I recently had a project where I had to link our ws1 access tenant to multiple customer tenants. On its own that is not noteworthy and easily done with SAML. However, I wanted to set the access level in the customer tenant based on attributes in our own ws1 access tenant. So user 1, Debby, would be a console administrator, while user 2, Nancy, would only have read-only access.

Let’s create a new web application and in the configuration step expand the advanced properties.

Go to custom attribute mapping and add the attributes that you want to pass along to the customer ws1 access tenant. Two things worth mentioning here:

  1. Use objectGUID as the external ID; this allows for user updates.
  2. Add ExternalLevel with a static value (full or readonly). This will be used to put the user in the correct group in the customer ws1 access tenant.

Now save this web application, make a copy, and in the copy change the static text to readonly. Next, assign both web applications to the correct user(s) and/or groups, and you are done with part one.
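To make the mapping concrete from the receiving side, here is an added example (not code from the original post or from the ws1 access product) that parses the AttributeStatement of an assertion carrying the two mapped attributes and works out which customer-tenant group the user belongs in. The attribute names `ExternalId` and `ExternalLevel`, the group names and the sample assertion are assumptions constructed for illustration; the point it adds is that only the two known level values are honoured and anything else lands in the read-only group.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Only these ExternalLevel values are honoured; any other value falls back to
# the least-privileged group instead of failing open.
LEVEL_TO_GROUP = {"full": "Console Administrators", "readonly": "Read-only Admins"}
DEFAULT_GROUP = "Read-only Admins"

# Constructed sample assertion fragment (hypothetical values) carrying the
# objectGUID-based external ID and the static ExternalLevel attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>debby@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="ExternalId">
      <saml:AttributeValue>8b0e7d3c-1111-2222-3333-444455556666</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="ExternalLevel">
      <saml:AttributeValue>full</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: first value} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def resolve_group(attrs):
    """Map ExternalLevel to a customer-tenant group, keyed by the external ID.

    A missing ExternalId is refused outright (nothing stable to key the user
    on); an unknown or missing ExternalLevel gets the read-only group.
    """
    external_id = attrs.get("ExternalId")
    if not external_id:
        raise ValueError("assertion lacks ExternalId; refusing to provision")
    level = attrs.get("ExternalLevel", "").lower()
    return external_id, LEVEL_TO_GROUP.get(level, DEFAULT_GROUP)


if __name__ == "__main__":
    print(resolve_group(extract_attributes(SAMPLE_ASSERTION)))
```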