Hi All,
In this short post I would like to explain how I went about securing a C# Web API using Microsoft Entra ID (formerly known as Azure AD). I am going to assume that you know your way around Entra ID and have the permissions to create App Registrations, and ideally that you have your own testing/sandbox tenant to play in.
Let's get started.
Creating the App Registration.
In order to have your web API work with Entra ID, you first need to create an App Registration. Log in to Entra ID and in the left-hand sidebar select “App Registrations”:
Then click on “New Registration” in the top navbar.
Then fill out the form: you will need to provide a name for the app registration. This can be anything meaningful to you and/or your organisation. Leave the rest of the settings as they are, as shown in the image below.
Then click the blue “Register” button at the bottom of the form.
App Registration Overview Page.
After you have clicked the Register button you will be presented with the app overview page.
Expose an API
Now we need to expose the Web API. To do this, click on “Expose an API” in the sidebar.
On this screen, click the “Add” button next to “Application ID URI”.
Leave the default generated GUID and then click the blue Save button.
Adding Scope
Next we need to add a scope. We will not be using scopes in this web API example, but at least one scope needs to be present even if it is not used. I have named the scope “Items.Read” and its state is disabled. Click the “Add Scope” button.
Configuring Secrets
Next we need to create a secret. This is so that we can use Postman to test the protected API and obtain an OAuth 2.0 token.
Then click on the Add button.
Next, make sure to copy the auto-generated secret value and store it somewhere safe, as you will need it later. It is only shown once and you will not be able to view it again.
Configure Authentication
Next we need to configure authentication so that Postman can get an access token. Select the Web platform.
Then paste in the Postman callback URI: “https://oauth.pstmn.io/v1/callback”
Then click on the “Configure” button.
App Roles
Now we need to configure the App Roles. Fill in the role details, then click the “Apply” button to add the role.
Assigning Users to the Role
Now you need to go back to the Entra ID welcome screen and select “Enterprise Applications” from the left-hand sidebar. Then locate the App Registration that you created in the above steps.
Then select “Users and groups”.
Then add a user or group. You will notice that after adding a user or group you will see the “Admin” role that we created in the above steps.
After you have clicked the Apply button, we are ready to move on to the Postman section.
Configuring Postman
I am going to assume that you know Postman.
You will need to create a new collection and add a request to that collection.
The values that you need can all be gathered from the App Registration page for the API.
C# Code
You now need to configure the C# code. I have used Visual Studio to create a simple web API from the template using minimal API endpoints, based on the Microsoft WeatherForecast API.
You will also need to add the NuGet package “Microsoft.Identity.Web”.
In Program.cs you will need to add the following code:
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validate incoming bearer tokens against the tenant and client configured in the "AzureAd" section of appsettings.json
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAd");

builder.Services.AddAuthorization(options =>
{
    // The role name must match the app role's Value exactly; the comparison is case-sensitive
    options.AddPolicy("admin", policy => policy.RequireRole("admin"));
});

var app = builder.Build();

// Authentication must run before authorization, and the authorization middleware is what enforces RequireAuthorization() on endpoints
app.UseAuthentication();
app.UseAuthorization();

// Map your endpoints here, before app.Run()

app.Run();
To secure an endpoint you will need to do the following:
// Template types from the Visual Studio minimal API sample, included so the snippet compiles
var summaries = new[] { "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching" };

app.MapGet("/weatherforecast", () =>
{
    var forecast = Enumerable.Range(1, 5).Select(index =>
        new WeatherForecast
        (
            DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
            Random.Shared.Next(-20, 55),
            summaries[Random.Shared.Next(summaries.Length)]
        ))
        .ToArray();
    return forecast;
})
.RequireAuthorization("admin") // only a valid token carrying the admin app role gets a 200; anything else gets 401 or 403
.WithName("GetWeatherForecast")
.WithOpenApi();

record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
{
    public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
}
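The following is an added example and not code from the original post: a hardened variant of the Program.cs above that goes a little beyond it. It shows the shape of the "AzureAd" configuration section that AddMicrosoftIdentityWebApiAuthentication reads, sets a fallback policy so that an endpoint which forgets RequireAuthorization() is denied rather than silently public, explicitly opts a health endpoint out, and adds a "/me" endpoint that echoes the caller's own role claims for troubleshooting. It assumes the app role's Value is "admin"; the tenant and client identifiers shown are placeholders, and the "/health", "/me" and "/admin/report" routes are hypothetical names chosen for the example.

```csharp
// Added example, not the post's own code. Assumes the app role Value is "admin"
// and that appsettings.json contains an "AzureAd" section shaped like this
// (placeholders, not real identifiers):
//
//   "AzureAd": {
//     "Instance": "https://login.microsoftonline.com/",
//     "TenantId": "<your-tenant-id>",
//     "ClientId": "<api-app-registration-client-id>",
//     "Audience": "api://<api-app-registration-client-id>"
//   }
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validates the bearer token's signature, issuer, audience and lifetime
// against the tenant configured in the "AzureAd" section.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAd");

builder.Services.AddAuthorization(options =>
{
    // Role policy: the token's roles claim must contain the app role value (case-sensitive).
    options.AddPolicy("admin", policy => policy.RequireRole("admin"));

    // Deny by default: any endpoint without an explicit RequireAuthorization()
    // or AllowAnonymous() still needs an authenticated caller.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

// Authentication must run before authorization in the pipeline.
app.UseAuthentication();
app.UseAuthorization();

// Explicit opt-out for the one endpoint that should stay anonymous (hypothetical route).
app.MapGet("/health", () => Results.Ok("healthy")).AllowAnonymous();

// Covered by the fallback policy: any valid token from the tenant is enough.
// Useful when a 403 is unexpected: shows which role claims the API actually received.
app.MapGet("/me", (ClaimsPrincipal user) => new
{
    Name = user.Identity?.Name,
    Roles = user.Identities
        .SelectMany(identity => identity.FindAll(identity.RoleClaimType))
        .Select(claim => claim.Value)
        .ToArray()
}).RequireAuthorization();

// Requires the "admin" app role (hypothetical route).
app.MapGet("/admin/report", () => Results.Ok("admin-only data"))
   .RequireAuthorization("admin");

app.Run();
```

With the fallback policy in place, a request without a bearer token gets 401 on every route except "/health", a request with a valid token but without the app role gets 403 on "/admin/report", and "/me" lets you confirm whether the role assignment made in Enterprise Applications actually shows up in the token the API receives.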
It’s as simple as that!
If you run into any issues with this, please let me know and I may be able to help you out.
More Info
https://learn.microsoft.com/en-us/entra/identity-platform/scenario-protected-web-api-overview