Multi-Tenancy Model

DZDesk automatically assigns users to the correct organization (tenant) based on their identity provider settings. Both Azure Entra ID and Google Workspace follow a domain-based isolation model to ensure secure and predictable tenant boundaries.

Login Page

The DZDesk login page provides two authentication options:

  • Sign in with Microsoft Entra ID — for Azure AD / Entra ID users
  • Sign in with Google Workspace — for Google Workspace users only

A subtitle reminds users: "Use your organization account to sign in."

This clearly communicates that DZDesk is for enterprise use only and personal accounts are not supported.

Azure Entra ID (Microsoft SSO)

For Entra-based authentication, DZDesk uses the Azure Tenant ID (tid claim) to uniquely identify each organization.

How it works:

  1. User clicks "Sign in with Microsoft" on the login page
  2. DZDesk extracts the tid (Tenant ID) from the Azure token
  3. System looks up or creates a company with matching azure_tenant_id
  4. User is automatically assigned to that company

Key behaviors:

  • Users signing in through an Azure enterprise application are automatically mapped to the DZDesk organization that matches their Entra Tenant ID
  • The first user from a new tenant automatically becomes Admin (to configure groups)
  • All subsequent users from the same Entra tenant are automatically placed into the same DZDesk organization, with their role taken from group membership
  • Cross-tenant logins are blocked unless explicitly invited by an admin

Stored identifiers:

  • entra_id (oid): Azure Object ID - unique per user
  • tenant_id (tid): Azure Tenant ID - unique per organization

This guarantees strict isolation and aligns with Microsoft's enterprise identity model.

Google Workspace (Google SSO)

For Google SSO, DZDesk uses the hosted domain (hd claim) from Google Workspace.

How it works:

  1. User clicks "Sign in with Google" on the login page
  2. DZDesk extracts the hd (hosted domain) from Google's OAuth response
  3. System looks up or creates a company with matching google_workspace_domain
  4. User is automatically assigned to that company

Key behaviors:

  • Users signing in with a work email (e.g. user@acme.com) are automatically placed into the Acme organization
  • The first user from a new corporate domain automatically becomes Admin
  • All subsequent users from the same Google Workspace domain join the same organization
  • DZDesk can link existing Azure-based companies to Google Workspace domains (hybrid identity support)
  • Personal Gmail accounts are blocked — users with @gmail.com cannot sign in at all. Only Google Workspace accounts are permitted
  • Other public email providers (e.g. @hotmail.com, @outlook.com) are similarly blocked from Google login

Stored identifiers:

  • google_id (sub): Google's unique user ID
  • google_workspace_domain: The company's Google Workspace domain

This prevents unauthorized organization creation and keeps the tenant model clean and predictable.

Company Auto-Creation

When a user signs in for the first time from a new tenant/domain:

| Field | Value |
| --- | --- |
| name | Generated from domain (e.g., acme.com → Acme) |
| subdomain | Unique subdomain based on domain name |
| subscription_plan | trial |
| subscription_status | active |
| subscription_end_date | 14 days from creation |
| max_users | Unlimited during trial |

Hybrid Identity Support

Organizations using both Azure and Google can link both identity providers to the same DZDesk company:

Company: Acme Corp
├── azure_tenant_id: "abc123-..."
└── google_workspace_domain: "acme.com"

Users can sign in with either provider and access the same organization.
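
The Entra ID and Google Workspace sign-in flows above, including the hybrid link, shown as an added Python example (not DZDesk's own code). It assumes the claims come from an ID token whose signature, issuer and audience were already validated; `TenantStore`, `Company`, `LoginRejected`, `PUBLIC_DOMAINS` and the role names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed blocklist for illustration; the page names gmail.com, hotmail.com, outlook.com.
PUBLIC_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com"}


class LoginRejected(Exception):
    """Raised when claims cannot be mapped to a tenant."""


@dataclass
class Company:
    azure_tenant_id: Optional[str] = None
    google_workspace_domain: Optional[str] = None
    users: dict = field(default_factory=dict)  # (provider, subject) -> role


class TenantStore:
    """Hypothetical in-memory stand-in for the company table."""

    def __init__(self):
        self.companies = []

    def resolve(self, provider, claims):
        """Map claims from an already signature-verified ID token to a company."""
        if provider == "entra":
            attr, tenant, subject = "azure_tenant_id", claims.get("tid"), claims.get("oid")
        elif provider == "google":
            # Use only the hd claim; a domain parsed from the email address is
            # not proof of Workspace membership.
            attr, tenant, subject = "google_workspace_domain", claims.get("hd"), claims.get("sub")
            if tenant and tenant.lower() in PUBLIC_DOMAINS:
                raise LoginRejected("public email domain")
        else:
            raise LoginRejected("unknown provider")
        if not tenant or not subject:
            raise LoginRejected("missing tenant or subject claim")
        tenant = tenant.lower()
        company = next((c for c in self.companies if getattr(c, attr) == tenant), None)
        if company is None:  # first sign-in from this tenant: auto-create
            company = Company(**{attr: tenant})
            self.companies.append(company)
        # First user becomes admin; later users get a placeholder role (the page
        # assigns it from group membership, which is not modelled here).
        role = company.users.setdefault(
            (provider, subject), "admin" if not company.users else "user")
        return company, role
```

A Google token without an `hd` claim is rejected by the missing-claim check, which is how a personal Gmail account is kept out even before the blocklist applies.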

Why This Model?

Using Tenant ID for Entra ID and Workspace domain for Google provides:

| Benefit | Description |
| --- | --- |
| Deterministic multi-tenancy | Clear, predictable tenant assignment |
| Strong isolation | Enterprise customers are fully separated |
| Consistent onboarding | Same experience across identity providers |
| Protection | Prevents accidental or risky organization creation |
| Seamless auto-join | Internal users automatically join their organization |
| Hybrid support | Same company can use Azure + Google together |