Need help authenticating a ASP.NET Core Web API method for use as a custom authentication extension in Microsoft External Extra ID

Question

Need help authenticating a ASP.NET Core Web API method for use as a custom authentication extension in Microsoft External Extra ID

Isaac Weston 0

My organization is trying to setup custom authentication extensions in a Microsoft Entra External ID tenant's sign-in/sign-up user flow. We currently have an ASP.NET Core Web API setup with the methods we would like the extensions to call. However, we are having issues setting up authentication. The documentation we have been following on Microsoft Learn uses Azure Functions for the API methods, which does not align with our current setup, so we are trying to use Microsoft Identity to authenticate, but the connector throws an ambiguous error whenever we try to secure and authenticate the API methods.

First, here is how we have configured Microsoft Identity in our ASP.NET Core Web API, with the Microsoft.Identity.Web NuGet package installed:

appsettings.[environment].js

"AzureAd": {
  "Instance": "https://[Entra External ID Directory Domain].ciamlogin.com/",
  "TenantId": "[Tenant ID]",
  "ClientId": "[Client ID]",
  "ClientSecret": "[Secret]"// Used for Microsoft Graph authentication
  "Audience": "api://[API host URI]/[Tenant ID]",
  "Scopes": {
    "Read": [ "access_as_user" ],
    "Write": [ "access_as_user" ]
  },
  "AppPermissions": {
    "Read": [ "Identity.Access" ],
    "Write": [ "Identity.Access" ]
  }
},

Program.cs

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
// ...

try
{
    var builder = WebApplication.CreateBuilder(args);
    // ..
    // Add authentication
    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
    // Add authorization
    builder.Services.AddAuthorization();
    // ...
    var app = builder.Build();
    // ...
    app.UseAuthentication();
    app.UseAuthorization();
    app.Run();
}
finally
{
    // ...
}

API Controller

using Microsoft.AspNetCore.Authorization;
// ...

[HttpPost]
[Authorize]
[Route("[Route]", Name = "[Name]")]
public async Task<IActionResult> GetClaimsAsync([FromBody] TokenIssuanceStartRequest request)
{
	// ...
}

Microsoft Entra External ID configuration:

Screenshot 2026-03-03 144657

Screenshot 2026-03-03 144920

Screenshot 2026-03-03 145242

Screenshot 2026-03-03 152127

Is there anything we're missing? Is there any documentation or guides that can help us with this scenario?

Sina Salam 29,596 Reputation points Volunteer Moderator

2026-03-14T12:38:05.95+00:00
Hello Isaac Weston

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are in need of help for authenticating a ASP.NET Core Web API method for use as a custom authentication extension in Microsoft External Extra ID.

Most of all, regarding the information provided. The problem is not ASP.NET Core vs Azure Functions.

The real issue is incorrect permission model (delegated instead of application).

The correct architecture flow should be like:

Entra External ID -> | Access token | - > ASP.NET Core API -> | Validate JWT | - > Return claims response.

The steps to fix the flow are the following:

Register API in Entra. Configure:
Expose an API
Add Application Role
CustomAuthenticationExtension.Receive.Payload
Allowed member types: Applications

Grant permission to the Custom Authentication Extension app registration. Admin consent required.

Correct your appsettings.json
"AzureAd": {

Then, configure authentication in Program.cs
builder.Services
This is correct style.

Add authorization policy to restrict to correct role:
builder.Services.AddAuthorization(options =>

The protect your EndPoint.
[Authorize(Policy = "CustomExtensionPolicy")] [HttpPost] public IActionResult GetClaims([FromBody] TokenIssuanceStartRequest request)

Then return correct response as in the example:
return Ok(new

Test manually and try to acquire token: POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token Then call API with: Authorization: Bearer <token>

This step is recommended by Microsoft troubleshooting guide: https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-troubleshoot

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
VEMULA SRISAI 13,135 Reputation points Microsoft External Staff Moderator

2026-03-17T08:08:22.5366667+00:00
Hello Isaac Weston,

The Azure Functions examples in the documentation are only a hosting reference. A custom authentication extension can call any public HTTPS REST API, including an ASP.NET Core Web API.

The key point to be aware of is how the API is authenticated.

Custom authentication extensions call the REST API using OAuth 2.0 client credentials (app‑only). This means:

The inbound token does not represent a user

The token contains application permissions (roles), not delegated scopes (scp)

Because of this, if the API is secured expecting delegated permissions such as access_as_user, the call will fail and the connector may surface a generic or ambiguous error.

To work correctly:

The API app registration must expose an Application permission (App Role) with Allowed member types = Applications

The connector (client) app must be granted that Application permission and admin consent must be completed

The API must validate:

The correct audience (Application ID URI)

App roles (roles claim), not delegated scopes

In ASP.NET Core, this typically means authorizing using app roles, for example:

[Authorize(Roles = "Identity.Access")] (or RequiredScopeOrAppPermission if supporting both models)

Once the API is configured to trust app‑only tokens with application permissions, it works the same way as the Azure Functions implementation.

Custom authentication extensions overview (External ID) – confirms the pattern: Entra calls your REST API endpoint as part of the user flow

https://learn.microsoft.com/en-us/entra/external-id/customers/concept-custom-extensions

https://learn.microsoft.com/en-us/entra/identity-platform/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow
VEMULA SRISAI 13,135 Reputation points Microsoft External Staff Moderator

2026-03-20T15:13:48.4733333+00:00

Isaac Weston I’m following up on my previous response to see if it helped. Please feel free to reach out if you need any further assistance.I’m happy to help

1 answer

Your answer

Sina Salam 29,596 Reputation points Volunteer Moderator

2026-03-14T12:38:05.95+00:00

Hello Isaac Weston

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are in need of help for authenticating a ASP.NET Core Web API method for use as a custom authentication extension in Microsoft External Extra ID.

Most of all, regarding the information provided. The problem is not ASP.NET Core vs Azure Functions.

The real issue is incorrect permission model (delegated instead of application).

The correct architecture flow should be like:

Entra External ID -> | Access token | - > ASP.NET Core API -> | Validate JWT | - > Return claims response.

The steps to fix the flow are the following:

Register API in Entra. Configure:
Expose an API
Add Application Role
CustomAuthenticationExtension.Receive.Payload
Allowed member types: Applications

Grant permission to the Custom Authentication Extension app registration. Admin consent required.

Correct your appsettings.json
"AzureAd": {

Then, configure authentication in Program.cs
builder.Services
This is correct style.

Add authorization policy to restrict to correct role:
builder.Services.AddAuthorization(options =>

The protect your EndPoint.
[Authorize(Policy = "CustomExtensionPolicy")] [HttpPost] public IActionResult GetClaims([FromBody] TokenIssuanceStartRequest request)

Then return correct response as in the example:
return Ok(new

Test manually and try to acquire token: POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token Then call API with: Authorization: Bearer <token>

This step is recommended by Microsoft troubleshooting guide: https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-troubleshoot

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
VEMULA SRISAI 13,135 Reputation points Microsoft External Staff Moderator

2026-03-17T08:08:22.5366667+00:00

Hello Isaac Weston,

The Azure Functions examples in the documentation are only a hosting reference. A custom authentication extension can call any public HTTPS REST API, including an ASP.NET Core Web API.

The key point to be aware of is how the API is authenticated.

Custom authentication extensions call the REST API using OAuth 2.0 client credentials (app‑only). This means:

The inbound token does not represent a user

The token contains application permissions (roles), not delegated scopes (scp)

Because of this, if the API is secured expecting delegated permissions such as access_as_user, the call will fail and the connector may surface a generic or ambiguous error.

To work correctly:

The API app registration must expose an Application permission (App Role) with Allowed member types = Applications

The connector (client) app must be granted that Application permission and admin consent must be completed

The API must validate:

The correct audience (Application ID URI)

App roles (roles claim), not delegated scopes

In ASP.NET Core, this typically means authorizing using app roles, for example:

[Authorize(Roles = "Identity.Access")] (or RequiredScopeOrAppPermission if supporting both models)

Once the API is configured to trust app‑only tokens with application permissions, it works the same way as the Azure Functions implementation.

Custom authentication extensions overview (External ID) – confirms the pattern: Entra calls your REST API endpoint as part of the user flow

https://learn.microsoft.com/en-us/entra/external-id/customers/concept-custom-extensions

https://learn.microsoft.com/en-us/entra/identity-platform/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow
VEMULA SRISAI 13,135 Reputation points Microsoft External Staff Moderator

2026-03-20T15:13:48.4733333+00:00

Isaac Weston I’m following up on my previous response to see if it helped. Please feel free to reach out if you need any further assistance.I’m happy to help

Answer 1

Hello @Isaac Weston,

Hey Isaac, it turns out nothing magic was hiding in the Azure-Functions examples – you can absolutely host your custom auth extension in an ASP NET Core Web API. The catch is that Entra External ID calls your API using the OAuth2 client-credentials (app-only) flow, so:

• the inbound token has NO user (“scp”) scopes

• it HAS application permissions (in the “roles” claim)

You had defined only delegated scopes (“access_as_user”) in your API registration, and you’re validating for scp. The connector grabs an app‐only token, so there is no scp claim and your [Authorize] check fails with a generic auth error.

Here’s what you need to do:

Expose an Application Permission (App Role) on your API registration – In Azure Portal > App registrations > your API > “App roles” > “+ Create app role” – Allowed member types = “Applications” – Give it a value, e.g. Identity.Access
Grant that App Role to your custom-extension application – In your extension’s App registration > “API permissions” > “+ Add a permission” > “My APIs” > select your API > choose the new “Identity.Access” application permission – Click “Grant admin consent”

Update your ASP NET Core code to validate roles instead of scopes In Program.cs something like:


   builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)

     .AddMicrosoftIdentityWebApi(options => {

        builder.Configuration.Bind("AzureAd", options);

        // tell the middleware to look for "roles" (app perms) not "scp"

        options.TokenValidationParameters.RoleClaimType = "roles";  

     });

   builder.Services.AddAuthorization(opts => {

     opts.AddPolicy("AppOnly", policy => 

       policy.RequireRole("Identity.Access"));

   });

   app.UseAuthentication();

   app.UseAuthorization();

   [ApiController]

   [Route("...")]

   public class MyController : ControllerBase {

     [HttpPost, Authorize(Policy="AppOnly")]

     public IActionResult GetClaims([FromBody] TokenIssuanceStartRequest req) { … }

   }

Call it exactly the way Entra External ID will: POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token • grant_type=client_credentials • client_id={your-extension-app-id} • client_secret={secret} • scope=api://{your-api-app-id-uri}/.default Then pass that token in Authorization: Bearer {the-access-token}

At that point your API will validate the JWT’s audience (your API’s App ID URI), issuer (your *.ciamlogin.com tenant), and the roles claim (“Identity.Access”) and return 200.

Hope that gets you unblocked!

Reference docs for more details:

• Custom Auth Extensions overview:

https://learn.microsoft.com/entra/external-id/customers/concept-custom-extensions

• Protect Web APIs with app-roles (no scp):

https://learn.microsoft.com/entra/identity-platform/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore

• OAuth2 client credentials grant flow:

https://learn.microsoft.com/entra/identity-platform/v2-oauth2-client-creds-grant-flow

• Troubleshooting custom extensions:

https://learn.microsoft.com/entra/identity-platform/custom-extension-troubleshoot

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.

Share via

Need help authenticating a ASP.NET Core Web API method for use as a custom authentication extension in Microsoft External Extra ID

1 answer

Your answer