will have its own SQL DB (application database) and each will have its own domain name, e.g. www.client1.com, www.client2.com and www.client3.com respectively.
I wanted to know what would be a good practice to configure users in Azure AD in such a scenario. I think I have 2 options here (and I'm only talking about the production setup here):
1> Create a single Active Directory, create a group for each client and add users to each group based on client. Then create 3 applications in Azure AD and assign each group to its respective application.
2> Create 3 Active Directories, one per client. Add users to the directory. I don't think I have to create groups here. The web.config file of each instance will have a different federation metadata URL. This approach will provide high security, but I think maintenance will be a nightmare if we have more clients. Plus I cannot set up our organization domain for all Active Directories, but that's not a high priority for us.
I would like to know what would be the preferred setup here.
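Whichever layout is chosen, each hosted instance should still verify in its own code that a token belongs to its client, rather than relying only on the app assignment in the portal. The following is an added illustration (not code from the original post, and written in Python rather than the ASP.NET app's C#) of that per-instance check for both options; the tenant and group ids are constructed placeholders, and the claims are assumed to have already passed signature and expiry validation in the authentication middleware.

```python
"""Per-instance tenant isolation check for the two Azure AD layouts above.

  option 1 - one directory, one group per client: check the 'groups' claim
  option 2 - one directory per client: check the tenant id ('tid') claim
Claims are plain dicts here; signature/expiry validation is assumed to have
been done by the app's authentication middleware before this runs.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InstanceConfig:
    """What one deployed instance (e.g. www.client1.com) knows about its client."""
    tenant_id: str                          # directory this instance trusts
    client_group_id: Optional[str] = None   # option 1 only: the client's group object id


def token_allowed(claims: dict, cfg: InstanceConfig) -> bool:
    """Return True only if the token belongs to this instance's client."""
    # Both layouts: the token must come from the directory this instance trusts.
    # With option 2 this alone separates clients, since each has its own directory.
    if claims.get("tid") != cfg.tenant_id:
        return False
    # Option 1: one shared directory, so group membership is the only boundary.
    # A missing 'groups' claim (e.g. Azure AD omits it when a user is in too many
    # groups) is treated as "not a member", never as "allow".
    if cfg.client_group_id is not None:
        groups = claims.get("groups")
        if not isinstance(groups, list) or cfg.client_group_id not in groups:
            return False
    return True


# --- constructed sample data (placeholder ids, not real tenants or groups) ---
SHARED_TENANT = "11111111-1111-1111-1111-111111111111"   # option 1: one directory
CLIENT1_GROUP = "aaaaaaaa-0000-0000-0000-000000000001"
CLIENT2_GROUP = "aaaaaaaa-0000-0000-0000-000000000002"
CLIENT2_TENANT = "22222222-2222-2222-2222-222222222222"  # option 2: Client2's own directory


def sample_claims(tid: str, groups: Optional[list] = None) -> dict:
    """Build a constructed set of already-validated token claims."""
    claims = {"tid": tid, "upn": "user@example.com"}
    if groups is not None:
        claims["groups"] = groups
    return claims


if __name__ == "__main__":
    client1_opt1 = InstanceConfig(SHARED_TENANT, CLIENT1_GROUP)
    print(token_allowed(sample_claims(SHARED_TENANT, [CLIENT1_GROUP]), client1_opt1))  # True
    print(token_allowed(sample_claims(SHARED_TENANT, [CLIENT2_GROUP]), client1_opt1))  # False
```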
Feb 11, 2016 06:22 AM | Jamobor yao - MSFT
It is more related to your requirement. We need to follow some policy to manage Azure AD. You can manage each directory as a fully independent resource: each directory is a peer, fully featured, and logically independent of the other directories that you manage. There is no parent-child relationship between directories. This independence between directories includes resource independence, administrative independence, and synchronization independence.
Administrative independence. If a non-administrative user of directory 'Contoso' creates a test directory 'Test', then:
And if you change (add or remove) an administrator role for a user in one directory, the change does not affect any administrator role that the user may have in another directory.
Synchronization independence. You can configure each Azure AD independently to get data synchronized from a single instance of either: