Tutorial: Prepare an application for authentication

After registration is complete, an ASP.NET web application can be created using an integrated development environment (IDE). This tutorial demonstrates how to create an ASP.NET Core Web App using an IDE. You'll also create and upload a self-signed certificate to the Azure portal and configure the application for authentication.

In this tutorial:

  • Create an ASP.NET Core Web App
  • Create a self-signed certificate
  • Configure the settings for the application
  • Define platform settings and URLs


Create an ASP.NET Core project

Use the following steps to create an ASP.NET Core project in Visual Studio.

  1. Open Visual Studio, and then select Create a new project.
  2. Search for and choose the ASP.NET Core Web App template, and then select Next.
  3. Enter a name for the project, such as NewWebAppLocal.
  4. Choose a location for the project or accept the default option, and then select Next.
  5. Accept the defaults for Framework, Authentication type, and Configure for HTTPS. Authentication type can be set to None, because this tutorial covers configuring authentication.
  6. Select Create.

Create and upload a self-signed certificate

Using certificates is a suggested way of securing communication between client and server. For the purpose of this tutorial, a self-signed certificate is created in the project directory. See the self-signed certificates documentation to learn more.

  1. Select Tools > Command Line > Developer Command Prompt.

  2. Enter the following command to create a new self-signed certificate:

    dotnet dev-certs https -ep ./certificate.crt --trust

Upload certificate to the portal

To make the certificate available to the application, it must be uploaded into the tenant.

  1. Starting from the Overview page of the app created earlier, under Manage, select Certificates & secrets and select the Certificates (0) tab.

  2. Select Upload certificate.

    Screenshot of uploading a certificate into a Microsoft Entra tenant.

  3. Select the folder icon, then browse for and select the certificate that was previously created.

  4. Enter a description for the certificate and select Add.

  5. Record the Thumbprint value, which will be used in the next step.

    Screenshot showing copying the certificate thumbprint.

Configure the application for authentication and API reference

The values recorded earlier will be used in appsettings.json to configure the application for authentication. appsettings.json is a configuration file that is used to store application settings used during run-time. As the application will also call into a web API, it must also contain a reference to it.

  1. In your IDE, open appsettings.json and replace the file contents with the following snippet:

      {
        "AzureAd": {
          "Instance": "https://login.microsoftonline.com/",
          "TenantId": "Enter the tenant ID obtained from the Azure portal",
          "ClientId": "Enter the client ID obtained from the Azure portal",
          "ClientCertificates": [
            {
              "SourceType": "StoreWithThumbprint",
              "CertificateStorePath": "CurrentUser/My",
              "CertificateThumbprint": "Enter the certificate thumbprint obtained from the Azure portal"
            }
          ],
          "CallbackPath": "/signin-oidc"
        },
        "DownstreamApi": {
          "BaseUrl": "https://graph.microsoft.com/v1.0/me",
          "Scopes": "user.read"
        },
        "Logging": {
          "LogLevel": {
            "Default": "Information",
            "Microsoft.AspNetCore": "Warning"
          }
        },
        "AllowedHosts": "*"
      }

    • Instance - The authentication endpoint. See National clouds for the other available endpoints.
    • TenantId - The identifier of the tenant where the application is registered. Replace the text in quotes with the Directory (tenant) ID value that was recorded earlier from the overview page of the registered application.
    • ClientId - The identifier of the application, also referred to as the client. Replace the text in quotes with the Application (client) ID value that was recorded earlier from the overview page of the registered application.
    • ClientCertificates - A self-signed certificate is used for authentication in the application. Replace the text of the CertificateThumbprint with the thumbprint of the certificate that was previously recorded.
    • CallbackPath - An identifier that helps the server redirect a response to the appropriate application.
    • DownstreamApi - An identifier that defines an endpoint for accessing Microsoft Graph. The application URI is combined with the specified scope. To define the configuration for an application owned by the organization, the value of the Scopes attribute is slightly different.
  2. Save changes to the file.

  3. In the Properties folder, open the launchSettings.json file.

  4. Find and record the https value of applicationUrl within launchSettings.json, for example https://localhost:{port}. This URL will be used when defining the Redirect URI.

Define the platform and URLs

  1. In the Azure portal, under Manage, select App registrations, and then select the application that was previously created.

  2. In the left menu, under Manage, select Authentication.

  3. In Platform configurations, select Add a platform, and then select Web.

    Screenshot on how to select the platform for the application.

  4. Under Redirect URIs, enter the applicationUrl value followed by the CallbackPath, /signin-oidc, in the form of https://localhost:{port}/signin-oidc.

  5. Under Front-channel logout URL, enter the following URL for signing out, https://localhost:{port}/signout-oidc.

  6. Select Configure.
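
A pre-flight check for the values entered in appsettings.json and in the portal, as an added example that is not part of the original tutorial: it validates the AzureAd section and derives the Redirect URI and Front-channel logout URL from applicationUrl. The tenant ID, thumbprint and ports are constructed sample values, and the code assumes a .NET 7 or later console project (raw string literals, implicit usings).

```csharp
// Added example (not from the tutorial): pre-flight check of the AzureAd settings.
// The tenant ID, thumbprint and ports below are constructed sample values.
using System.Text.Json;
using System.Text.RegularExpressions;
const string appSettings = """
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "11111111-2222-3333-4444-555555555555",
    "ClientId": "Enter the client ID obtained from the Azure portal",
    "ClientCertificates": [ {
        "SourceType": "StoreWithThumbprint",
        "CertificateStorePath": "CurrentUser/My",
        "CertificateThumbprint": "0123456789ABCDEF0123456789ABCDEF01234567"
    } ],
    "CallbackPath": "/signin-oidc"
  }
}
""";
// Value of applicationUrl in the https profile of launchSettings.json (sample ports).
const string applicationUrl = "https://localhost:7274;http://localhost:5125";

var ad = JsonDocument.Parse(appSettings).RootElement.GetProperty("AzureAd");
var problems = new List<string>();

foreach (var key in new[] { "TenantId", "ClientId" })
    if (!Guid.TryParse(ad.GetProperty(key).GetString(), out _))
        problems.Add($"{key} is not a GUID (placeholder text left in place?)");
if (!Uri.TryCreate(ad.GetProperty("Instance").GetString(), UriKind.Absolute, out var instance)
    || instance.Scheme != Uri.UriSchemeHttps)
    problems.Add("Instance must be an absolute https URL");

foreach (var cert in ad.GetProperty("ClientCertificates").EnumerateArray())
{
    var thumbprint = cert.GetProperty("CertificateThumbprint").GetString() ?? "";
    // A SHA-1 thumbprint is exactly 40 hex digits; this also rejects stray
    // spaces or invisible characters picked up when copying the value.
    if (!Regex.IsMatch(thumbprint, @"\A[0-9A-Fa-f]{40}\z"))
        problems.Add("CertificateThumbprint is not 40 hex characters");
}

var callbackPath = ad.GetProperty("CallbackPath").GetString() ?? "";
if (!callbackPath.StartsWith('/'))
    problems.Add("CallbackPath must start with '/'");
// Only the https entry of applicationUrl is used for the portal URLs.
var httpsBase = applicationUrl.Split(';').First(u => u.StartsWith("https://")).TrimEnd('/');
Console.WriteLine($"Redirect URI:             {httpsBase}{callbackPath}");
Console.WriteLine($"Front-channel logout URL: {httpsBase}/signout-oidc");
foreach (var p in problems) Console.WriteLine($"PROBLEM: {p}");
```

The sample deliberately leaves the ClientId placeholder in place so the check reports it; the two printed URLs are the values to enter in the Authentication blade.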
