API access using logged in user's SSO credentials
02-28-2024 08:18 AM
Hi everyone,
My first time posting here, hoping someone can help me with this.
We have a need to perform API calls into Microsoft EntraID, where a user is logged in on our Service Portal and authenticated against the same EntraID using SSO.
For security purposes, we want the API call to actually use the logged-in user's SSO credentials to perform the action.
Some background: we want (power) users in the portal to be able to add or remove other users in their company to certain groups in EntraID.
Our portal is used by various different customer companies, so we want to prevent the users from somehow modifying accounts in EntraID for a different customer company 🙂
The current proposed solution internally is to create separate API users within EntraID and limit their access to each specific customer's company users, but as the usage of this feature grows, that would mean creating dozens, possibly hundreds of API users in EntraID, introducing another security and manageability risk. 😞