Tags: azure, azure-active-directory, rbac

Bypassing role based AAD access in Azure?


We have a multi-tenant ASP.NET MVC application *.foo.com hosted in Azure. We have also set up app roles for this. Here is what I want to achieve:

  1. Allow users from external tenants to login as long as they are assigned a role defined by us.
  2. Allow all employees of 'foo' to login irrespective of role assigned, as we don't want to assign every single person a role.

Does anyone know if the requirements above can be met using a single AAD app? The only other option I can think of is having 2 AAD apps, where the first one will be a multi-tenant app for external users and role based, while the second one will be a single-tenant app for internal users.

Any help is appreciated!

Thanks


Solution

  • You could use one multi-tenant app to achieve your two requirements.

    Requirement 1: After a user from a different tenant consents to the application, a representation of the application called a service principal is created in the user's tenant; you would find the provisioned application under Enterprise applications. Then an admin could assign roles to users in the external tenant: click on the Users tab, select any user and assign the user to an Application Role.

    Requirement 2: If you set the User assignment required? setting to false, then anyone in the current tenant could access the application by default. You could find the setting in Enterprise applications --> Your application --> Properties.
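One caveat worth pairing with the portal settings above: "User assignment required?" is a property of the service principal in each tenant, so the value you set in the home tenant says nothing about external tenants, where the external admin may leave assignment off and any of their users can then obtain a token for the app. The roles claim is only emitted for users who were actually assigned an app role, so the application itself should enforce "home tenant, or external user with a role" on every request. The following ASP.NET MVC authorize attribute is an added example written for this answer, not code from the question or from Microsoft; the home tenant ID, the role names and the class names are placeholders, and it assumes the OWIN OpenID Connect middleware has already validated the token and populated HttpContext.User.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Added example: enforces the two requirements from the question in code,
// as a second line of defence behind the Enterprise applications settings.
public static class AadTenantPolicy
{
    // Claim types as the OWIN/JWT middleware maps them from an Azure AD token:
    // "tid" becomes the tenantid claim, "roles" becomes ClaimTypes.Role.
    public const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    public const string RoleClaim = ClaimTypes.Role;

    // Placeholder (assumption): the directory (tenant) ID of 'foo'.
    public static string HomeTenantId = "00000000-0000-0000-0000-000000000000";

    // Placeholder (assumption): the app roles you defined in the app manifest
    // that entitle an external user to sign in. Checking against this list
    // rather than "any role" keeps the decision tied to roles you own.
    public static readonly HashSet<string> ExternalRoles =
        new HashSet<string>(StringComparer.Ordinal) { "ExternalReader", "ExternalAdmin" };

    public static bool IsAllowed(ClaimsPrincipal user, string homeTenantId)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        var tid = user.FindFirst(TenantIdClaim)?.Value;
        // Every Azure AD token carries tid; treat its absence as a failure.
        if (string.IsNullOrEmpty(tid))
            return false;

        // Requirement 2: any signed-in employee of the home tenant is allowed,
        // no role needed.
        if (string.Equals(tid, homeTenantId, StringComparison.OrdinalIgnoreCase))
            return true;

        // Requirement 1: users from any other tenant must carry at least one
        // of the app roles we defined. Unassigned users get no roles claim and
        // are refused even though they could obtain a token.
        return user.Claims.Any(c => c.Type == RoleClaim && ExternalRoles.Contains(c.Value));
    }
}

// Apply as [AadTenantAuthorize] on controllers, or register it globally in
// FilterConfig so every action is covered by default.
public class AadTenantAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User as ClaimsPrincipal;
        return AadTenantPolicy.IsAllowed(user, AadTenantPolicy.HomeTenantId);
    }
}
```

Registering the attribute globally (rather than per controller) is the safer default, since a newly added controller is then denied-by-default for external users until it is explicitly opened up. The decision is deliberately based on the validated tenant ID claim rather than on the user's UPN or e-mail domain, which are attacker-controlled in a tenant the attacker administers.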