Azure-Samples
diff --git a/‎1-WebApp-OIDC/1-1-MyOrg/README.md
Lines changed: 26 additions & 22 deletions b/‎1-WebApp-OIDC/1-1-MyOrg/README.md
Lines changed: 26 additions & 22 deletions
diff --git a/‎1-WebApp-OIDC/1-2-AnyOrg/README-1-1-to-1-2.md
Lines changed: 104 additions & 0 deletions b/‎1-WebApp-OIDC/1-2-AnyOrg/README-1-1-to-1-2.md
Lines changed: 104 additions & 0 deletions
@@ -6,7 +6,7 @@ level: 100
 client: ASP.NET Core Web App
 endpoint: AAD v2.0
 ---
-# Build an ASP.NET Core Web app signing-in users with the Microsoft identity platform
+# An ASP.NET Core Web app signing-in users with the Microsoft identity platform in your organization
 
 > This sample is for Azure AD, not Azure AD B2C. See [active-directory-b2c-dotnetcore-webapp](https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp), until we incorporate the B2C variation in the tutorial.
 
@@ -18,7 +18,8 @@ This sample shows how to build a .NET Core 2.2 MVC Web app that uses OpenID Conn
 
 ![Sign in with Azure AD](ReadmeFiles/sign-in.png)
 
-> This is the first phase of a set of tutorials. Once you understand how to sign-in users in an ASP.NET Core Web App with Open Id Connect, can learn how to enable your [Web App to call a Web API on behalf of the signed-in user](../../2-WebApp-graph-user) in a later chapter
+> This is the first chapter of this ASP.NET Core Web App tutorial. Once you understand how to sign-in users in an ASP.NET Core Web App with Open Id Connect, can learn how to enable your [Web App to call a Web API on behalf of the signed-in user](../../2-WebApp-graph-user) in a later chapter.
+  You can also sign-in users in any or several Azure Active Directory organizations, and even with Microsoft personal accounts or social identities. For more details the parent directory's [Readme.md](../Readme.md)
 
 ## How to run this sample
 
@@ -35,15 +36,15 @@ There is one project in this sample. To register it, you can:
   1. On Windows run PowerShell and navigate to the solution's folder
   2. In PowerShell run:
 
-  ```PowerShell
-  Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
-  ```
+     ```PowerShell
+     Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
+     ```
 
   3. Run the script to create your Azure AD application and configure the code of the sample application accordinly
 
-  ```PowerShell
-  .\AppCreationScripts\Configure.ps1
-  ```
+     ```PowerShell
+     .\AppCreationScripts\Configure.ps1
+     ```
 
    > Other ways of running the scripts are described in [App Creation Scripts](./AppCreationScripts/AppCreationScripts.md)
 
@@ -75,8 +76,8 @@ As a first step you'll need to:
        - `https://localhost:44321/signin-oidc`
    - In the **Advanced settings** section set **Logout URL** to `https://localhost:44321/signout-oidc`
    - In the **Advanced settings** | **Implicit grant** section, check **ID tokens** as this sample requires
-     the [Implicit grant flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to be enabled to
-     sign-in the user, and call an API.
+     the [Implicit grant flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to be enabled to
+     sign-in the user.
 1. Select **Save**.
 
 > Note that unless the Web App calls a Web API, no certificate or secret is needed.
@@ -120,24 +121,24 @@ cd "1-WebApp-OIDC\1-1-MyOrg"
 
    - at the top of the file, add the following using directive:
 
-   ```CSharp
-    using Microsoft.Identity.Web;
-    ```
+     ```CSharp
+      using Microsoft.Identity.Web;
+      ```
 
    - in the `ConfigureServices` method, replace the two following lines:
 
      ```CSharp
-         services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
-                 .AddAzureAD(options => Configuration.Bind("AzureAd", options));
+      services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
+              .AddAzureAD(options => Configuration.Bind("AzureAd", options));
      ```
 
      by this line:
 
      ```CSharp
-            services.AddAzureAdV2Authentication(Configuration);
+      services.AddAzureAdV2Authentication(Configuration);
      ```
 
-     This enables your application to use the Microsoft identity platform (fomerly Azure AD v2.0) endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
+     This enables your application to use the Microsoft identity platform (formerly Azure AD v2.0) endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
 
     1. Change the `Properties\launchSettings.json` file to ensure that you start your web app from <https://localhost:44321> as registered. For this:
     - update the `sslPort` of the `iisSettings` section to be `44321`
@@ -149,7 +150,6 @@ cd "1-WebApp-OIDC\1-1-MyOrg"
 
 2. Open your web browser and make a request to the app. Accept the IIS Express SSL certificate if needed. The app immediately attempts to authenticate you via the Azure AD v2 endpoint. Sign in with your personal account or with work or school account.
 
-> Did the sample not work for you as expected? Did you encounter issues trying this sample? Then please reach out to us using the [GitHub Issues](../../../../issues) page. 
 
 ## Toubleshooting
 
@@ -159,6 +159,8 @@ ASP.NET core applications create session cookies that represent the identity of
 
 If your web site needs to be accessed from users using iOS 12, you probably want to disable the SameSite protection, but also ensure that state changes are protected with CSRF anti-forgery mecanism. See the how to fix section of [Microsoft Security Advisory: iOS12 breaks social, WSFed and OIDC logins #4647](https://github.com/aspnet/AspNetCore/issues/4647)
 
+> Did the sample not work for you as expected? Did you encounter issues trying this sample? Then please reach out to us using the [GitHub Issues](../../../../issues) page.
+
 ## About The code
 
 This sample shows how to use the OpenID Connect ASP.NET Core middleware to sign in users from a single Azure AD tenant. The middleware is initialized in the `Startup.cs` file by passing it the Client ID of the app, and the URL of the Azure AD tenant where the app is registered. These values are  read from the `appsettings.json` file. The middleware takes care of:
@@ -169,18 +171,20 @@ This sample shows how to use the OpenID Connect ASP.NET Core middleware to sign
 
 You can trigger the middleware to send an OpenID Connect sign-in request by decorating a class or method with the `[Authorize]` attribute or by issuing a challenge (see the [AccountController.cs](https://github.com/aspnet/AspNetCore/blob/master/src/Azure/AzureAD/Authentication.AzureAD.UI/src/Areas/AzureAD/Controllers/AccountController.cs) file which is part of ASP.NET Core):
 
-
 The middleware in this project is created as a part of the open-source [ASP.NET Core Security](https://github.com/aspnet/aspnetcore) project.
 
 These steps are encapsulated in the [Microsoft.Identity.Web](..\..\Microsoft.Identity.Web) project, and in particular in the [StartupHelper.cs](..\..\Microsoft.Identity.Web\StartupHelper.cs) file
 
 ## Next steps
-
-- Learn how to enable [any organization](../1-2-AnyOrg) or [any Microsoft accounts](../1-3-AnyOrgOrPersonal) to sign-in
-- Learn how to enable your [Web App to call a Web API on behalf of the signed-in user](../../2-WebApp-graph-user)
+Learn how to:
+- Change your app to sign-in users from [any organization](../1-2-AnyOrg/README-1-1-to-1-2.md) or [any Microsoft accounts](../1-3-AnyOrgOrPersonal/README-1-1-to-1-3.md)
+- Enable users from [National clouds](../1-4-Sovereign) to sign-in to your application
+- enable your [Web App to call a Web API on behalf of the signed-in user](../../2-WebApp-graph-user)
 
 ## Learn more
 
+To understand more about token validation, see
+- [Validating tokens](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/ValidatingTokens)
 To understand more about app registration, see:
 
 - [Quickstart: Register an application with the Microsoft identity platform (Preview)](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app)
 
@@ -0,0 +1,104 @@
+---
+services: active-directory
+platforms: dotnet
+author: jmprieur
+level: 100
+client: ASP.NET Core Web App
+endpoint: AAD v2.0
+---
+# Change your ASP.NET Core Web app to sign-in users in any org with the Microsoft identity platform
+
+> This sample is for Azure AD, not Azure AD B2C. See [active-directory-b2c-dotnetcore-webapp](https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp), until we incorporate the B2C variation in the tutorial.
+
+![Build badge](https://identitydivision.visualstudio.com/_apis/public/build/definitions/a7934fdd-dcde-4492-a406-7fad6ac00e17/514/badge)
+
+## Scenario
+
+![Sign in with Azure AD](ReadmeFiles/sign-in.png)
+
+> This is the second chapter of the first phase of this ASP.NET Core Web App tutorial. You learnt previously how to build an ASP.NET Core Web app signing-in users with the Microsoft identity platform in [your organization](../1-1-MyOrg). This chapter describes how to change that application to enable users to sign-in from any organization.
+>
+> If you are not interested in the differentials, but want to understand all the steps, read the full [Readme.md](./Readme.md)
+
+## Enable users from any organization to sign-in to your Web app
+
+### Changes to the application registration
+
+Your application was registered to sign-in users in [your organization](../1-1-MyOrg) only. To enable users signing-in from any organization, you need to change the app registration in the Azure portal
+
+1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page.
+1. Find your application in the list and select it.
+1. In the **Authentication** section for your application, in the **Supported account types** section, select **Accounts in any organizational directory**.
+1. Select **Save**
+
+### Changes to the code
+
+You will also need to change the configuration file in the code:
+
+In the **appsettings.json** file, replace the `TenantId` value with `"organizations"`
+
+### Remark: effective sign-in audience
+
+The actual sign-in audience (accounts to sign-in) is the lowest set of what is specified in both the application registration portal and the `appsetttings.json` config file. In other words, you could also achieve the same result by:
+
+- setting in the portal the **Supported account types** to **Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)** and set the `TenantId` value to `"organizations"` in the **appsettings.json** file
+- setting in the portal the **Supported account types** to **Accounts in any organizational directory** and set the `TenantId` value to `"common"` in the **appsettings.json** file
+
+## How to restrict users from specific organizations to sign-in to your web app
+
+In order to restrict users from specific organizations to sign-in to your web app, you'll need to follow the steps above, and customize a bit more the code to restrict the valid token issuers. The token issuers are really the tenanted Azure AD authority which are allowed to issue a token to access your web application.
+
+In the `Startup.cs` file, in the `ConfigureServices` method, after `services.AddAzureAdV2Authentication(Configuration)` add some code to validate specific issuers by overriding the `TokenValidationParameters.IssuerValidator` delegate.
+
+```CSharp
+    public void ConfigureServices(IServiceCollection services)
+    {
+    ...
+    // Sign-in users with the Microsoft identity platform
+    services.AddAzureAdV2Authentication(Configuration);
+
+    // Restrict users to specific belonging to specific tenants
+    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
+    {
+        options.TokenValidationParameters.IssuerValidator = ValidateSpecificIssuers;
+    });
+   ...
+```
+
+An example of code for `ValidateSpecificIssuers` is the following:
+
+```CSharp
+    private string ValidateSpecificIssuers(string issuer, SecurityToken securityToken,
+                                          TokenValidationParameters validationParameters)
+    {
+        var validIssuers = GetAcceptedTenantIds()
+                             .Select(tid => $"https://login.microsoftonline.com/{tid}");
+        if (validIssuers.Contains(issuer))
+        {
+            return issuer;
+        }
+        else
+        {
+            throw new SecurityTokenInvalidIssuerException("The accounts does not belong to one of the tenants that this Web App accepts to sign-in.");
+        }
+    }
+
+    private string[] GetAcceptedTenantIds()
+    {
+        // If you are an ISV who wants to make the Web app available only to certain customers who
+        // are paying for the service, you might want to fetch this list of accepted tenant ids from
+        // a database.
+        // Here for simplicity we just return a hard-coded list of TenantIds.
+        return new[]
+        {
+            "<GUID1>",
+            "<GUID2>"
+        };
+    }
+```
+
+## Next steps
+
+- Learn how to enable [any Microsoft accounts](../1-3-AnyOrgOrPersonal) to sign-in to your application
+- Learn how to enable users from [National clouds](../1-4-Sovereign) to sign-in to your application
+- Learn how to enable your [Web App to call a Web API on behalf of the signed-in user](../../2-WebApp-graph-user)