Building a Multi-tenant Application with Windows Azure Active Directory (Single Sign-on, Graph access and Role based Authorization)

We have just updated the Multi-tenant sample application for Windows Azure AD. The sample application shows how to add the following capabilities using Windows Azure AD:

  • Enable customers from different tenants to sign up for your application.
  • Single Sign-on with Windows Azure AD.
  • Adding Claims based on information in AD fetched via Azure AD Graph API and using the Claims for Authorization.
  • Access and manage Windows Azure AD data through Graph API.

We have published a walkthrough that takes you through the steps required for creating this sample. Let us know if you have any feedback on the walk through or the sample. 

Comments (6)

  1. Hi,

    I keep getting the following error message:

    Access cannot be granted to this service because the service listing is not properly configured by the publisher.  

    An error has occurred while processing this application. Please try again later.  

     support information

    Correlation ID:


    Error code:


    I have double checked my clientId and app domain but keep getting the above error.

  2. Leon,

    At what step are you hitting this error? When you are trying "Grant Access" or after that?



  3. Hi Srikanth,

    It is at the point where I need to grant access. In other words, the error is displayed right after I have logged into Azure AD.



  4. The most probable cause is that the ReturnURL that you specified to the Consent Page is not under the ReturnURL that you registered your application with. In sample application, the return URL for consent is constructed as follows: ConsentReturnUrl=@HttpUtility.UrlEncode(System.Text.Encoding.UTF8.GetBytes("https://localhost:44309/Account/HandleSignupConsentResponse")) which makes an assumption that your return URL is under local host. We should be picking this from web.config. We will fix it from our end. See if changing the Return URL to match your application settings fixes the problem for you.



  5. Hi Srikanth,

    I replaced the old url with the following and that is working – you will notice it is quite different from the old url:["ClientId"]&ConsentReturnURL=@System.Configuration.ConfigurationManager.AppSettings["ConsentUrl"]


  6. Mark says:

    Hi Azure Team, please give me some help

    I was following the three steps tutorial




    my application is on, with the source code from your sample application

    I experience following issues under step2

    I log in as global administrator with role "company administrator", I am able to create/edit user/group/role, but receive "request_denied, insuffient priveledge to perform the action" exception when I try to delete user/group, assign role to user. the application itself is granted with "read/write" access from the AD

    I experience following issues under step3

    A. as described from this tutorial, I need a seller account in order to provide multiple tenant service, but there is no such information at…/dn151789.aspx, which one is correct

    B. I am receiving following exception after I successfully login as global administrator from my Azure AD, the "Grant Access" dialog pops up and displays following exception: (I was never given the chance to grant the access)

    Sorry! We can't process your request right now

    The service is temporarily offline for scheduled maintenance or we're investigating a problem. We're working to get it back online as quickly as possible.

    Correlation ID:


    One more question:

    regarding the graph API, I assume that bulding "subgroup" relationship between groups is nothing more than having a link with property "subgroup"?



Skip to main content