Sebastian Zolg
Reputation: 1961
How to allow multi-tenant Azure Function with EasyAuth for selected tenants only?
Given a multi-tenant configured app (azure function) with EasyAuth enabled for Azure Active Directory only, how can I limit access to only selected tenants?
The consequence of using multi-tenant app with EasyAuth was removing the Issuer URL completely which means that everyone could access the app. I want to limit it to a few known tenants.
Can we somehow configure the Issuer URL to carry an array of tenant IDs?
Upvotes: 0
Views: 500
Answers (1)
Chris Gillum
Reputation: 15042
There isn't really a built-in way to do this as far as I know. Assuming that is the case, you'll want to implement it yourself in your application code. For example:
- Store a list of selected tenants in your application (e.g. in a database)
- For each request, look at the
iss(issuer) claim and compare it against your list of selected tenants - If the
issclaim doesn't match a selected tenant, redirect them to your custom registration page (or return 403 if you don't have one).
Upvotes: 1
Related Questions
- Invalid Audience when protecting Azure Function with App Service Authentication (EasyAuth) and a Custom OpenID Provider
- Secure Azure Functions App in another tenant
- How to restrict an Azure function app's access to only AD B2C API connector?
- EasyAuth with a SPA and AzureFunction on different hosts
- How do you configure Azure Function authentication by code?
- How to enforce AAD Application Role authorization with Azure Functions?
- Azure functions: Multiple functions with different authentication
- Restrict Azure Active Directory app access to specific tenants
- Limiting access to some Azure Functions to members of an AD group
- How to restrict tenants in multitenant application with Azure AD authentication