public async Task ConnectSubscription(string subscriptionId) { string directoryId = await resourceManagerUtility.GetDirectoryForSubscription(subscriptionId); if (!string.IsNullOrEmpty(directoryId)) { if (!User.Identity.IsAuthenticated || !directoryId.Equals((User.Identity as ClaimsIdentity).FindFirst ("http://schemas.microsoft.com/identity/claims/tenantid").Value)) { //This is where the actual magic of changing authentication authority happens var openIdFeature = HttpContext.Features[typeof(IHttpAuthenticationFeature)] as IHttpAuthenticationFeature; var openIdHandler = openIdFeature.Handler as MultiTenantOpenIdConnectHandler; openIdHandler.SetTenantAuthority(string.Format(azureADSettings.Authority, directoryId)); Dictionary <string, string> dict = new Dictionary <string, string>(); dict["prompt"] = "select_account"; await HttpContext.Authentication.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties(dict) { RedirectUri = this.Url.Action("ConnectSubscription", "Home") + "?subscriptionId=" + subscriptionId }); } else { string objectIdOfCloudSenseServicePrincipalInDirectory = await resourceManagerUtility.GetObjectIdOfServicePrincipalInDirectory(directoryId, azureADSettings.ClientId); await resourceManagerUtility.GrantRoleToServicePrincipalOnSubscription (objectIdOfCloudSenseServicePrincipalInDirectory, subscriptionId, directoryId); Subscription s = new Subscription() { Id = subscriptionId, DirectoryId = directoryId, ConnectedBy = signedInUserService.GetSignedInUserName(), ConnectedOn = DateTime.Now }; subscriptionRepository.AddSubscription(s); Response.Redirect(this.Url.Action("Index", "Home")); } } return; }