Consuming secure Azure websites using Salesforce’s Lightning Connect

Salesforce’s Lightning Connect easily integrate external oData data with Salesforce. A good step-by-step blog on how to build WCF oData Service and how to deploy to Azure is here

In this blog I am going to show you how to enable Azure AD authentication on your oData Service and how to configure oAuth settings in website.


Here are the high-level steps

  • Create an Azure Website
  • Set Website Authentication to Azure AD
  • Create a new Azure AD App for
  • Create an Auth provider in website
  • Create an External Data Source


Create Azure Website

  1. Log into
  2. Click on the + and select “Web +Mobile” | “Web App”
  3. Give a name
  4. Click create
  5. Deploy your WCF oData application
  6. No need to add any authentication within your application code (Azure will take care of authentication)



Set website authentication to Azure AD

  1. Once this website is created
  2. Click on the “All Settings”
  3. Click on the “Authentication / Authorization”
  4. Turn on “App Service Authentication”
  5. Select “Log in with Azure Active Directory”
  6. Click on the configure in Azure Active Directory
  7. You can click on “Express” and create a new Azure AD App
  8. Or select an existing Azure AD app



Create a new Auth Provider in

  1. Log into
  2. In the quick find textbox, type auth providers
  3. Click on Auth. Providers
  4. Click on New button
  5. Select “Microsoft Access Control Service” as Provider Type
  6. Entry dump values for rest of the textboxes for now
  7. Click save button
  8. Copy the Auth and callback URLs


Create a new Azure AD App for Salesforce

  1. In the Azure portal, click on Browse on the left menu and click on “Active Directory”  to goto Azure AD
  2. Click on Applications
  3. Click on the Add button at the bottom middle
  4. Select “add an application my organization is developing”
  5. Click next
  6. In the name textbox, type salesforce
  7. Select “Web application” checkbox
  8. Click next
  9. In the sign-on url and app id url, we need to enter the Salesforce Auth provider callback urls as shown below
    1. Sign-on url :
    2. App ID url :


Create key for this new Salesforce AD App

  1. Once this AD app is created
  2. Add this below Reply url from Salesforce Auth provider
  3. Click Save button
  4. In the keys section, select the one year dropdown box and hit save
  5. Copy the KEY to a notepad
  6. In the “permissions to other applications”
  7. Click on the “add application” button
  8. Search for the app we created during in step#2 (website AD app)
  9. Set the delegated permissions, check on the “access <website AD app>”
  10. Click on the save button


Update Salesforce settings

  1. In the auth provider, enter client id and secret key of the salesforce AD App (and not the website AD App)
  2. In the authorize Endpoint URL, we need to provide the resource id as shown below
  3.   Now use this updated auth provider in the external data source


Two key points are :

1. We need to create two Azure AD Apps. One for our Azure oData Website and another for The reason we need to create two accounts is, first account is for the resource and second account is for user to access that resource. We need to tell Azure AD that a resource (oData website) needs authentication, so we create the first account for oData Website. In Azure AD, we are going to list all users who can access this oData website. One of the user is, so we create a second account.  We provide this second account’s clientid/key to so that website can impersonate as second account and access our oData website.  If you configure website to use the first account’s clientid/key, Azure AD will say error “I verified that you are xyz and now you are asking permission to access yourself?”

2. In the Auth provider, we need to provide the resource id i.e. in the oAuth authorize URL i.e. we need to add the query string ?   There is a MSDN documentation bug which says resource parameter is optional