You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+4-25Lines changed: 4 additions & 25 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -73,7 +73,7 @@ In this step, you configure your *TodoListClient* project by registering a new a
73
73
74
74
### Step 7: Pre-authorize your client application
75
75
76
-
One of the ways to allow users from other directories to acces your Web API is by *pre-authorizing* the client applications to access your Web API by adding the Application Ids from client applications in the list of *pre-authorized* applications for your Web API. In order to do this:
76
+
One of the ways to allow users from other directories to acces your Web API is by *pre-authorizing* the client applications to access your Web API by adding the Application Ids from client applications in the list of *pre-authorized* applications for your Web API. By adding a pre-authorized client, you will not require user to consent to use your Web API. Follow the steps below to pre-authorize your Web Application::
77
77
78
78
1. Go back to the *Application registration portal* and open the properties of your **TodoListService**.
79
79
1. In the **Web API platform**, click on **Add application** under the *Pre-authorized applications* section.
@@ -88,7 +88,7 @@ One of the ways to allow users from other directories to acces your Web API is b
88
88
89
89
## Optional: Restrict sign-in access to your application
90
90
91
-
By default, when download this code sample and configure the application to use the Azure Active Directory v2 endpoint following the preceeding steps, both personal accounts - like outlook.com, live.com, and others - as well as Work or school accounts from any organizations that are integrated with Azure AD can sign in to your application. This is typically used on SaaS applications.
91
+
By default, when download this code sample and configure the application to use the Azure Active Directory v2 endpoint following the preceeding steps, both personal accounts - like outlook.com, live.com, and others - as well as Work or school accounts from any organizations that are integrated with Azure AD can request tokens and access your Web API.
92
92
93
93
To restrict who can sign in to your application, use one of the options:
94
94
@@ -97,29 +97,8 @@ To restrict who can sign in to your application, use one of the options:
97
97
You can restrict sign-in access for your application to only user accounts that are in a single Azure AD tenant - including *guest accounts* of that tenant. This scenario is a common for *line-of-business applications*:
98
98
99
99
1. In the **web.config** file of your **TodoListService**, change the value for the `Tenant` parameter from `Common` to the tenant name of the organization, such as `contoso.onmicrosoft.com` or the *Tenant Id*.
100
-
2.In your [OWIN Startup class](#configure-the-authentication-pipeline), set the `ValidateIssuer` argument to `true`.
100
+
2.Open **App_Start\Startup.Auth** file and set the `ValidateIssuer` argument to `true`.
101
101
102
-
### Option 2: Restrict access to a list of known organizations
103
-
104
-
You can restrict sign-in access to only user accounts that are in an Azure AD organization that is in the list of allowed organizations:
105
-
106
-
1. In your [OWIN Startup class](#configure-the-authentication-pipeline), set the `ValidateIssuer` argument to `true`.
107
-
2. Set the value of the `ValidIssuers` parameter to the list of allowed organizations.
108
-
109
-
### Option 3: Restrict the categories of users that can sign-in to your application
110
-
111
-
This scenario is a common for *SaaS* applications that are focused on either consumers or organizations, therefore want to block accepting either personal accounts or work or school accounts.
112
-
113
-
1. In the **web.config** file of your **TodoListService**, use on of the values below for `Tenant` parameter:
114
-
115
-
Value | Description
116
-
----- | --------
117
-
`common` | Users can sign in with any Work and School account, or Microsoft Personal account
118
-
`organizations` | Users can sign in with any Work and School account
119
-
`consumers` | Users can sign in with a Microsoft Personal account
120
-
121
-
> Note: the values above are not considered a *tenant*, but a *convention* to restrict certain categories of users
122
-
123
-
#### Option 4: Use a custom method to validate issuers
102
+
#### Option 2: Use a custom method to validate issuers
124
103
125
104
You can implement a custom method to validate issuers by using the **IssuerValidator** parameter. For more information about how to use this parameter, read about the [TokenValidationParameters class](https://msdn.microsoft.com/library/system.identitymodel.tokens.tokenvalidationparameters.aspx) on MSDN.
0 commit comments