
Supporting both individual user accounts and organisational accounts in MVC5 / ASP.Net Identity 2

Updated: 2023-02-24 22:54:41

I managed to implement this by doing the following:

First, adding a reference to the Microsoft.Owin.Security.OpenIdConnect NuGet package.

Second, configuring it in my Startup.Auth.cs:

using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Inside ConfigureAuth(IAppBuilder app), after the existing cookie middleware registrations.
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = "From the Azure Portal (see below)",
    Authority = "https://login.windows.net/<domain>.onmicrosoft.com",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        RedirectToIdentityProvider = (ctx) =>
        {
            if (ctx.Request.Path.Value.EndsWith("ExternalLogin"))
            {
                // Only the admin login button reaches here: send the user to Azure AD
                // and have it return to the application root.
                string appBasePathUrl = ctx.Request.Scheme + "://" + ctx.Request.Host + ctx.Request.PathBase;
                ctx.ProtocolMessage.RedirectUri = appBasePathUrl + "/";
                ctx.ProtocolMessage.PostLogoutRedirectUri = appBasePathUrl;
            }
            else
            {
                // Any other challenge (e.g. an [Authorize] redirect for ordinary users)
                // must not be taken over by this middleware, so suppress its redirect.
                ctx.State = NotificationResultState.Skipped;
                ctx.HandleResponse();
            }

            return Task.FromResult(0);
        }
    },
    Description = new AuthenticationDescription
    {
        // AuthenticationType is the provider name the ExternalLogin form posts back.
        AuthenticationType = "OpenIdConnect",
        Caption = "SomeNameHere"
    }
});

Third, I setup the application in the Azure Portal (classic):

Fourth, I added a separate logon page for admin users:

@using (Html.BeginForm("ExternalLogin", "Home"))
{
    @Html.AntiForgeryToken()
    <div class="ui basic segment">
        <div class="ui list">
            <div class="item">
                <button type="submit" name="provider" value="OpenIdConnect" class="left floated huge ui button social">
                    <i class="windows icon"></i>
                    <span>My Org Name</span>
                </button>
            </div>
        </div>
    </div>
}

Fifth, the ExternalLogin action doesn't need to change - we just let OWIN middleware redirect us to the external login page. The flow would then direct the user back to the ExternalLoginCallback action.

Finally, in the ExternalLoginCallback action, I check the incoming claims to determine that the login was via Azure AD, and instead of calling into ASP.NET Identity, I construct my own ClaimsIdentity, which has all my (application specific) claim information which my application recognises as an admin user.
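One way to write that callback check, added here as an illustration rather than the answer's own code. It assumes the OpenIdConnect middleware is registered with AuthenticationType "OpenIdConnect" as in Startup.Auth.cs above, that the external login lands in the ASP.NET Identity external cookie, and that the tenant ID claim type and the "Index" action / tenant GUID placeholders are filled in for your own application.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class HomeController : Controller
{
    // Must match the AuthenticationType given to the OpenIdConnect middleware.
    private const string AzureAdProvider = "OpenIdConnect";
    // Claim type the JWT handler maps the Azure AD "tid" claim to (assumption).
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    // Placeholder: the tenant GUID of <domain>.onmicrosoft.com from the portal.
    private const string ExpectedTenantId = "<your-tenant-guid>";

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        IAuthenticationManager auth = HttpContext.GetOwinContext().Authentication;
        var loginInfo = await auth.GetExternalLoginInfoAsync();
        if (loginInfo == null) return RedirectToAction("Index");

        // This callback is shared with every external provider, so verify the
        // identity really came from our Azure AD tenant before granting admin.
        Claim tenant = loginInfo.ExternalIdentity.FindFirst(TenantIdClaim);
        bool fromOurTenant = loginInfo.Login.LoginProvider == AzureAdProvider
            && tenant != null
            && string.Equals(tenant.Value, ExpectedTenantId, StringComparison.OrdinalIgnoreCase);
        if (!fromOurTenant)
        {
            return RedirectToAction("Index"); // not an admin login: do not sign in
        }

        // Build the application's own identity with just the claims it relies on,
        // instead of handing the raw Azure AD claims to ASP.NET Identity.
        var admin = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
        admin.AddClaim(new Claim(ClaimTypes.NameIdentifier, loginInfo.Login.ProviderKey));
        admin.AddClaim(new Claim(ClaimTypes.Name, loginInfo.DefaultUserName ?? loginInfo.Login.ProviderKey));
        admin.AddClaim(new Claim(ClaimTypes.Role, "Admin"));

        auth.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        auth.SignIn(new AuthenticationProperties { IsPersistent = false }, admin);
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/admin");
    }
}
```

Admin pages can then be protected with [Authorize(Roles = "Admin")], which only succeeds for the cookie identity built here.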

Now, admin users navigate to https://example.com/admin, click the login button, are redirected to the Azure AD login, and wind up back at the application as an admin user.