
How to use a single application to access resources in multiple tenants in Azure AD?


My client application (hosted on a web server which is not on Azure) needs to access Azure Storage accounts for various Organizations.

Say there are three Organizations - Org1, Org2 and Org3. I would have one instance of my application running on my server for each of these 3 organizations, so basically they are isolated instances. There would be a UI-based form for an organization to enter their details (like subscription ID, storage account name, etc.).

I was under the impression that I have two options.

Option A - Create an app registration in each Organization. So there would be 3 apps created (one in each Organization's tenant). Each Organization would have to give their respective app's service principal a role to be able to access their Storage Accounts. So 3 apps and 3 service principals in total.

Option B - Create an app registration in my Organization (tenant). For ease of understanding let us call this SomanshOrg. Can we create a service principal in Org1, Org2 and Org3, where each Organization would have to give their respective app's service principal a role to be able to access their Storage Accounts? And then from my client application I would be able to access their resources. So 1 app and 4 service principals (3 Org + mine) in total.

The end goal is to only take credentials from the User in the initial UI form. And then we can access their Azure Storages without any more user involvement.

Which of these options would be better? Or is a different option more suitable for my use case?


Solution

  • Which of these options would be better? Or is a different option more suitable for my use case?

    Option B is better and I think it should be the most suitable way in this case.

    You just need to create a multi-tenant app in the SomanshOrg, then use the respective admin accounts of the Org1, Org2, Org3 to consent the app for the respective tenants.

    After the consent, the service principals will be located in the respective tenants; then you just need to add the RBAC roles for them on the storage account scope.

    The last step is to access the storage accounts. If you want to do this without any user involvement, just use the client credential flow to get the token to access the storage accounts. The advantage of option B is that we just need one application ID and one client secret (created in SomanshOrg); the secret can be used for all the service principals of the app.
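The steps in the answer above, as an added example that is not part of the original post: it builds the per-tenant admin consent URL, then runs the client credential flow for the single SomanshOrg app against each organization's own tenant and caches one access token per tenant, because a token issued by Org1's tenant is not valid for Org2's storage. Only the standard library is used; the HTTP transport is injectable so the flow can be exercised without network access. The app ID, secret, tenant IDs and storage account names are constructed placeholders.

```python
"""Added example (not from the original answer): one multi-tenant app,
one client secret, one client-credentials token per organization tenant.
All IDs, secrets and account names below are constructed placeholders."""
import json
import time
import urllib.parse
import urllib.request

# One app registration in SomanshOrg (placeholder values).
APP_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
APP_CLIENT_SECRET = "<client-secret-created-in-SomanshOrg>"
# ".default" asks for whatever app roles/permissions the tenant admin consented to.
STORAGE_SCOPE = "https://storage.azure.com/.default"

# Per-organization details, as captured once by the UI form in the question
# (placeholder tenant IDs and account names).
ORGS = {
    "Org1": {"tenant_id": "11111111-1111-1111-1111-111111111111",
             "storage_account": "org1storage"},
    "Org2": {"tenant_id": "22222222-2222-2222-2222-222222222222",
             "storage_account": "org2storage"},
    "Org3": {"tenant_id": "33333333-3333-3333-3333-333333333333",
             "storage_account": "org3storage"},
}


def admin_consent_url(tenant_id, redirect_uri):
    """URL an Org admin opens once; consenting creates the app's service
    principal inside that Org's tenant (the principal RBAC is then assigned to)."""
    params = urllib.parse.urlencode(
        {"client_id": APP_CLIENT_ID, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?{params}"


def token_endpoint(tenant_id):
    """Authority must be the organization's own tenant, not /common:
    client credentials are always issued by a specific tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def _default_post(url, form):
    """Real transport: form-encoded POST, JSON response."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(url, data=data) as resp:
        return json.load(resp)


class TenantTokenCache:
    """Caches one access token per tenant ID; the same app ID and secret are
    sent to every tenant, but the resulting tokens are never shared across them."""

    def __init__(self, post=_default_post, clock=time.time):
        self._post = post
        self._clock = clock
        self._tokens = {}  # tenant_id -> (access_token, expires_at_epoch)

    def get_token(self, tenant_id):
        cached = self._tokens.get(tenant_id)
        if cached and cached[1] - 60 > self._clock():  # 60 s refresh margin
            return cached[0]
        body = self._post(token_endpoint(tenant_id), {
            "client_id": APP_CLIENT_ID,
            "client_secret": APP_CLIENT_SECRET,
            "scope": STORAGE_SCOPE,
            "grant_type": "client_credentials",
        })
        expires_at = self._clock() + int(body["expires_in"])
        self._tokens[tenant_id] = (body["access_token"], expires_at)
        return body["access_token"]


def list_containers_request(org, cache):
    """Build the authenticated List Containers request for one org's account.
    Authorization succeeds only if that tenant's service principal holds an
    RBAC data role (e.g. Storage Blob Data Reader) on the account."""
    cfg = ORGS[org]
    url = f"https://{cfg['storage_account']}.blob.core.windows.net/?comp=list"
    headers = {
        "Authorization": f"Bearer {cache.get_token(cfg['tenant_id'])}",
        "x-ms-version": "2020-10-02",
    }
    return urllib.request.Request(url, headers=headers)


if __name__ == "__main__":
    for org, cfg in ORGS.items():
        print(org, "consent URL:",
              admin_consent_url(cfg["tenant_id"], "https://example.invalid/consent"))
    # With real values this would then send list_containers_request(org, cache).
```

Because one secret unlocks every organization's storage, keep it in a secret store rather than the per-org config, rotate it, and prefer a certificate credential or federated identity over a shared secret where the hosting environment allows it.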