Reputation: 61
What is the best practice for creating an MVC Core application with multiple Azure AD B2C subscriptions? Is this possible? Each country has specific requirements for data residency of users. I need exactly this: a B2C subscription in Germany for German users, a B2C subscription in Canada for Canadian users, etc. Each user will be authenticated with the national B2C service and will use one global application. Is there an elegant solution for this kind of scenario? Thank you
Upvotes: 3
Views: 716
Reputation: 472
You may determine the user's location directly in your application using the method of your choice, be it a user preference setting in the app, an IP geomapping service, browser location or some other magic. Then in your app you can simply use the endpoint of one B2C tenant for German users and the endpoint of another B2C tenant if the user is in Canada.
A similar approach should probably be used for the user data, as noted by @wlami. His approach is infrastructure-centric, mine is app-centric and gives you control over the user location detection mechanism.
Upvotes: 1
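A sketch of this app-centric approach in ASP.NET Core (an added example, not code from the answer): two OpenID Connect schemes, one per B2C tenant, and a policy scheme whose selector forwards the sign-in challenge to whichever tenant the detected country maps to. The tenant names, user-flow name, client IDs and the `country` cookie used for location detection are assumed placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Scheme names are local to this app; tenant names and client IDs below are placeholders.
const string EuScheme = "B2C-EU";
const string NaScheme = "B2C-NA";
const string Selector = "B2CSelector";
const string Cookie = CookieAuthenticationDefaults.AuthenticationScheme;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthorization();
builder.Services.AddAuthentication(options =>
{
    // One session cookie for all users; only the sign-in challenge is forwarded per request.
    options.DefaultScheme = Cookie;
    options.DefaultChallengeScheme = Selector;
})
.AddCookie(Cookie)
.AddPolicyScheme(Selector, "Pick the B2C tenant by user location", o => o.ForwardDefaultSelector = SelectTenantScheme)
.AddOpenIdConnect(EuScheme, o => ConfigureB2C(o, "contosoeu", "B2C_1_signupsignin", "<eu-client-id>"))
.AddOpenIdConnect(NaScheme, o => ConfigureB2C(o, "contosoca", "B2C_1_signupsignin", "<ca-client-id>"));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Any protected endpoint triggers the selector, which picks the tenant before redirecting.
app.MapGet("/me", (HttpContext ctx) => ctx.User.Identity?.Name ?? "anonymous").RequireAuthorization();
app.Run();

// Location detection: a country cookie set by a preference page (assumed). Swap in IP geolocation
// or browser location as the answer suggests; the result only decides which tenant performs the login.
string SelectTenantScheme(HttpContext ctx) =>
    ctx.Request.Cookies.TryGetValue("country", out var c) && c == "CA" ? NaScheme : EuScheme;

void ConfigureB2C(OpenIdConnectOptions o, string tenant, string userFlow, string clientId)
{
    o.SignInScheme = Cookie;
    // B2C authority: tenant-specific b2clogin.com host plus the user flow (policy) name.
    o.Authority = $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{userFlow}/v2.0";
    o.ClientId = clientId;
    o.ResponseType = "code";              // authorization code flow; PKCE is the handler default
    o.CallbackPath = $"/signin-{tenant}";  // distinct redirect URI, registered in that tenant
    o.TokenValidationParameters.NameClaimType = "name";
}
```

Each tenant validates its own tokens against its own metadata, so a user is never authenticated by the wrong tenant; the selector merely chooses where the redirect goes.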
Reputation: 129
I would say your requirement "Germany for German users, Canada for Canadian users" is not possible.
If you take a look at the local availability of AAD B2C you will find that it's a "non-regional" service: https://azure.microsoft.com/en-us/global-infrastructure/services/?products=active-directory-b2c
The "country or region" option that you can select when you create a new B2C tenant is not equal to data residency. There is a "mapping" between the option you choose in the drop-down and the data residency. You can check this mapping here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-tenant-type
Right now, there are two possible data residencies: the USA and Europe. Considering this limitation, you should evaluate whether you still want to have multiple B2C tenants.
In case you decide that you still need "local" data residency (hello GDPR), you should be aware that besides the login information you probably also have application data saved in databases. One approach for this scenario is to duplicate your deployment (App Gateway / Web App / Databases / Caches) into two regions (one for the US data residency and one for the EU residency). You can use Azure Traffic Manager as a DNS load balancer and route your customers to the desired region depending on their location. You should check out https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/multi-region-sql-server. Then you can, for example, deploy your MVC CORE application into two different Azure Web Applications, one of them using your US AAD B2C tenant and the other the EU AAD B2C tenant.
Upvotes: 2