To test your application in Visual Studio, press F5 to run your project. The browser opens to the http://localhost:{port} location and you see the Sign in with Microsoft button. Select the button to start the sign-in process.
When you're ready to run your test, use a Microsoft Azure Active Directory (Azure AD) account (work or school account) or a personal Microsoft account (live.com or outlook.com) to sign in.
After you sign in, the user is redirected to the home page of your website. The home page is the HTTPS URL that is specified in your application registration information in the Microsoft Application Registration Portal. The home page includes a welcome message "Hello <User>," a link to sign out, and a link to view the user’s claims. The link for the user's claims browses to the Authorize controller that you created earlier.
To see the user's claims, select the link to browse to the controller view that is available only to authenticated users.
After you browse to the controller view, you should see a table that contains the basic properties for the user:
| Property | Value | Description |
|---|---|---|
| Name | User's full name | The user's first and last name. |
| Username | user@domain.com | The username that is used to identify the user. |
| Subject | Subject | A string that uniquely identifies the user across the web. |
| Tenant ID | Guid | A GUID that uniquely represents the user's Azure AD organization. |
In addition, you should see a table of all claims that are in the authentication request. For more information, see the list of claims that are in an Azure AD ID Token.
To test access to the Authorize controller for the user's claims as an anonymous user, follow these steps:
- Select the link to sign out the user and complete the sign-out process.
- In your browser, type http://localhost:{port}/authenticated to access your controller that is protected with the Authorize attribute.
You're prompted to authenticate to use the protected controller view.
To protect your entire website, in the Global.asax file, add the AuthorizeAttribute attribute to the GlobalFilters filter in the Application_Start method:
```csharp
// Global.asax.cs, inside Application_Start: require an authenticated user for every controller action
GlobalFilters.Filters.Add(new AuthorizeAttribute());
```
By default, personal accounts like outlook.com, live.com, and others can sign in to your application. Work or school accounts in organizations that are integrated with Azure AD can also sign in by default.
To restrict user sign-in access for your application, several options are available.
You can restrict sign-in access for your application to only user accounts that are in a single Azure AD organization:
- In the web.config file, change the value for the Tenant parameter. Change the value from Common to the tenant name of the organization, such as contoso.onmicrosoft.com.
- In your OWIN Startup class, set the ValidateIssuer argument to true.
You can restrict sign-in access to only user accounts that are in an Azure AD organization that is in the list of allowed organizations:
- In your OWIN Startup class, set the ValidateIssuer argument to true.
- Set the value of the ValidIssuers parameter to the list of allowed organizations.
You can implement a custom method to validate issuers by using the IssuerValidator parameter. For more information about how to use this parameter, read about the TokenValidationParameters class on MSDN.
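The following OWIN Startup class is an added example, not code from the quickstart itself. It shows the allow-list approach (ValidateIssuer plus ValidIssuers) together with a custom IssuerValidator method that enforces the same allow-list and can be swapped in when the list must be computed at runtime. It assumes the Microsoft.Owin.Security.OpenIdConnect 4.x package (which uses Microsoft.IdentityModel.Tokens), the quickstart's web.config key names (ida:ClientId, ida:RedirectUri), and the placeholder tenant IDs shown; the MyWebApp namespace is likewise an assumption.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MyWebApp.Startup))]

namespace MyWebApp
{
    public class Startup
    {
        // Tenant IDs (GUIDs) of the organizations allowed to sign in. Placeholder values, not real tenants.
        private static readonly string[] AllowedTenantIds =
        {
            "00000000-0000-0000-0000-000000000001",
            "00000000-0000-0000-0000-000000000002",
        };

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // Azure AD v2.0 ID tokens carry an issuer of the form
            // https://login.microsoftonline.com/{tenantId}/v2.0, so the allow-list of tenants
            // becomes an allow-list of issuer URLs.
            string[] validIssuers = AllowedTenantIds
                .Select(tenantId => "https://login.microsoftonline.com/" + tenantId + "/v2.0")
                .ToArray();

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ConfigurationManager.AppSettings["ida:ClientId"],
                // The authority stays "common" so users from any allowed tenant can sign in;
                // the restriction is enforced by issuer validation, not by the authority.
                Authority = "https://login.microsoftonline.com/common/v2.0",
                RedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"],
                Scope = "openid profile",
                ResponseType = "id_token",
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Leaving ValidateIssuer false (as in the multi-tenant "common" setup) would accept
                    // a token from any Azure AD tenant. With it true, the issuer must match ValidIssuers.
                    ValidateIssuer = true,
                    ValidIssuers = validIssuers,
                    NameClaimType = "name",
                    // Alternative: replace ValidIssuers with the custom check below. When IssuerValidator
                    // is set, the middleware calls it instead of comparing against ValidIssuers.
                    // IssuerValidator = ValidateTenantIssuer,
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = context =>
                    {
                        // A rejected issuer surfaces here as a SecurityTokenInvalidIssuerException.
                        // Stop the middleware from issuing a cookie and show a generic error page.
                        context.HandleResponse();
                        context.Response.Redirect("/Error");
                        return Task.FromResult(0);
                    }
                }
            });
        }

        // Custom validator for the IssuerValidator parameter. It returns the issuer when the tenant
        // segment of the issuer URL is on the allow-list and throws SecurityTokenInvalidIssuerException
        // otherwise, which is the contract the TokenValidationParameters delegate expects.
        private static string ValidateTenantIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
        {
            Uri issuerUri;
            if (Uri.TryCreate(issuer, UriKind.Absolute, out issuerUri)
                && issuerUri.Scheme == Uri.UriSchemeHttps
                && string.Equals(issuerUri.Host, "login.microsoftonline.com", StringComparison.OrdinalIgnoreCase)
                && issuerUri.Segments.Length == 3)   // "/", "{tenantId}/", "v2.0"
            {
                string tenantId = issuerUri.Segments[1].TrimEnd('/');
                if (AllowedTenantIds.Contains(tenantId, StringComparer.OrdinalIgnoreCase))
                {
                    return issuer;
                }
            }

            throw new SecurityTokenInvalidIssuerException("Issuer is not an allowed tenant: " + issuer)
            {
                InvalidIssuer = issuer
            };
        }
    }
}
```

Use ValidIssuers when the allowed organizations are fixed at deployment time; use IssuerValidator when they are read from a store or must be parsed rather than matched exactly. Either way, keep ValidateIssuer set to true, because with it false the middleware skips issuer checks entirely and any Azure AD tenant can sign in.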