Azure AD Multi-Tenant Single Sign-On (SSO) for ASP.NET Applications

What is Azure AD multi-tenant?

Azure Multi-tenant refers to a mode of operation in which a single instance of an Azure service or application serves multiple customers, known as tenants, in a shared environment. In this mode, each tenant is isolated from one another, and the user data of one tenant are inaccessible to other tenants.

Azure multi-tenant also provides benefits such as increased scalability and cost-effectiveness, as physical resources such as storage can be shared across multiple tenants, and the ability to quickly onboard new customers and expand services to new markets. However, it also requires careful design and management to ensure that tenant data and resources are properly isolated and secured.

Steps to configure Azure AD multi-tenant Single Sign-On (SSO)

1. Configure multi-tenancy in Azure AD

• Log in to Azure AD Portal as an admin.
• Select Azure Active Directory.

• Select App registrations.

• Click on New registration.

• Assign a name and choose the supported account types as Accounts in any orgnaizational directory (Any Azure AD directory - Multitenant).
• In the Redirect URL field, provide the ACS URL provided in the Service Provider Metadata tab of the plugin and click on the Register button.

• Navigate back to the Overview tab of your active directory, copy the Primary Domain and keep it handy.

• Copy the Application ID from the configured app and keep it handy.

• Navigate to Expose an API from the left menu panel.

• Click the Set button and replace the APPLICATION ID URL with https://Primary_Domain/Appication-Id that you have copied previously and click on Save.

• Go to the Authentication tab in the left panel and select ID Tokens (Used for implicit and Hybrid flows) option also make sure supported account types is Accounts in any orgnaizational directory (Any Azure AD directory - Multitenant) then click on Save.

• Navigate to API Permissions ⇒ Add Permission and select Microsoft Graph.

• Click on Application permission, then search for User.Read.All once the option is selected then click on Add permissions button.

• To proceed further click on Grant Admin Consent for Demo.

• Go back to Azure Active Directory ⇒ App Registrations window and click on Endpoints.

• This will navigate up to a window with multiple URLs.
• Copy the Federation metadata document URL to get the endpoints required for configuring your service provider.

2. Configure ASP.NET as Service Provider

• Paste the Federation Metadata URL in the Service Provider Setup tab of the plugin and click on Fetch Metadata.

• In the IdP configuration settings, check the Multi-Tenant Application option.

• Paste the Application ID URI from the Expose an API tab and paste it in the SP Entity ID/ Issuer under the Service Provider tab.

• Also replace the SAML Login URl and SAML Logout URl with https://login.microsoft.com/common/saml2 then click on save.

• Go to the Login Settings section, under the Additional Configuration setting, choose to restrict or allow particular tenant IDs to perform Single Sign-On and add the comma-seperated tenant IDs.

• Click on the test configuration and login with the tenant admin for the first time to allow the SSO login for that tenant.

We have successfully configured Microsoft Entra ID (formerly Azure AD) as an multi-tenant application as well as configured SAML Single Sign-On (SSO) for ASP.NET application as service provider and Azure Active Directory as an identity provider. We can also configure SAML Single Sign-On (SSO) for ASP.NET applications using various identity providers such as ADFS, Okta, Google, Auth0, PingFederate, Microsoft365, Salesforce and many more. To check other identity providers, click here.

Additional Resources

• ASP.NET SAML Single Sign-On (SSO)
• ASP.NET SAML SSO using Azure AD as IDP
• Frequently Asked Questions (FAQs)