Building a Multi-tenant Application with Windows Azure Active Directory (Single Sign-on, Graph access and Role based Authorization)

We have just updated the Multi-tenant sample application for Windows Azure AD. The sample application shows how to add the following capabilities using Windows Azure AD:

  • Enable customers from different tenants to sign up for your application.
  • Single Sign-on with Windows Azure AD.
  • Add claims based on information in AD fetched via the Azure AD Graph API, and use those claims for authorization.
  • Access and manage Windows Azure AD data through the Graph API.

We have published a walkthrough that takes you through the steps required for creating this sample. Let us know if you have any feedback on the walkthrough or the sample.

Comments

  • Anonymous
    March 27, 2013
    Hi,
    I keep getting the following error message:
    Access cannot be granted to this service because the service listing is not properly configured by the publisher.  An error has occurred while processing this application. Please try again later.
    support information
    Correlation ID:EUS#6341d8bb-731d-4303-b978-044eeb4edfe8
    Error code:1028
    I have double checked my clientId and app domain but keep getting the above error.
  • Anonymous
    April 02, 2013
    Leon,
    At what step are you hitting this error? When you are trying "Grant Access" or after that?
    Thanks
    Srikanth
  • Anonymous
    April 03, 2013
    Hi Srikanth,
    It is at the point where I need to grant access. In other words, the error is displayed right after I have logged into Azure AD.
    Thanks,
    Leon
  • Anonymous
    April 03, 2013
    The most probable cause is that the ReturnURL that you specified to the Consent Page is not under the ReturnURL that you registered your application with. In the sample application, the return URL for consent is constructed as follows:
    ConsentReturnUrl=@HttpUtility.UrlEncode(System.Text.Encoding.UTF8.GetBytes("https://localhost:44309/Account/HandleSignupConsentResponse"))
    which makes an assumption that your return URL is under localhost. We should be picking this from web.config. We will fix it from our end. See if changing the Return URL to match your application settings fixes the problem for you.
    Thanks
    Srikanth
  • Anonymous
    April 18, 2013
    Hi Srikanth,
    I replaced the old URL with the following and that is working - you will notice it is quite different from the old URL:
    go.microsoft.com/fwLink["ClientId"]&ConsentReturnURL=@System.Configuration.ConfigurationManager.AppSettings["ConsentUrl"]
    Leon
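
A pre-deployment check for the mismatch discussed in the two comments above, as an added example that is not part of the sample application or either commenter's code: it tests whether a consent return URL lies under the registered reply URL. The class and method names and the sample URLs are constructed, and the comparison (same scheme, host and port, then a path prefix on a segment boundary) is an assumption about what "under" means, not the service's documented rule.

```csharp
using System;

static class ConsentReturnUrlCheck
{
    // True when candidate equals the registered reply URL or is a path beneath it.
    // Hypothetical helper; in the app, candidate would come from configuration
    // (e.g. the AppSettings["ConsentUrl"] value mentioned in the thread).
    public static bool IsUnderRegisteredUrl(string registered, string candidate)
    {
        Uri reg, cand;
        if (!Uri.TryCreate(registered, UriKind.Absolute, out reg) ||
            !Uri.TryCreate(candidate, UriKind.Absolute, out cand))
            return false;

        // Scheme, host and port must match; Uri normalises case and default ports,
        // so a look-alike host such as "contoso.example.other.test" fails here.
        if (Uri.Compare(reg, cand, UriComponents.SchemeAndServer,
                        UriFormat.UriEscaped, StringComparison.OrdinalIgnoreCase) != 0)
            return false;

        // Compare on a segment boundary so "/app" does not match "/application".
        // Uri has already collapsed "." and ".." segments in AbsolutePath.
        string regPath = reg.AbsolutePath.TrimEnd('/') + "/";
        string candPath = cand.AbsolutePath.TrimEnd('/') + "/";
        return candPath.StartsWith(regPath, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Constructed values: "registered" stands in for the URL the app was registered with.
        string registered = "https://contoso.example/";
        string[] candidates = {
            "https://contoso.example/Account/HandleSignupConsentResponse",
            "https://localhost:44309/Account/HandleSignupConsentResponse",
            "https://contoso.example.other.test/Account/HandleSignupConsentResponse",
        };
        foreach (string c in candidates)
            Console.WriteLine("{0} -> {1}", c,
                IsUnderRegisteredUrl(registered, c) ? "ok" : "mismatch");
    }
}
```

Run at application start or in a deployment test, a check like this surfaces a hard-coded localhost return URL before users reach the consent page.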
  • Anonymous
    August 13, 2013
    Hi Azure Team, please give me some help.
    I was following the three-step tutorial:
    step1: msdn.microsoft.com/.../dn151790.aspx
    step2: msdn.microsoft.com/.../dn151791.aspx
    step3: msdn.microsoft.com/.../dn151789.aspx
    My application is on adacldemo.azurewebsites.net, with the source code from your sample application.
    I experience the following issues under step2:
    I log in as global administrator with role "company administrator". I am able to create/edit user/group/role, but receive a "request_denied, insuffient priveledge to perform the action" exception when I try to delete user/group, assign role to user. The application itself is granted "read/write" access from the AD.
    I experience the following issues under step3:
    A. As described in this tutorial, I need a seller account in order to provide multiple tenant service, but there is no such information at msdn.microsoft.com/.../dn151789.aspx. Which one is correct?
    B. I am receiving the following exception after I successfully log in as global administrator from my Azure AD. The "Grant Access" dialog pops up and displays the following exception (I was never given the chance to grant the access):
    Sorry! We can't process your request right now
    The service is temporarily offline for scheduled maintenance or we're investigating a problem. We're working to get it back online as quickly as possible.
    Correlation ID:NEU#2ea64359-b4d6-446f-b819-dec99a0d20cf
    One more question:
    Regarding the graph API, I assume that building a "subgroup" relationship between groups is nothing more than having a link with property "subgroup"?
    Regards
    Mark