I was able to run this sample successfully from a commercial AD tenant and log in with users from multiple tenants. However, when I register the app in a government tenant and try to register as a user from a different AD tenant, I'm getting the following error:

Application with identifier '9240c326-325a-48e2-8382-0efde95ee41e' was not found in the directory sasdomain1.onmicrosoft.com

• I have followed all the steps in the instructions.
• I've taken the specific steps outlined for making it work in Azure Government.
• Once completed, I can log in with a user account in the government tenant that the app is registered but when attempting to log in with a user from a different AD tenant I get the above error.

The user's tenant allows users to consent to apps accessing company data on their behalf.
I have double-checked the app registration and the "availableToOtherTenants" flag is true.

Here is the error including the correlation ID from my last attempt:

Correlation ID: f7b94d33-0aa9-4ea4-b2b2-13184d9d0f37
--
Timestamp: 2017-12-21 14:58:19Z
AADSTS70001: Application with identifier '9240c326-325a-48e2-8382-0efde95ee41e' was not found in the directory sasdomain1.onmicrosoft.com

Any help would be greatly appreciated.

Signing up to an Azure AD tenant using user account without administrator rights results in ArgumentNullException, instead of showing error page to user.

URL: https://localhost:44302/Onboarding/ProcessCode?error=access_denied&error_description=AADSTS50020%3a+This+operation+can+only+be+performed+by+an+administrator.+Sign+out+and+sign+in+as+an+administrator+or+contact+one+of+your+organization%27s+administrators.%0d%0aTrace+ID%3a+9b74479f-9f79-410f-b8f9-b07b32054739%0d%0aCorrelation+ID%3a+d0b1675b-ddba-4e8f-be7a-742409c954f3%0d%0aTimestamp%3a+2014-06-23+08%3a13%3a26Z&state=e7fa069e-d053-44b1-8f50-664d162cd22b

Server Error in '/' Application.

Value cannot be null.
Parameter name: authorizationCode

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentNullException: Value cannot be null.
Parameter name: authorizationCode

Source Error:

Line 74:                                                                    ConfigurationManager.AppSettings["ida:Password"]);
Line 75:                 AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/common/");
Line 76:                 AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
Line 77:                     code, new Uri(Request.Url.GetLeftPart(UriPartial.Path)), credential);
Line 78: 

Source File: c:\Users\Jozef\Documents\GitHub\WebApp-MultiTenant-OpenIdConnect-DotNet\TodoListWebApp\Controllers\OnboardingController.cs
Line: 76

Stack Trace:

[ArgumentNullException: Value cannot be null.
Parameter name: authorizationCode]
   Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask(Task`1 task) +49
   Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenByAuthorizationCode(String authorizationCode, Uri redirectUri, ClientCredential clientCredential) +63
   TodoListWebApp.Controllers.OnboardingController.ProcessCode(String code, String error, String error_description, String resource, String state) in c:\Users\Jozef\Documents\GitHub\WebApp-MultiTenant-OpenIdConnect-DotNet\TodoListWebApp\Controllers\OnboardingController.cs:76
   lambda_method(Closure , ControllerBase , Object[] ) +297
   System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
   System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +156
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
   System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +22
   System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
   System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +50
   System.Web.Mvc.Async.<>c__DisplayClass48.<InvokeActionMethodFilterAsynchronouslyRecursive>b__41() +225
   System.Web.Mvc.Async.<>c__DisplayClass33.<BeginInvokeActionMethodWithFilters>b__32(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
   System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +26
   System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +100
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
   System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +13
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +36
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +54
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +39
   System.Web.Mvc.Controller.<BeginExecute>b__15(IAsyncResult asyncResult, Controller controller) +12
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +28
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +54
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +29
   System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
   System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +21
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +36
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +54
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +31
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9651188
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34209

I have downloaded active-directory-dotnet-webapp-multitenant-openidconnect project, but can't sign up, getting error

Additional technical information:

Correlation ID: 509e2036-18ee-4a86-90da-81cf14f20314
Timestamp: 2017-11-24 12:15:22Z
AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'IMPActiveDir' and cannot access the application '2e6c9ae2-8733-41a6-9e01-ec1e14061c7e' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

From my visual version 2015, run app -
I see the app and click "sign-in"
see my Azure registered App Name and proceed to sign-in
page switches to "Working..."
I have other examples working but can not get this Multi-Tenet one working - please help, Tim:
RESOLVED:
I had to use the below in web.config

from Swaroop

Does this need a SQL connection. I see the following error while signing up. In the following code. I am using Visual Studio 2015 preview if that helps. Seems like the entity framework is not configure correctly for me.

    // POST: /Onboarding/SignUp
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult SignUp([Bind(Include="ID,Name,AdminConsented")] Tenant tenant)
    {
        // generate a random value to identify the request
        string stateMarker = Guid.NewGuid().ToString();
        // store it in the temporary entry for the tenant, we'll use it later to assess if the request was originated from us
        // this is necessary if we want to prevent attackers from provisioning themselves to access our app without having gone through our onboarding process (e.g. payments, etc)
        tenant.IssValue = stateMarker;
        tenant.Created = DateTime.Now;
        db.Tenants.Add(tenant);  // exception from here.
        db.SaveChanges();

An exception of type 'System.Data.SqlClient.SqlException' occurred in EntityFramework.dll but was not handled in user code

Additional information: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 50 - Local Database Runtime error occurred. Cannot create an automatic instance. See the Windows Application event log for error details.

)

Would it be possible to add a "How to recreate this sample" section in the README.md like some of the other repos have?

Hi I have tested a lot of Sample Applications lately that uses Azure AD and/or Graph for User Authentication and user information. All Samples works perfectly on Development platform locally but as soon as you deploy to Azure Non of the samples are working.

This Sample for instance is lacing information of where the Task list Objects are stored.
I assume it is in Local DB. For deployment on Azure do one need to add a connectionstring to a Azure SQL database?

Please advice on how to get this sample work on Azure. I have followed the instructions provided but..... something is missing

Hi,
Would it be possible to build a version of this sample that uses OAuth V2 - the new MSAL libraries and the App Registration done via the app registration portal?

This is what I am trying to do and it has my head so demented at this stage!

Thanks

Donal

The current release of katana is 4.0+.
https://github.com/aspnet/AspNetKatana/

Using 3.0 pulls in System.IdentityModel.Tokens.Jwt 4.x, which is not compatible with 5.x.
Asp.Net Core uses S.IM.Tokens.Jwt 5.x so this makes migration from Katana to Core simpler and more direct.

You will need to update the project target to 4.5.1 or 4.5.2 as Katana 4.0 does not support 4.5.

Deployed to IIS to a non root folder like https://server/sites/sample and configured this as reply url. On trying to sign up, the login fails with the error
AADSTS70000: The redirect address 'https://server/Onboarding/ProcessCode' is not valid.
The redirection should have happened to https://server/sites/sample/Onboarding/ProcessCode instead.

Hi,
Is it possible to provide the database table scripts for this project?

I have created database on my local pc,
I replace base("TodoListWebAppContext") by base("Data Source=COM-59;Initial Catalog=ADMultiTenantDemo;User ID=sa;Password=manager;")
Now getting error Model compatibility cannot be checked because the database does not contain model metadata.

After submitting application in Azure AD, error during signup

please check screen shot.

In case using China Azure 'Mooncake', we should replace all ".windows.net" with ".chinacloudapi.cn" for the resource URLs including "login","sts" and "graph".

More reference: Developer Notes for Azure in China Applications http://msdn.microsoft.com/en-us/library/azure/dn578439.aspx

Test Passed.

I was trying to sign up using a different tenant, regular user account. Instead of a consent dialog got this:

Sorry, but we’re having trouble signing you in.
We received a bad request.

AADSTS70001: Application with identifier XXX was not found in the directory YYY.onmicrosoft.com

The suggested code is:

TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuer = false,
}

An alternative is to set the delegate: TokenValidationParameters.IssuerValidator

Control will be passed to this delegate that has a signature:
(string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)

The application can then make a dynamic decision determining if the issuer is valid.

Should a user from the same tenant need to sign up?
if the user simply signs in, unhandled exception is thrown

An exception of type 'System.IdentityModel.Tokens.SecurityTokenValidationException' occurred in TodoListWebApp.dll but was not handled in user code

Additional information: System error.

And why check in packages folder without dlls? Is this an established nuget workflow?

This sample works fine for me locally, but when I deploy to a Windows Azure data center (with an SSL certificate), the following errors occur when attempting to do a SignUp. Given there is a SqlException in the stack trace, I am wondering if there is some database configuration needed? Some Azure deployment tips would be really useful.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ComponentModel.Win32Exception: The system cannot find the file specified

[Win32Exception (0x80004005): The system cannot find the file specified]

[SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 52 - Unable to locate a Local Database Runtime installation. Verify that SQL Server Express is properly installed and that the Local Database Runtime feature is enabled.)]
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action1 wrapCloseInAction) +6564850 System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +815 System.Data.SqlClient.TdsParser.Connect(ServerInfo serverInfo, SqlInternalConnectionTds connHandler, Boolean ignoreSniOpenTimeout, Int64 timerExpire, Boolean encrypt, Boolean trustServerCert, Boolean integratedSecurity, Boolean withFailover) +6590016 System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover) +219 System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout) +6592544 System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance) +6592983 System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData) +878 System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) +1162 System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) +72 System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +6596173 System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) +103 System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) +2102 System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) +116
System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) +1079 System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource1 retry, DbConnectionOptions userOptions) +6600667
System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource1 retry) +233 System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource1 retry) +278
System.Data.SqlClient.SqlConnection.Open() +239
System.Data.Entity.Infrastructure.Interception.InternalDispatcher1.Dispatch(TTarget target, Action2 operation, TInterceptionContext interceptionContext, Action3 executing, Action3 executed) +207
System.Data.Entity.Infrastructure.Interception.DbConnectionDispatcher.Open(DbConnection connection, DbInterceptionContext interceptionContext) +438
System.Data.Entity.SqlServer.<>c__DisplayClass1.b__0() +15
System.Data.Entity.SqlServer.DefaultSqlExecutionStrategy.Execute(Func1 operation) +263 System.Data.Entity.SqlServer.SqlProviderServices.UsingConnection(DbConnection sqlConnection, Action1 act) +391
System.Data.Entity.SqlServer.SqlProviderServices.UsingMasterConnection(DbConnection sqlConnection, Action1 act) +749 System.Data.Entity.SqlServer.SqlProviderServices.DbCreateDatabase(DbConnection connection, Nullable1 commandTimeout, StoreItemCollection storeItemCollection) +314
System.Data.Entity.Migrations.Utilities.DatabaseCreator.Create(DbConnection connection) +281
System.Data.Entity.Migrations.DbMigrator.EnsureDatabaseExists(Action mustSucceedToKeepDatabase) +230
System.Data.Entity.Internal.DatabaseCreator.CreateDatabase(InternalContext internalContext, Func3 createMigrator, ObjectContext objectContext) +130 System.Data.Entity.Database.Create(DatabaseExistenceState existenceState) +267 System.Data.Entity.DropCreateDatabaseIfModelChanges1.InitializeDatabase(TContext context) +214
System.Data.Entity.Internal.InternalContext.PerformInitializationAction(Action action) +66
System.Data.Entity.Internal.InternalContext.PerformDatabaseInitialization() +596
System.Data.Entity.Internal.RetryAction1.PerformAction(TInput input) +208 System.Data.Entity.Internal.LazyInternalContext.InitializeDatabaseAction(Action1 action) +266
System.Data.Entity.Internal.InternalContext.GetEntitySetAndBaseTypeForType(Type entityType) +39
System.Data.Entity.Internal.Linq.InternalSet1.Initialize() +72 System.Data.Entity.Internal.Linq.InternalSet1.get_InternalContext() +21
System.Data.Entity.Internal.Linq.InternalSet1.ActOnSet(Action action, EntityState newState, Object entity, String methodName) +92 System.Data.Entity.Internal.Linq.InternalSet1.Add(Object entity) +165
System.Data.Entity.DbSet1.Add(TEntity entity) +70 TodoListWebApp.Controllers.OnboardingController.SignUp(Tenant tenant) in c:\dev\ESG\Broadway\src\main\ProofOfConcept\WebApp-MultiTenant\TodoListWebApp\Controllers\OnboardingController.cs:40 lambda_method(Closure , ControllerBase , Object[] ) +127 System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) +217
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +39 System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +12 System.Web.Mvc.Async.WrappedAsyncResult2.CallEndDelegate(IAsyncResult asyncResult) +139
System.Web.Mvc.Async.AsyncInvocationWithFilters.b__3d() +112
System.Web.Mvc.Async.<>c__DisplayClass46.b__3f() +452
System.Web.Mvc.Async.<>c__DisplayClass33.b__32(IAsyncResult asyncResult) +15
System.Web.Mvc.Async.<>c__DisplayClass2b.b__1c() +32
System.Web.Mvc.Async.<>c__DisplayClass21.b__1e(IAsyncResult asyncResult) +231
System.Web.Mvc.Controller.b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +29
System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +111 System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +53 System.Web.Mvc.Async.WrappedAsyncVoid1.CallEndDelegate(IAsyncResult asyncResult) +19
System.Web.Mvc.MvcHandler.b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +51
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +111
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +606
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288

can you update this code to work with latest version of Microsoft.Identity.Client.dll which is a Preview version (v1.1.0-preview), currently available?

Since the administrator of the tenant has already provided permission "Enable sign-on and read users' profiles" on the Azure portal, he should not be asked fro consent when he tries to sign up

hi,
i have created another tenant, but when i tried to sign in with that its not working.

In my Azure Active directory, i created new directory with new domain, do i need to assing any application to it. i get exception as

An exception of type 'System.IdentityModel.Tokens.SecurityTokenValidationException' occurred in TodoListWebApp.dll but was not handled in user code

what could be the reason

Hi ,

I have configured the applciation and Azure portal as per description but not able to login with different tenant user .
I can login only with the user of tenant whose client id is configured in application ..

I have using azure AD login option for office 365, I am using 2 separate client applications in my Azure AD for my production and development site, like below,
production: https://[email protected] (secured site)
development: http://[email protected]:88 (not secured)

the login works fine when login into the sites separately but getting an error while following below steps,

1. if I login into my production site, my development site not works.
2. The only difference we can notice is.ASPXAUTH cookie has been created while login into the production site.

until log out the production site, I can't login into the development site.
please suggest your solutions fix this.
The issue am facing is, after logged in from office 365 it redirects to below url http://[email protected]:88/members/register?returnUrl=http://[email protected]:88/
but it needs to be redirected to http://[email protected]:88 this link.

public static void ConfigureAuth(IAppBuilder app)
        {
            app.UseKentorOwinCookieSaver();
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,
                    RedirectUri = redirectUri,
                    UseTokenLifetime = false,
                    Notifications = new OpenIdConnectAuthenticationNotifications
                    {
                        SecurityTokenValidated = context =>
                        {
                            string returnUrl = context.AuthenticationTicket.Properties.RedirectUri;
                            context.AuthenticationTicket.Properties.RedirectUri = "/members/register?returnUrl="+ returnUrl; 
                            return Task.FromResult(0);
                        },
                        AuthenticationFailed = context =>
                        {
                            if (context.Exception.Message.StartsWith("OICE_20004") || context.Exception.Message.Contains("IDX10311"))
                            {
                                context.SkipToNextMiddleware();
                                context.Response.Redirect("/members/logon");
                                return Task.FromResult(0);
                            }

                            return Task.FromResult(0);
                        }
                    }
                });
        }
    }
}`

```

Hi,

Thanks for sharing the knowledge.

I have a question. Can we have an app-to-app(no user) system with multi-tenancy?

E.g. ClientApp1 Calls ServerApp with one tenant and ClientApp2 calls with another tenant? So ServerApp and both the ClientApp's are all in different tenant directories.

Thanks

how can i give grant permission page based on query string of permission.
Because i have requirement that some customers might only allow read only and some might allow read&write permission.
So i would like to have a way to give consent page based on querystring of permissions.
As of now i don't see any way to do it. So do i have to create multiple AD application with different application permission?

I've downloaded a zipped version of the code and just replaced the client Id and Password. I tried to login with my live Id who is also a user in my AAD, it returned a system error?

I have found the same issue with another sample, what we are trying to do basically is that we have lots of users part of our AAD added with live/outlook accounts. While login with regular AAD login works, users with live Ids and outlook Ids are not able to get the user token, is this a know thing or are we doing anything incorrectly?