Developing ASP.NET Apps with Windows Azure Active Directory

By Rick Anderson|

Microsoft ASP.NET tools for Windows Azure Active Directory makes it simple to enable authentication for web applications hosted on Windows Azure Web Sites. You can use Windows Azure Authentication to authenticate Office 365 users from your organization, corporate accounts synced from your on-premise Active Directory or users created in your own custom Windows Azure Active Directory domain. Enabling Windows Azure Authentication configures your application to authenticate users using a single Windows Azure Active Directory tenant.

This tutorial was written by Bhavesh Chauhan and Rick Anderson( @RickAndMSFT ) .
This tutorial will walk you through creating an ASP.NET app configured with single organizational accounts hosted on Windows Azure Active Directory.


  1. Visual Studio Express 2013 RC for Web or Visual Studio 2013 RC.
  2. An account on Windows Azure. You can get a free account here.

Add a Global Admin to your Active Directory Account

  1. Log in to the Windows Azure Portal.
  2. Select or create a Windows Azure Active Directory (AD) account. If you have previously created a Windows Azure AD account, use that. If you don't have a Windows Azure AD account, create one. New Windows Azure subscribers will have an AD account called Default Directory.
  3. Create a new user in your AD account in the Global Administrator role.  Select your AD account and click Add User. (For more detailed instructions see Managing Windows Azure AD from the Windows Azure Portal 1– Sign Up with an Organizational Account )

  4. Enter a name for the user and then click the right arrow.

  5. Enter the user name and set the role to Global Administrator. Global admins require an alternate email address. Click the right arrow.

    Click Create. Copy the temporary password, you will need to change it the first time you log in.

Create an ASP.NET App

  1. In Visual Studio 2013 RC, create a new ASP.NET MVC or Web Forms project. Click Change Authentication.

  2. Select Organizational Accounts. Enter your domain name and then select Single Sign On, Read directory data. Click OK

    Note: Under More Options you can set the realm (Application ID URI). The App ID URI is automatically populated based on the project name with the format https://<domainname>/<projectname>. You can modify it to guarantee that it’s a valid App ID URI corresponding to the tenet. You can also specify an App ID URI  corresponding to any custom domains that you might have added using Windows Azure portal. For most uses, the default App ID URI works.

    While provisioning the application, the tool will look for an existing application with the specified App ID URI and overwrite values such as the return URL. You can uncheck the Overwrite option to always create a new application. The tool will automatically append a unique number at the end of App ID URI to ensure that it doesn’t conflict with an existing application.
  3. Enter the global admin account in your Active Directory.
  4. Click Create Project.
  5. Click Control F5 to run the project. Your browser will issue a SSL certificate warning because the certificate used by IIS Express is not trusted. Click the option in your browser which allows you to continue. When you deploy this project to Windows Azure, you won't see this warning because Windows Azure has a trusted certificate.
  6. Sign in with the organizational account you created.

  7. You are now logged in under the account you created.

Deploy the App to Windows Azure

  1. Create a new Web Site with a Database on the Windows Azure Portal. In the left pane, click on Web Sites, and then click the New button.
  2. Click on Custom Create.

  3. Publish the app to Windows Azure.
    Right click on the project and select Publish.
  4. On the Settings step, note that organizational authentication is enabled, and the directory access level is set to read. In the Database section, use the drop down control to set the connection string to the database.

  5. Navigate to the Windows Azure web site, and log on using the account you created. You no longer get a certificate warning.

Reading User Profile Information with the Graph API

The Visual Studio template for organizational accounts added a UserProfile action method and view.

public async Task<ActionResult> UserProfile()
    string tenantId = ClaimsPrincipal.Current.FindFirst(TenantSchema).Value;

    // Get a token for calling the Windows Azure Active Directory Graph
    AuthenticationContext authContext = new AuthenticationContext(String.Format(CultureInfo.InvariantCulture, LoginUrl, tenantId));
    ClientCredential credential = new ClientCredential(AppPrincipalId, AppKey);
    AuthenticationResult assertionCredential = authContext.AcquireToken(GraphUrl, credential);
    string authHeader = assertionCredential.CreateAuthorizationHeader();
    string requestUrl = String.Format(

    HttpClient client = new HttpClient();
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
    request.Headers.TryAddWithoutValidation("Authorization", authHeader);
    HttpResponseMessage response = await client.SendAsync(request);
    string responseString = await response.Content.ReadAsStringAsync();
    UserProfile profile = JsonConvert.DeserializeObject<UserProfile>(responseString);

    return View(profile);

Clicking the UserProfile link shows this profile data for the logged in user.

More Information

Author Information

Rick Anderson

Rick Anderson – Rick Anderson works as a programmer writer for Microsoft, focusing on ASP.NET MVC, Windows Azure and Entity Framework. You can follow him on twitter via @RickAndMSFT.