Need help authenticating an ASP.NET Core Web API method for use as a custom authentication extension in Microsoft Entra External ID
My organization is trying to set up custom authentication extensions in a Microsoft Entra External ID tenant's sign-in/sign-up user flow. We currently have an ASP.NET Core Web API set up with the methods we would like the extensions to call. However, we are having issues setting up authentication. The documentation we have been following on Microsoft Learn uses Azure Functions for the API methods, which does not align with our current setup, so we are trying to use Microsoft Identity to authenticate, but the connector throws an ambiguous error whenever we try to secure and authenticate the API methods.
First, here is how we have configured Microsoft Identity in our ASP.NET Core Web API, with the Microsoft.Identity.Web NuGet package installed:
appsettings.[environment].json
"AzureAd": {
    "Instance": "https://[Entra External ID Directory Domain].ciamlogin.com/",
    "TenantId": "[Tenant ID]",
    "ClientId": "[Client ID]",
    "ClientSecret": "[Secret]", // Used for Microsoft Graph authentication
    "Audience": "api://[API host URI]/[Tenant ID]",
    "Scopes": {
        "Read": [ "access_as_user" ],
        "Write": [ "access_as_user" ]
    },
    "AppPermissions": {
        "Read": [ "Identity.Access" ],
        "Write": [ "Identity.Access" ]
    }
},
Program.cs
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
// ...
try
{
var builder = WebApplication.CreateBuilder(args);
// ..
// Add authentication
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
// Add authorization
builder.Services.AddAuthorization();
// ...
var app = builder.Build();
// ...
app.UseAuthentication();
app.UseAuthorization();
app.Run();
}
finally
{
// ...
}
API Controller
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
// ...
[HttpPost]
[Authorize]
[Route("[Route]", Name = "[Name]")]
public async Task<IActionResult> GetClaimsAsync([FromBody] TokenIssuanceStartRequest request)
{
// ...
}
Microsoft Entra External ID configuration:
Is there anything we're missing? Are there any documentation or guides that can help us with this scenario?
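For comparison, here is an added example of how the same Web API can be wired up with Microsoft.Identity.Web so that it validates the bearer token Entra External ID presents to a custom authentication extension and restricts the endpoint to that caller. It is not the poster's code and not Microsoft's sample. Assumptions: the "AzureAd" and "CustomAuthExtension" configuration sections, the "/onTokenIssuanceStart" route, the "EntraAuthenticationEvents" policy name and the sample claim values are all hypothetical; CallerAppId stands for the application ID of the Entra custom authentication extensions service principal, which the Microsoft Learn docs list; the response JSON follows the TokenIssuanceStart provideClaimsForToken example on Microsoft Learn.

```csharp
// Program.cs: added example of a minimal ASP.NET Core Web API that validates the bearer
// token Entra External ID presents when it calls a custom authentication extension,
// then answers a TokenIssuanceStart event. Not the original poster's code.
// Requires the Microsoft.Identity.Web NuGet package.
using System.Security.Claims;
using System.Text.Json.Nodes;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration (hypothetical section names, placeholder values):
// "AzureAd": {
//   "Instance": "https://<subdomain>.ciamlogin.com/",
//   "TenantId": "<tenant id>",
//   "ClientId": "<client id of this API's app registration>",
//   "Audience": "<application ID URI of this API, e.g. api://<api-host>/<client id>>"
// },
// "CustomAuthExtension": {
//   "CallerAppId": "<application ID of the Entra custom authentication extensions service principal>"
// }
string callerAppId = builder.Configuration["CustomAuthExtension:CallerAppId"]
    ?? throw new InvalidOperationException("CustomAuthExtension:CallerAppId is not configured");

// Validates signature, issuer, lifetime and audience from the "AzureAd" section.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Log why a token was rejected: the error the Entra connector reports is generic, and an
// audience or issuer mismatch is only visible in the API's own logs.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Events ??= new JwtBearerEvents();
    options.Events.OnAuthenticationFailed = ctx =>
    {
        ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>()
            .LogWarning(ctx.Exception, "Bearer token rejected: {Reason}", ctx.Exception.Message);
        return Task.CompletedTask;
    };
});

// A valid token from the tenant is not enough: only the Entra custom authentication
// extensions caller may invoke this endpoint. v2 tokens carry the caller's app id in "azp",
// v1 tokens in "appid".
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("EntraAuthenticationEvents", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => IsExpectedCaller(ctx.User, callerAppId)));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical route; it must match the target URL configured on the custom
// authentication extension in the External ID tenant.
app.MapPost("/onTokenIssuanceStart", ([FromBody] JsonObject request) =>
{
    // The signing-in user's object id is at data.authenticationContext.user.id in the event
    // payload; a real handler would look that user up. The claims below are constructed sample data.
    string? userId = request["data"]?["authenticationContext"]?["user"]?["id"]?.GetValue<string>();
    var claims = new Dictionary<string, string>
    {
        ["customerTier"] = "gold",
        ["lookupKey"] = userId ?? "unknown",
    };
    return Results.Json(BuildProvideClaimsResponse(claims));
}).RequireAuthorization("EntraAuthenticationEvents");

app.Run();

// True when the token's application claim names the expected caller.
static bool IsExpectedCaller(ClaimsPrincipal user, string expectedAppId) =>
    user.HasClaim(c => (c.Type == "azp" || c.Type == "appid") && c.Value == expectedAppId);

// Response shape for a provideClaimsForToken action, following the TokenIssuanceStart
// example on Microsoft Learn; confirm the @odata.type values against the current docs.
static JsonObject BuildProvideClaimsResponse(IDictionary<string, string> claims)
{
    var claimsNode = new JsonObject();
    foreach (var (name, value) in claims)
        claimsNode[name] = value;

    return new JsonObject
    {
        ["data"] = new JsonObject
        {
            ["@odata.type"] = "microsoft.graph.onTokenIssuanceStartResponseData",
            ["actions"] = new JsonArray(new JsonObject
            {
                ["@odata.type"] = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
                ["claims"] = claimsNode,
            }),
        },
    };
}
```

Two checks are worth doing before touching the Entra side. First, trigger the user flow once and read the warning the OnAuthenticationFailed handler writes: the exception message names the failing validation step, and the "aud" and "iss" values in the rejected token should be compared with the Audience and Instance/TenantId settings (the audience Entra requests is tied to the application ID URI registered for the API, not to the tenant ID). Second, keep the caller check even once the token validates; without it any client that can obtain a token for the API's audience in the tenant can inject claims into issued tokens.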