Question

I have a multi-tenant website built in asp.net and hosted on Azure.

I want to have a login form that connects to AD to validate a login. I already have the code to do this connecting to a local AD, when hosted in house but now I will want to do it on Azure.

The curveball in this scenario is I want to sync a local AD with Azure AD but each client will have their own local AD.

My question is, how do you sync multiple clients' ADs (in different domains) to a single Azure AD, then validate on ASP.NET with the Azure AD? Can this be done?


Solution

Re: "The curveball in this scenario is I want to sync a local AD with Azure AD but each client will have their own local AD." I don't know enough about AD to know whether this makes sense directly, but the overall scenario (multi-tenant apps in Azure that allow clients from different ADs to authenticate cleanly in the cloud with the same credentials they use in on-prem AD) can be accomplished.

  1. Have each on-prem AD sync with Azure Active Directory. This is done through AAD DirSync tool that each site would need to implement. This (at a minimum) will securely copy key directory properties to AAD for use in the cloud (name, email, a password hash). Note that the AAD instance is unique to each tenant.
  2. Set up a multi-tenant application in ASP.NET. If you have the very latest toolstack for VS, you can do this conveniently within Visual Studio - there's a page in the File New > ASP.NET Application flow that has a button to change the authentication method. Change it to Organization & Multi-tenant. This will update the settings in AAD (which you can then check in the portal in the Active Directory section under manage.windowsazure.com). This should at least show the basic steps. (Be prepared to log into the AAD associated with your app as Global Admin from within Visual Studio since establishing the trust to the app is a privileged operation - and can be adjusted in the portal (such as to add production endpoints).)

Now when you run this application there will be a discovery step - Home Realm Discovery (HRD) - where the end-user logs in with an email (adam@foo.com) which AAD will use to figure out which of the tenants this person is coming from (foo.com, not bar.com) and complete the login flow.

HTH.
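Added example, not code from the answer above or from Microsoft's samples: the OWIN OpenID Connect configuration for step 2, using the "common" authority so Home Realm Discovery picks the user's tenant, plus the check a multi-tenant app needs because "common" accepts a sign-in from any Azure AD tenant. The client ID and the tenant allow-list are placeholders; in a real app the list comes from your tenant database written during onboarding.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;          // TokenValidationParameters, SecurityTokenValidationException
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholder: the Client ID the portal assigned when the app was registered as multi-tenant.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    // The "common" endpoint performs Home Realm Discovery: it accepts a user from ANY Azure AD tenant.
    private const string Authority = "https://login.microsoftonline.com/common";
    // Constructed allow-list of tenant IDs (the "tid" GUID of each customer's AAD) that have signed up.
    // In a real app this comes from the tenant table written during onboarding / admin consent.
    private static readonly HashSet<string> OnboardedTenants = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "11111111-1111-1111-1111-111111111111", // foo.com's AAD tenant (placeholder value)
    };

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            TokenValidationParameters = new TokenValidationParameters
            {
                // With "common" the issuer differs per tenant, so the middleware cannot pin one value;
                // disabling this is only acceptable because the tenant is validated explicitly below.
                ValidateIssuer = false,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = context =>
                {
                    // Signature, audience and lifetime are already checked; now enforce which tenants we trust.
                    var tid = context.AuthenticationTicket.Identity
                        .FindFirst("http://schemas.microsoft.com/identity/claims/tenantid");
                    if (tid == null || !OnboardedTenants.Contains(tid.Value))
                        throw new SecurityTokenValidationException("Tenant is not onboarded.");
                    return Task.FromResult(0);
                },
            },
        });
    }
}
```

Without the tenant check, every Azure AD user on the planet can sign in to the app; the check turns "any tenant" into "only the tenants you have provisioned".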

OTHER TIPS

You won't be able to sync multiple on-prem AD domains into one single Azure AD (and you probably don't want to either) using DirSync. FIM will let you do this, but it is designed for customers where a single customer has multiple domains/forests, not as a multi-tenant platform.

Use the multi-tenancy authentication option as @codingoutloud suggests. Look into the new SAML authentication options for Office365 (here: http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/). For customers who simply don't want to sync their AD you could have them implement on-prem ADFS, which is also able to support SAML.

Licensed under: CC-BY-SA with attribution