Tutorial: Create a Blazor Server app that uses the Microsoft identity platform for authentication

In this tutorial, you build a Blazor Server app that signs in users and gets data from Microsoft Graph by using the Microsoft identity platform and registering your app in Microsoft Entra ID.

We also have a tutorial for Blazor WASM.

In this tutorial:

  • Create a new Blazor Server app configured to use Microsoft Entra ID to authenticate users in a single organization (the Microsoft Entra tenant where the app is registered)
  • Handle both authentication and authorization using Microsoft.Identity.Web
  • Retrieve data from a protected web API, Microsoft Graph


Create the app using the .NET CLI

mkdir <new-project-folder>
cd <new-project-folder>
dotnet new blazorserver --auth SingleOrg --calls-graph

Install the Microsoft Identity App Sync .NET Tool

dotnet tool install --global msidentity-app-sync

This tool will automate the following tasks for you:

  • Register your application in Microsoft Entra ID
    • Create a secret for your registered application
    • Register redirect URIs based on your launchsettings.json
  • Initialize the use of user secrets in your project
  • Store your application secret in user secrets storage
  • Update your appsettings.json with the client-id, tenant-id, and other values

.NET Tools extend the capabilities of the dotnet CLI command. To learn more about .NET Tools, see .NET Tools.

For more information on user secrets storage, see safe storage of app secrets during development.

Use the Microsoft Identity App Sync Tool

Run the following command to register your app in your tenant and update the .NET configuration of your application. Provide the username/UPN belonging to your Azure account (for instance, username@domain.com) and the tenant ID or domain name of the Microsoft Entra ID tenant associated with your Azure account. If you use an account that is already signed in to Visual Studio, Azure CLI, or Azure PowerShell, you'll benefit from single sign-on (SSO).

msidentity-app-sync --username <username/upn> --tenant-id <tenantID>


  • You don't need to provide the username if you are signed in with only one account in the developer tools.
  • You don't need to provide the tenant-id if the tenant in which you want to create the application is your home tenant.
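Once the tool has updated appsettings.json, you can check that the application secret stayed in user secrets storage and that the app is pinned to a single tenant. The Python script below is an added example, not part of the original tutorial or of the msidentity-app-sync tool; it assumes the AzureAd section with TenantId, ClientId and ClientSecret keys used by Microsoft.Identity.Web configuration, and its sample JSON is constructed.

```python
import json
import re

# Key names follow the Microsoft.Identity.Web "AzureAd" section convention (assumed layout).
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
SECRET_KEY = re.compile(r"secret|password", re.I)
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
MULTI_TENANT = {"common", "organizations", "consumers"}

def load_jsonc(text):
    """Parse JSON that may carry // or /* */ comments; string contents are kept."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(TOKEN.sub(keep_strings, text))

def secret_paths(node, path=""):
    """Yield config paths whose key looks like a secret and holds a non-empty string."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}:{key}" if path else key
            if isinstance(value, str) and value and SECRET_KEY.search(key):
                yield here
            yield from secret_paths(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from secret_paths(value, f"{path}:{i}")

def audit(text):
    cfg = load_jsonc(text)
    findings = [f"{p}: secret stored in appsettings.json" for p in secret_paths(cfg)]
    azure_ad = cfg.get("AzureAd", {})
    if str(azure_ad.get("TenantId", "")).lower() in MULTI_TENANT | {""}:
        findings.append("AzureAd:TenantId: not pinned to a single tenant")
    if not GUID.match(str(azure_ad.get("ClientId", ""))):
        findings.append("AzureAd:ClientId: not an application (client) ID GUID")
    return findings

# Constructed samples: the GUIDs and the secret value are made up.
BAD = """{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/", // sign-in endpoint
    "TenantId": "common",
    "ClientId": "<client-id>",
    "ClientSecret": "constructed-secret-value"
  }
}"""
GOOD = ('{"AzureAd": {"TenantId": "11111111-2222-3333-4444-555555555555",'
        ' "ClientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}}')
if __name__ == "__main__": print("\n".join(audit(BAD)))
```

Any non-empty value under a secret-like key is reported, including an unreplaced placeholder, so an empty result means the file is safe to commit as far as these three checks go.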

Optional - Create a development SSL certificate

In order to avoid SSL errors/warnings when browsing the running application, you can use the following on macOS and Windows to generate a self-signed SSL certificate for use by .NET Core.

dotnet dev-certs https --trust

Run the app

In your terminal, run the following command:

dotnet run

Browse to the running web application using the URL printed by the command.

Next steps

Learn about building web apps that sign in users in our multi-part scenario series: