In this blog post, I will give you an overview on how to create users in WAP and have them sign in. As you might already know, the Authentication and Authorization processes are separated into their own entities making the stack flexible enough to plug in your own custom Authentication system (eg. AD FS).

In an Express installation, the authentication is performed at the Admin and Tenant Authentication Sites (where the users enter their credentials) and the authorization is performed at the Service Management API layer. Hence, information about a user needs to be added at both these locations for users to be able to both sign in and get access to their subscriptions.

This blog will give you information on how to create a user in the Tenant Authentication Site and in the Service Management API layer.

Note: If you have other Identity Providers plugged into your system, you should create users appropriately in that system apart from creating the user in the Service Management API layer. The section on creating users in the Tenant Authentication site will not apply to you.

You can download the sample at The ‘UserSignUp’ project is what we will be discussing in this post.

Creating users in the Authentication system

As mentioned in the note above, if you have a custom Identity Provider plugged into your WAP stack, you should follow the appropriate steps to add the user into that identity system. This section is applicable only if you use the out-of-the-box Tenant Authentication Site.

The Tenant Authentication Site uses an out-of-the-box ASP.NET Membership Provider to provide identities. Therefore, you can use the standard ASP.NET Membership APIs to create users in the database. You can find more info on Membership Provider here:

The information required by the ASP.NET Membership API is specified in the App.Config. This includes specifying the Connection String to the Membership Database and some information that describes the configuration of the ASP.Net Membership Provider. Replace the Connection String in the code below to point to your database and use the appropriate authentication method.

   1: <connectionStrings>
   2:   <!-- Modify the connection string to point to the Windows Azure Pack Membership Database -->
   3:   <add name="WapMembershipDatabase" connectionString="Data Source=DatabaseName;User Id=sa; Password=password; Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;" />
   4: </connectionStrings>
   5: <system.web>
   6:   <membership defaultProvider="SqlProvider" hashAlgorithmType="HMACSHA256">
   7:     <providers>
   8:       <clear />
   9:       <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
  10:            enablePasswordRetrieval="false" 
  11:            enablePasswordReset="true" 
  12:            requiresQuestionAndAnswer="false"
  13:            requiresUniqueEmail="false" 
  14:            maxInvalidPasswordAttempts="5" 
  15:            minRequiredPasswordLength="8" 
  16:            minRequiredNonalphanumericCharacters="0"
  17:            passwordAttemptWindow="30" 
  18:            applicationName="/" 
  19:            passwordCompatMode="Framework40"
  20:            connectionStringName="WapMembershipDatabase"
  21:            passwordFormat="Hashed" />
  22:     </providers>
  23:   </membership>

Note: If you have been using the Preview version of the Windows Azure Pack, you have to update your user creation logic to use SHA-256 encryption for your password hashes (specified by the ‘hashAlgorithmType’ value in the App.Config.

Once this is done you have to call the CreateUser() method to create the user in the Membership Database. Note that I am specifying the email address as the username as expected by the ASP.Net Membership Provider.

   1: Membership.CreateUser(emailAddress, password, emailAddress);

Creating users in the Service Management API

This is the second step that enables authorization of the user. Windows Azure Pack provides you with PowerShell cmdlets that facilitate user creation in the API layer. That apart, you can also use the Admin APIClient interfaces that are available as a part of the Sample code found at

Both the methods involve getting an Identity token for the Administrator, and posting a create user call to the Service Management API layer.


You can use the Get-MgmtSvcToken token to get the token from the Windows Authentication Site. If you are using other identity Providers, you must obtain the token appropriately.

   1: $token = Get-MgmtSvcToken -Type 'Windows' -AuthenticationSite 'https://myenvironment:30072' -ClientRealm 'http://azureservices/AdminSite'

Once you have the identity token, you can use the Add-MgmtSvcUser cmdlet to create a Tenant user.

   1: Add-MgmtSvcUser  -AdminUri 'https://myenvironment:30004' -Token $token -Name '' -email '' -State 'Active'

Note: If you are using this snippet in a test environment with self-signed certificates, don’t forget to use the –DisableCertificateValidation parameter. you shouldn’t need this in production environments that have certificates from a trusted  CA


The Admin API Client Sample provides you with an easy interface to perform all the Admin actions for the Windows Azure Pack. As mentioned above, you can download the API Client from the Windows Azure Pack: Service Management API Samples page. The following example will use a method found as a part of the API Client solution. Apart from using the API Client, you can also make a raw Http call directly to the API layer using the reference at How to Create a Windows Azure Pack Tenant User.

Use the App.Config file to specify the application settings (Alternatively, you can specify these within the main method).

   1: <appSettings>
   2:   <add key="windowsAuthEndpoint" value="https://myenvironment:30072" />
   3:   <add key="adminDomainName" value="domain" />
   4:   <add key="adminUsername" value="administrator" />
   5:   <add key="adminPassword" value="password" />
   6:   <add key="adminApiEndpoint" value="https://myenvironment:30004" />
   7: </appSettings>

Read the values from the App.Config and use the snippet below to create a user in the API layer.

Note: The TokenIssuer.GetWindowsAuthToken() method is present in the API Clients solution that can be downloaded from the Windows Azure Pack: Service Management API Samples page.

   1: string windowsAuthEndpoint = ConfigurationManager.AppSettings["windowsAuthEndpoint"];
   2: string adminDomainName = ConfigurationManager.AppSettings["adminDomainName"];
   3: string adminUsername = ConfigurationManager.AppSettings["adminUsername"];
   4: string adminPassword = ConfigurationManager.AppSettings["adminPassword"];
   5: string adminApiEndpoint = ConfigurationManager.AppSettings["adminApiEndpoint"];
   6: string username;
   7: string password;
   8: var token = TokenIssuer.GetWindowsAuthToken(windowsAuthEndpoint, adminDomainName, adminUsername, adminPassword);
   9: using (var myAdminClient = new AdminManagementClient(new Uri(adminApiEndpoint), token))
  10: {
  11:    var userInfo = new User()
  12:    {
  13:         Name = emailAddress,
  14:         Email = emailAddress,
  15:         State = UserState.Active,
  16:     };
  17:     return myAdminClient.CreateUserAsync(userInfo).Result;
  18: }

In Summary, Creation of users in WAP involves two steps:

  1. Creating users in the Authentication system – requires username, password and other information required to identify the user
  2. Creating users in the Service Management API layer – requires the username that will be provided by the Authentication system