Question

I am trying out the multi-tenant features in Azure Active Directory for my company. We want to offer single sign-on and claims-based authentication and authorization for users of our web applications. Some customers have their own Azure AD, while others will get users in an Azure AD that we own. We would like to allow all users from other approved Azure tenants to authenticate, but only specific users should be authorized, since we charge the customer per user per application. Hopefully, our Azure AD groups can be used for this purpose. I have successfully created a test app that allows users from both my Azure AD and from another tenant to log in to our application.

My question is this: Is it possible to add users from another Azure AD (that we do not control) to groups in our Azure AD, so that we can use the group membership of users to allow access to different applications that we build? Is this possible, or have I misunderstood something fundamental? :) Should we abandon Azure AD groups and use our own separate database to store claims that can be assigned to users from all tenants during the ASP security pipeline instead?

The application I tested got read access to the other Azure AD and read/write access to our Azure AD. I was unable to assign users (from another Azure AD) to our groups through the Azure management portal ("No user exists with this user name in a directory to which you have access."), and I have thus far been unable to do it with the Graph API from the application. Adding users that I create in our Azure AD to our groups works fine.


Solution

Fundamentally, you will need a database to keep your user mapping.

As we're here, consider Stack Overflow - you can create an identity with Stack Exchange, but you can also use your existing identity from Google, Yahoo or Facebook. This means that SO needs to keep a record of your identity in some database, and next to it what you're allowed and not allowed to do.

In many respects, though, you could consider WaaD simply as a database for that matter and automatically create the user record, but keep in mind that the user will not be authenticated to your AD. You will simply be using the Graph API to query based on a key, and this may be done more efficiently on a dedicated database or, arguably, something like Azure table storage.

Given that you will need to query the WaaD Graph API to get group membership anyway (it is not provided with the initial claim-set), you could query table storage instead.
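The mapping this answer describes, as an added example that is not part of the answer or of any Azure SDK: after the token has already been validated by the sign-in middleware, a claims-transformation step rejects tenants outside an allowlist and then enriches the principal with per-application roles read from an authorization store that the application owns. The store is keyed on the immutable `tid` and `oid` claims rather than on UPN or e-mail, because the home tenant's administrator can change those. All tenant ids, object ids, user names and roles below are constructed; the store is an in-memory dict standing in for the database or table storage the answer recommends.

```python
"""Map identities from several Azure AD tenants to application roles.

Constructed example: every id and name is made up. Only the claim names
(tid, oid, upn / preferred_username) follow the Azure AD token format.
"""
from dataclasses import dataclass, field

# Tenants whose users may authenticate at all (constructed tenant ids).
APPROVED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",  # our own Azure AD
    "22222222-2222-2222-2222-222222222222",  # a customer's Azure AD
}

# Authorization store owned by the application: (tid, oid) -> {app: {roles}}.
# Keying on tid+oid (both immutable) rather than UPN/e-mail means a renamed
# account keeps its entitlements and a new account with a reused name gets none.
AUTHZ_STORE = {
    ("22222222-2222-2222-2222-222222222222", "aaaaaaaa-0000-0000-0000-000000000001"): {
        "invoicing": {"reader"},
        "reporting": {"admin"},
    },
    ("11111111-1111-1111-1111-111111111111", "bbbbbbbb-0000-0000-0000-000000000002"): {
        "invoicing": {"admin"},
    },
}


@dataclass
class Principal:
    """The authenticated user plus the roles our store assigns to them."""
    tenant_id: str
    object_id: str
    user_name: str
    roles: dict = field(default_factory=dict)


def transform_claims(token_claims, approved=APPROVED_TENANTS, store=AUTHZ_STORE):
    """Turn validated token claims into a Principal with application roles.

    Raises PermissionError when the tenant is not approved or the token lacks
    the identifiers we key on. A user from an approved tenant who is not in
    the store is authenticated but receives no roles (and so no access).
    """
    tid = token_claims.get("tid")
    oid = token_claims.get("oid")
    if not tid or not oid:
        raise PermissionError("token lacks tid/oid claims")
    if tid not in approved:
        raise PermissionError(f"tenant {tid} is not approved")
    # v1 tokens carry 'upn', v2 tokens 'preferred_username'; display only.
    name = token_claims.get("upn") or token_claims.get("preferred_username", "")
    roles = {app: set(r) for app, r in store.get((tid, oid), {}).items()}
    return Principal(tid, oid, name, roles)


def is_authorized(principal, app, role):
    """Authorization check used by the per-application pipeline."""
    return role in principal.roles.get(app, set())


def grant_role(store, tid, oid, app, role):
    """Entitle one user to one role in one application (a licensing event)."""
    store.setdefault((tid, oid), {}).setdefault(app, set()).add(role)


def licensed_user_count(app, store=AUTHZ_STORE):
    """Number of users holding any role in `app`; the per-user billing basis."""
    return sum(1 for roles in store.values() if roles.get(app))


if __name__ == "__main__":
    # Constructed claims for a customer-tenant user already in the store.
    claims = {
        "tid": "22222222-2222-2222-2222-222222222222",
        "oid": "aaaaaaaa-0000-0000-0000-000000000001",
        "preferred_username": "alice@customer.example",
    }
    p = transform_claims(claims)
    print(p.user_name, "invoicing/reader:", is_authorized(p, "invoicing", "reader"))
```

Group membership from the home tenant never enters this path, which is the point of the answer: the entitlement lives in a store the application controls, so it can be charged, audited and revoked per user per application without any write access to the customer's directory.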

OTHER TIPS

For your specific case of "No user exists with this user name in a directory to which you have access": YES, this can be met, and you can add the user of one Azure AD (abc.onmicrosoft.com) to another (def.onmicrosoft.com).

Necessary conditions:

1. You have to be at least a global-admin-user & co-admin in the Azure AD in which you have to add the user from another Azure AD.
2. You should be explicitly added in the other Azure AD, whose user you are registering in the current Azure AD, with at least a "User" privilege.

Boom!! User added with "Sourced from: Another Azure AD" tag.

You can try a B2B invitation from your Azure AD to the members of a different domain. As you said you have to allow people from multiple tenants, create a group, add the users via B2B invitation and map that group to your app. This is really handy because it works in a single go as well as being easy to maintain.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow