Multi-tenant ASP.NET Application using Azure AD

Users like simplicity when it comes to registering on a website, and they hate remembering a different username and password for each service they use. They also want to feel secure and do not want to share their full social media data with the websites they use. This is where the OAuth 2.0 protocol comes in handy. OAuth is an open standard for authorization and works in such a way that the web app never gets access to the user's credentials, yet the user can still be validated and authenticated on that web application through a couple of redirects and authorization codes exchanged with providers like Facebook, Google, Azure or Twitter.

With Microsoft Visual Studio it is very straightforward to create an application that uses Azure AD authentication. However, we can go one step further and create a multi-tenant application. This means that not only users from our company (i.e. users belonging to one Active Directory) will be able to access the web application, but also any user who is in a Microsoft domain or has a Microsoft account (Live, Outlook, Hotmail). Furthermore, the web application can recognize the users that belong to the company that owns the application and can easily serve them different content.

Figure: The web application can recognize the users that belong to the company that owns the application

First we need to create an Azure Active Directory for the application. For testing purposes, we can create two directories: one to be the owner of the application and the other to be a user of it.

  1. Sign in to the Classic Azure Management Portal
  2. Navigate to the Active Directory, and then click New
  3. Select Custom Create, and enter the information for the AD

Figure: Creating an Active Directory for the application

  4. Once the process is finished, navigate into that AD and then select the Users tab
  5. Create a user

Figure: Creating a user

  6. Repeat steps 2-5 to create a second AD with one user, representing the second company

Once the directories are ready, you can proceed with creating a new ASP.NET Web Application.

Figure: Creating a new ASP.NET Web Application

Choose the MVC template, and click Change Authentication.

Figure: Changing authentication

On the "Change Authentication" screen there are several options. If you choose Work And School Accounts, you will see a list of all your directories.

  1. Select Cloud – Multiple Organizations (for multi-tenant access)
  2. Select one of the domains you created earlier on your AD
  3. Click OK, and then again OK on the previous screen

And that's it. Visual Studio will automatically register a multi-tenant application in your Azure AD and set up the authentication and authorization hooks that force users to log in to Azure before they can access any content in your application.

Figure: Logging in to the Azure application

If we want to change the content of the application for different tenants, i.e. depending on whether the user is within the owning organization or not, we can add a MainDomain property to the appSettings section of our Web.config.

Then add the corresponding changes to Index() in our HomeController.

And update Home/Index.cshtml so that the message is shown.
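The tenant check described in the three steps above, written out as an added example rather than the post's own code. It assumes the Web.config key MainDomain holds the owning tenant's verified domain (for example contoso.onmicrosoft.com), that the OWIN OpenID Connect middleware created by the template has populated the user's claims, and that the helper name IsMainDomainUser and the optional MainTenantId setting are my own additions.

```csharp
using System;
using System.Configuration;
using System.Security.Claims;
using System.Web.Mvc;

namespace MultiTenantApp.Controllers
{
    [Authorize]
    public class HomeController : Controller
    {
        // Azure AD issues the signed-in user's tenant ID in this claim. Comparing it is more
        // robust than parsing a user name, but the post's own approach (the domain of the UPN)
        // is kept as the default so the example matches the MainDomain setting it describes.
        private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

        // Decides whether the signed-in user belongs to the owning organisation.
        // Static so the rule can be unit-tested without any MVC plumbing.
        public static bool IsMainDomainUser(ClaimsPrincipal user, string mainDomain, string mainTenantId = null)
        {
            if (user == null || string.IsNullOrWhiteSpace(mainDomain)) return false;

            // Assumption: an optional MainTenantId appSetting; when present, trust the tenant ID only.
            if (!string.IsNullOrWhiteSpace(mainTenantId))
            {
                var tid = user.FindFirst(TenantIdClaim)?.Value;
                return string.Equals(tid, mainTenantId, StringComparison.OrdinalIgnoreCase);
            }

            // Fall back to the domain part of the UPN, which is what MainDomain is compared against.
            var upn = user.FindFirst(ClaimTypes.Upn)?.Value ?? user.FindFirst(ClaimTypes.Name)?.Value;
            var at = upn?.LastIndexOf('@') ?? -1;
            if (at < 0) return false;
            var userDomain = upn.Substring(at + 1);
            return string.Equals(userDomain, mainDomain, StringComparison.OrdinalIgnoreCase);
        }

        public ActionResult Index()
        {
            var mainDomain = ConfigurationManager.AppSettings["MainDomain"];
            var mainTenantId = ConfigurationManager.AppSettings["MainTenantId"]; // optional, assumed key
            var principal = User as ClaimsPrincipal;

            ViewBag.Message = IsMainDomainUser(principal, mainDomain, mainTenantId)
                ? "Welcome, " + mainDomain + " colleague: here is the internal content."
                : "Welcome, guest from another organisation: here is the public content.";

            return View(); // Home/Index.cshtml renders @ViewBag.Message
        }
    }
}
```

Because the multi-tenant template disables issuer validation in the OpenID Connect middleware so that any Azure AD tenant can sign in, a check like this is where the application itself decides which tenant sees which content.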

After running the application and logging in with two different users, we can see that the content differs based on the user's domain.

Figure: Different content based on the user's domain

Dimitar Boshevski,

Microsoft Practice Lead