This documentation is archived and is not being maintained.

Access Control Service 2.0

Updated: April 14, 2015

Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) is a cloud-based service that provides an easy way of authenticating and authorizing users to gain access to your web applications and services while allowing the features of authentication and authorization to be factored out of your code. Instead of implementing an authentication system with user accounts that are specific to your application, you can let ACS orchestrate the authentication and much of the authorization of your users. ACS integrates with standards-based identity providers, including enterprise directories such as Active Directory, and web identities such as Windows Live ID (Microsoft account), Google, Yahoo!, and Facebook.

ACS namespaces can migrate their Google identity provider configurations from OpenID 2.0 to OpenID Connect. Migration must be completed before June 1, 2015. For detailed guidance, see Migrating ACS Namespaces to Google OpenID Connect.

  • Go to the Microsoft Azure Management Portal (, sign in, and then click Active Directory. (Troubleshooting tip: "Active Directory" item is missing or not available) The portal includes the production release of ACS and a service license agreement.

  • To create an Access Control namespace, click New, click App Services, click Access Control, and then click Quick Create. (Or, click Access Control Namespaces before clicking New.)

  • To manage an Access Control namespace, select the namespace, and then click Manage. (Or, click Access Control Namespaces, select the namespace, and then click Manage.)

  • Try using ACS. To use ACS in your web application, following the steps in How to: Create My First Claims-Aware ASP.NET Application Using ACS. For a list of ACS requirements, see ACS Prerequisites.

  • Watch this Channel 9 video ( It explains how ACS manages identity and access control for applications running on the Windows platform.

  • Download the latest Code Samples ( and run them. First, try each sample using the ACS management portal option. Then, examine the automation opportunities available from the ACS Management Service. The code samples show you how to integrate ACS with web services and ASP.NET web sites (Web Forms and MVC). For a list of ACS code samples, see ACS Code Samples Index.

ACS is compatible with most popular programming and runtime environments, and supports many protocols including Open Authorization (OAuth), OpenID, WS-Federation, and WS-Trust. ACS is compatible with virtually any modern web platform, including .NET, PHP, Python, Java, and Ruby.

The following are the key features of ACS:

  • Integration with Windows Identity Foundation (WIF)

  • Out-of-the-box support for popular web identity providers including Windows Live ID (Microsoft account), Google, Yahoo, and Facebook

  • Out-of-the-box support for

  • Support for OAuth 2.0 (draft 13), WS-Trust, and WS-Federation protocols

  • Support for the JSON Web Token (JWT), SAML 1.1, SAML 2.0, and Simple Web Token (SWT) token formats

  • Integrated and customizable Home Realm Discovery that allows users to choose their identity provider

  • An Open Data Protocol (OData)-based management service that provides programmatic access to the ACS configuration

  • A browser-based management portal that allows administrative access to the ACS configuration

Access Control Service 1.0 is no longer supported. All users should be using ACS 2.0.

You can use the following resources to learn more about ACS: