How to authenticate .net core web APIs using Azure AD by using office365
I have .net core 3.1 web api application deployed to Azure App Service. I want to set the authentication for APIs using Azure Active Directory with users logging through their office 365 account.
The architecture is like - I have my office 365 account ready with me. I request for a token to Azure AD. With the JWT, I get from azure AD, I should be able to call all the API endpoints in my web api application deployed in App Service.
Can you please explain what all configuration needs to be done in azure portal and code changes in startup.cs file.
Please refer to Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform.
The Microsoft.AspNetCore.Authentication middleware uses a Startup class that's executed when the hosting process initializes. In its ConfigureServices method, the AddMicrosoftIdentityWebApi extension method provided by Microsoft.Identity.Web is called.
public void ConfigureServices(IServiceCollection services) { services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApi(Configuration, "AzureAd"); }You can protect a controller or controller methods using the [Authorize] attribute.
namespace webapi.Controllers { [Authorize] [ApiController] [Route("[controller]")] public class WeatherForecastController : ControllerBase
Deploying to Azure app service doesn't require more different configurations. Just modify the real API endpoint while calling it.
You can see more details from Scenario: Protected web API.
If you want to call the API from a web app, you could refer to Scenario: A web app that calls web APIs.
Remember that you need to register two Azure AD apps, one is for client app (front) and the other is for API app (backend). In the API app, you need to expose API. Then you need to configure the client app. Add the permission (scope) which is exposed by API app to the client app. These are all mentioned in the links above.
UPDATE:
I assume that you have created the two Azure AD apps on Azure portal and have configured the permissions between them. (if you haven't, please refer to Register the service app (TodoListAPI) and Register the client app (TodoListSPA))
Then you could test your API in Postman like this:
In the second screenshot:
Auth URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Client id and client secret are from the Azure AD app which represents the client app (TodoListSPA).
Scope is the app id uri which is exposed by the Azure AD app which represents the service app (TodoListAPI).
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs