Multi-Tenant Authentication Using Azure AD In ASP.NET

In my previous article I demonstrated single-tenant authentication using Azure AD.

For a refresher on the basics of Azure AD, please refer to:

In this article we will see how to implement multi-tenant authentication using Azure AD.

What is Multi-Tenant Authentication

  • Multi-tenant authentication means that an application registered in one Azure AD directory (tenant) can be signed into both by users of that directory and by users of other directories.

Let's understand this in more detail with the help of the diagram below:

[image: diagram of Directory 1 (TestUser1, TestApplication1) and Directory 2 (TestUser2)]

As you can see in the diagram, we have two Azure AD directories (tenants): Directory 1 and Directory 2. Directory 1 contains one user (TestUser1) and one application (TestApplication1).

Directory 2 contains one user (TestUser2).

Since TestUser1 belongs to Directory 1, it can obviously access the application (TestApplication1).

But when TestUser2 from Directory 2 wants to access TestApplication1, the concept of multi-tenancy comes into the picture.

For that, while registering the application in Azure AD, we have to set whether the application (here TestApplication1) is multi-tenant or not.

[image: application registration with the 'Application is multi-tenant' switch]

As shown in the image above, once 'Application is multi-tenant' is set to YES, the user from Directory 2 (TestUser2) can access the application (TestApplication1) of Directory 1, provided TestUser2 is also added to Directory 1 as a user from another directory, which we will see in the subsequent steps.

Pre-Requisites

You need the following software installed before proceeding.
  1. Visual Studio 2013

    If you don't have Visual Studio 2013 installed on your computer, you can download it from this URL.

  2. Windows Azure Subscription

    You can also subscribe for a free trial of Windows Azure from this URL.

  3. Windows Azure SDK 2.8.2

    To download the latest SDK, use this link.

For configuring Azure AD, please refer to my previous article:
Once the tenants are created you can add users to them; refer to the separate article on creating users in Azure Active Directory. I have created one user in each of AD1 and AD2.

[image: user created in the AD1 tenant]

[image: user created in the AD2 tenant]

You also need to add one application in one of the directories you have configured.

For adding a new application in Azure Active Directory, refer to the previous article.

As shown in the image below, I have added one application, 'samplemultitennatapp', in the AD1 tenant.

[image: application 'samplemultitennatapp' registered in the AD1 tenant]

One additional thing to take care of: set the 'Application is multi-tenant' switch to YES for the application you added in Azure Active Directory.

Also, since multi-tenant authentication means that a user of one tenant can access an application registered in another tenant, we need to add the user of one directory into the directory in which the application is registered. This is what lets the tenant-specific sign-in used in this walkthrough succeed. An application that should accept users of any tenant without adding them individually signs in against the 'common' endpoint instead, and must then validate the tenant ID (tid) claim of every token itself, because the middleware cannot validate the issuer of a token from a tenant it does not know in advance.

As shown in the image below, I have added the user myad2user of Directory 2 (ad2) into Directory 1 (ad1).

[image: myad2user of ad2 added to the ad1 directory]

Let's create a simple ASP.NET application in which we implement multi-tenant authentication using Azure AD.

We will use Visual Studio, since its project templates do much of the work of implementing single sign-on for us.

  1. Open Visual Studio.

  2. Go to File -> New -> Project and the following screen will appear.

    [image: New Project dialog]
  1. Go to Installed templates -> Visual C# -> Cloud -> QuickStarts -> App Services -> select 'Azure Active Directory: Web Authentication with OpenID Connect OWIN middleware'.

  2. Significance of using the OpenID Connect OWIN middleware template: with the OpenID Connect middleware you don't need to do anything beyond supplying the client ID and tenant that you configured in Azure AD. The template also adds all the OpenID Connect (OWIN and JWT) assemblies to the project references automatically.

    [image: generated project in Visual Studio]
  1. Now open FilterConfig.cs and register the authorization filter, filters.Add(new AuthorizeAttribute()); so that the login screen is displayed before the home page.

  2. Also replace the values of the client ID and tenant in web.config with the actual values configured in Azure AD when registering the application, as shown below.

    [image: ida:ClientId and ida:Tenant appSettings in web.config]

  3. Make sure the PostLogoutRedirectUri is set to your local project URL; this URL also has to be registered in the directory under which the application is configured.

    We set this URL as the SIGN-ON URL and REPLY URL of the registered application in Azure AD. The reply URL has to match what the application sends exactly (scheme, host, port and trailing slash), otherwise Azure AD refuses to redirect back to the application after sign-in.

    For example, in my case the project URL is https://localhost:44320/ and I have set it as the sign-on URL and reply URL in the ad1 tenant in the Azure portal, as shown in the images below.

    [image: sign-on URL set to https://localhost:44320/ in the ad1 tenant]

    [image: reply URL set to https://localhost:44320/ in the ad1 tenant]

  4. Now let's run the application locally with two different users: myad1user (user of tenant AD1) and myad2user (user of tenant AD2).

  5. First I sign in with myad1user.

    [image: sign-in prompt for myad1user]

    [image: application signed in as myad1user]

    As you can see from the images above, I am able to sign in with myad1user.

  6. But from the multi-tenant point of view, which is the main focus of this article, let's see whether we can sign in with myad2user of the other tenant, AD2.

    [image: sign-in prompt for myad2user of tenant AD2]

    [image: application signed in as myad2user]

As you can see from the images above, we are also able to sign in with a user of the other directory (tenant).
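For reference, here is what the template's Startup.Auth.cs looks like once the settings from the steps above are wired in. This is an added example written for this article, not code from the original page or from the Visual Studio template. It goes one step beyond the walkthrough: besides the template's ida:ClientId, ida:AADInstance, ida:Tenant and ida:PostLogoutRedirectUri settings, it reads a hypothetical ida:AllowedTenantIds setting and rejects tokens whose tenant ID is not on that list, which is the check a multi-tenant application needs if it signs in against the 'common' endpoint instead of a single tenant. The namespace, the ida:AllowedTenantIds key and the /Home/Error route are assumptions.

```csharp
// Startup.Auth.cs (added example, not the article's code).
// Assumed web.config appSettings, following the template's ida:* naming:
//   <add key="ida:ClientId" value="<client id from the Azure AD app registration>" />
//   <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
//   <add key="ida:Tenant" value="ad1tenant.onmicrosoft.com" />          (or "common")
//   <add key="ida:PostLogoutRedirectUri" value="https://localhost:44320/" />
//   <add key="ida:AllowedTenantIds" value="<tenant id of ad1>,<tenant id of ad2>" />  (hypothetical key)
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Globalization;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace SampleMultiTenantApp
{
    public partial class Startup
    {
        private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static readonly string AadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        private static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static readonly string PostLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

        // Tenant IDs (GUIDs) whose users may sign in. Hypothetical setting: with a
        // tenant-specific authority it is a second line of defence; with "common" it is
        // the only thing stopping a user of any Azure AD tenant in the world from signing in.
        private static readonly HashSet<string> AllowedTenantIds = new HashSet<string>(
            (ConfigurationManager.AppSettings["ida:AllowedTenantIds"] ?? string.Empty)
                .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries),
            StringComparer.OrdinalIgnoreCase);

        // Claim type under which Azure AD (v1 endpoint) puts the issuing tenant's ID.
        private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

        public void ConfigureAuth(IAppBuilder app)
        {
            bool commonEndpoint = string.Equals(Tenant, "common", StringComparison.OrdinalIgnoreCase);

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                // ida:Tenant = the ad1 tenant name reproduces the article's setup (users of ad1
                // plus users added to it from ad2); ida:Tenant = "common" accepts any tenant.
                Authority = string.Format(CultureInfo.InvariantCulture, AadInstance, Tenant),
                // Must match a registered Reply URL exactly, or Azure AD refuses to redirect back.
                RedirectUri = PostLogoutRedirectUri,
                PostLogoutRedirectUri = PostLogoutRedirectUri,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // With "common" the issuer in the discovery metadata is a template containing
                    // "{tenantid}", so the middleware cannot validate it; keep the built-in check
                    // for a known tenant and rely on the allow-list below otherwise.
                    ValidateIssuer = !commonEndpoint
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = context =>
                    {
                        ClaimsIdentity identity = context.AuthenticationTicket.Identity;
                        Claim tid = identity.FindFirst(TenantIdClaim);
                        if (tid == null || !AllowedTenantIds.Contains(tid.Value))
                        {
                            // Throwing here aborts the sign-in (no cookie is issued) and
                            // routes the request to AuthenticationFailed below.
                            throw new SecurityTokenValidationException(
                                "Tenant " + (tid == null ? "(none)" : tid.Value) + " is not allowed to use this application.");
                        }
                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = context =>
                    {
                        // Suppress the middleware's default error response and show our own page.
                        context.HandleResponse();
                        context.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(context.Exception.Message));
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

Together with filters.Add(new AuthorizeAttribute()); in FilterConfig.cs, every request to the site triggers the OpenID Connect challenge, and a token whose tid claim is not on the allow-list is rejected before a session cookie is issued. In the article's setup (tenant-specific authority, myad2user added to ad1) the token for myad2user is issued by ad1 and carries ad1's tenant ID in tid, so only ad1's ID is strictly required on the list; with "common" the token comes from the user's home tenant, so both tenant IDs have to be listed.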

Now let's publish our application to Azure. For publishing a web app to Azure, refer to Single Tenant Authentication Using Azure AD in ASP.Net.

Note: once your web app is created, replace the following value of PostLogoutRedirectUri with the actual web app URL.

<add key="ida:PostLogoutRedirectUri" value="https://localhost:44320/" />

Also, in the Azure portal, replace the sign-on URL and reply URL with the actual web app URL.

Now that I have published my application to a web app on Azure, I will once again authenticate to the app with my two users, myad1user (user in the AD1 tenant) and myad2user (user in the AD2 tenant).

[image: published web app signed in as myad1user]

[image: published web app signed in as myad2user]

As you can see from the images above, I am able to log in to the web app published on Azure with both users, myad1user (user in the AD1 tenant) and myad2user (user in the AD2 tenant).

Summary

In this article I have demonstrated the following:

  1. What do we mean by Multi Tenancy?
  2. How to configure an application for multi tenancy.
  3. How to add users from one directory to other directory.
  4. How to create an application in ASP.Net which uses multi tenancy.