@misaxi
Last active January 4, 2016 02:19
After you create an ASP.NET MVC 5 project integrated with Organisational Accounts, a few Windows Azure Active Directory things are configured automatically. A LocalDB is used to check issuer keys and tenants, which is not necessary. ConfigIssuerNameRegistry checks those things based on web.config instead.
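using System;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Linq;

namespace Rockend.Bedrock.Web.Admin.Utils.AzureAD
{
    // Validates token issuers against the tenant ids and signing-key
    // thumbprints listed in web.config instead of a LocalDB.
    public class ConfigIssuerNameRegistry : ValidatingIssuerNameRegistry
    {
        static readonly string[] TenantIds = ReadList("ida:TenentIds");
        static readonly string[] IssuerKeys = ReadList("ida:IssuerKeys");

        // Reads a '|'-separated appSetting. A missing key or empty entries
        // yield no values, so validation fails closed.
        static string[] ReadList(string key)
        {
            return (ConfigurationManager.AppSettings[key] ?? string.Empty)
                .Split('|')
                .Select(n => n.Trim())
                .Where(n => n.Length > 0)
                .ToArray();
        }

        public static bool ContainsTenant(string tenantId)
        {
            return TenantIds.Contains(tenantId, StringComparer.OrdinalIgnoreCase);
        }

        public static bool ContainsKey(string thumbprint)
        {
            // Thumbprints are hex strings, so compare case-insensitively.
            return IssuerKeys.Contains(thumbprint, StringComparer.OrdinalIgnoreCase);
        }

        protected override bool IsThumbprintValid(string thumbprint, string issuer)
        {
            if (string.IsNullOrEmpty(issuer)) return false;
            // The tenant id is the last path segment of the issuer URI.
            string issuerId = issuer.TrimEnd('/').Split('/').Last();
            return ContainsTenant(issuerId)
                && ContainsKey(thumbprint);
        }
    }
}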
<appSettings>
  ...
  <add key="ida:IssuerKeys" value="5BDD2BE7F2|63C007706C" />
  <add key="ida:TenentIds" value="16c-1e-4c-bc-21d" />
</appSettings>
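Because the thumbprints in `ida:IssuerKeys` are static, sign-in breaks when Azure AD rolls its signing keys until web.config is updated. The following is an added example, not part of the original gist: a startup check that reports thumbprints published in the tenant's federation metadata but missing from config. The class name `IssuerKeyDriftCheck` is hypothetical, and the `ida:FederationMetadataLocation` appSetting is an assumption (it is not shown on this page).

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.IdentityModel.Tokens;
using System.Linq;

namespace Rockend.Bedrock.Web.Admin.Utils.AzureAD
{
    // Hypothetical helper: reports drift only, it never trusts a new key by itself.
    public static class IssuerKeyDriftCheck
    {
        // Returns thumbprints that the federation metadata publishes
        // but that ConfigIssuerNameRegistry would reject.
        public static string[] FindMissingKeys()
        {
            // Assumption: this appSetting holds the tenant's federation metadata URL.
            string metadataLocation =
                ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];
            if (string.IsNullOrWhiteSpace(metadataLocation))
                throw new ConfigurationErrorsException(
                    "ida:FederationMetadataLocation is not set.");

            IssuingAuthority authority =
                ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);
            return authority.Thumbprints
                .Where(t => !ConfigIssuerNameRegistry.ContainsKey(t))
                .ToArray();
        }

        // Call from Application_Start. Logs instead of throwing so that a
        // metadata endpoint outage does not block application startup.
        public static void WarnOnDrift()
        {
            try
            {
                string[] missing = FindMissingKeys();
                if (missing.Length > 0)
                    Trace.TraceWarning(
                        "Azure AD signing keys not in ida:IssuerKeys: {0}",
                        string.Join("|", missing));
            }
            catch (Exception ex)
            {
                Trace.TraceError("Issuer key drift check failed: {0}", ex.Message);
            }
        }
    }
}
```

Review any reported thumbprint against the metadata document before adding it to `ida:IssuerKeys`, since that list is the trust anchor for every token the application accepts.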