The answer depends on what protocol and identity middleware/framework you're using to sign in to Azure AD. If you built your app in VS2012 and used the Identity and Access tool to connect it to Azure AD, you're probably using WS-Federation (protocol) and Windows Identity Foundation (WIF) 4.5 (framework). The same applies if you're using VS2013 and clicked the "Change Authentication" button when creating a new web application, then signed in to your Azure AD directory. For these scenarios, you should know that WIF uses HTTP modules to handle WS-Fed and session management, and you need to interact with the session module to end a user's session and sign them out. To just sign the user out from the application (which clears their federated auth cookie), you need to invoke the SignOut()
method on the session module like shown:
FederatedAuthentication.SessionAuthenticationModule.SignOut();
If you want single sign-out, which signs the user out of all the applications they're currently signed into with Azure AD, WS-Federation has its own sign out flow that involves sending a specific sign-out message back to Azure AD to let it know that the user has signed out. See this topic for more info and scroll down to the section about sign out.
If you are using VS2013 and OWIN authentication middleware, you just need to get the current OWIN context's authentication "manager" and call its SignOut()
method, something like shown:
HttpContext.GetOwinContext().Authentication.SignOut()