What are the Azure Authentication and Authorization Best Practices for a complicated situation?

We are trying to develop an Insurance Agent Web Portal using Azure and have some fairly complicated requirements for our Users/Agents: We want each Agent to only have one login ID/password, but they may be associated with multiple agencies and their security levels may vary based on the agency.

For example, the Agent Bob may be authorized to access the Portal for Agency XX and also Agency YY, but for Agency XX he should have admin level privileges while for Agency YY he should only have Basic privileges. Once Bob logs in, we would like to present a screen to him so he can choose which Agency he is currently working with, and later he can switch to the other agency.

I realize this is probably not built into either Azure AD or asp.net Identity but any suggestions about which one might be a good starting point would be appreciated.
Adam Brown, Sr Solutions Architect, commented:
Groups in Azure AD would be the most appropriate method for handling access to the various portals. For instance, you could have a number of groups with varying access to each agency portal, where Group A has basic privileges to Agency XX, Group B has admin privileges to Agency XX, and so on. Using that method, you would then add users to the groups that align with the access they need for each agency. So Agent Bob would be in Group A that has basic access to Agency XX, Group D that has Admin access on Agency YY, and Group K that has limited access to Agency ZZ. This could be simplified by nesting groups for access levels that are extremely common (Basic access to all agencies, basic access to midwest agencies, etc.). This is fairly similar to a regular Active Directory based permission scheme and follows the same standards.
aaronzw, Programmer (Author), commented:
Thank you very much for your prompt response!

A couple of follow-up questions:

1. Could AD help with determining what is the Current Agency that the logged-in User has selected, or would that be outside the scope of AD? In other words, if Billy Bob logs in and has various permissions for 5 different Agencies, can we somehow store in AD which Agency he has currently chosen?

2. For each Agency, there will be an identical list of permissions: Can_Create_Policies, Can_Access_Accounting, Can_Generate_Quotes, Can_Review_Documents and Can_Add_messages. And each user can have any combination of these. Is there a way to use AD groups such that I don't have to make a new Group for every possible permutation of these 5 permissions?
Cliff Galiher commented:
This really isn't an authentication issue. And while the suggestion of groups is interesting, it wouldn't scale well on its own. This sounds like a business logic issue and would therefore be reliant on coding appropriately in the app. Azure AD would really only facilitate the single ID/sign-on experience.

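An added example, not code from any of the posters, that puts the two replies together: the directory holds one group per agency per permission (5 groups per agency rather than one per permutation, which would be 32), while the currently selected agency and the per-agency permission check live in the application, as the second reply suggests. The `Agency-<code>-<permission>` group-naming convention and Bob's group list below are assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed naming convention (not from the thread): "Agency-<code>-<permission>".
# Five such groups per agency cover every combination of the five permissions.
PERMISSIONS = {"Can_Create_Policies", "Can_Access_Accounting", "Can_Generate_Quotes",
               "Can_Review_Documents", "Can_Add_messages"}


def parse_group(name):
    """Return (agency, permission) for a conforming group name, else None."""
    parts = name.split("-", 2)
    if len(parts) != 3 or parts[0] != "Agency" or parts[2] not in PERMISSIONS:
        return None  # unrelated group, or a name that is not a known permission
    return parts[1], parts[2]


def permissions_by_agency(group_names):
    """Map each agency code to the set of permissions granted by the user's groups."""
    grants = defaultdict(set)
    for name in group_names:
        parsed = parse_group(name)
        if parsed:
            agency, permission = parsed
            grants[agency].add(permission)
    return dict(grants)


class AgentSession:
    """Application-side state: the selected agency is kept here, not in the directory."""

    def __init__(self, group_names):
        self.grants = permissions_by_agency(group_names)
        self.current_agency = None  # nothing selected until the agent picks one

    def available_agencies(self):
        return sorted(self.grants)

    def select_agency(self, agency):
        # Only agencies the agent has at least one group for may be selected.
        if agency not in self.grants:
            raise PermissionError(f"no group membership for agency {agency}")
        self.current_agency = agency

    def can(self, permission):
        # Deny until an agency is selected; then consult only that agency's grants.
        if self.current_agency is None:
            return False
        return permission in self.grants.get(self.current_agency, set())


# Constructed sample of Bob's group memberships (not real data): admin-like in XX,
# quotes only in YY, plus two groups the convention should ignore.
BOB_GROUPS = ["Agency-XX-Can_Create_Policies", "Agency-XX-Can_Access_Accounting",
              "Agency-XX-Can_Generate_Quotes", "Agency-XX-Can_Review_Documents",
              "Agency-XX-Can_Add_messages", "Agency-YY-Can_Generate_Quotes",
              "All-Staff", "Agency-ZZ-Not_A_Permission"]
```

Switching agencies is just another call to `select_agency`, so the same login carries different effective rights depending on which agency Bob is working in.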
aaronzw, Programmer (Author), commented:
Thanks for your help