Intro

Using Azure Active Directory for authentication is super simple in .NET Core 3.1. There’s a couple of things that need to be just right, and then it “just works.” This guide assumes that you’re already familiar with ASP.NET Core 3.1 and how those projects are structured. GitHub repo for this guide is here: https://github.com/cooperaustinj/azure-auth-demo

Set up Azure Active Directory in the Azure Portal

First, create a new directory:





Next, you can set up a test user under the Users section. Once you’re happy with that, go to App registrations





When creating the new app registration, make sure to add a Redirect URI of http://localhost:5000/signin-oidc .





Under Overview in the app, note down your Client ID and Tenant ID. Then, go to Authentication and check the two boxes under Implicit Grant. You can also add a logout URL if you’re using HTTPS:

Integrate Azure Active Directory with ASP.NET Core 3.1

I’m using a new blank project created from dotnet new web . The following steps should work for an existing project as well.

First we need to add a package for Azure AD, so run:

dotnet add package Microsoft.AspNetCore.Authentication.AzureAD.UI .

Next, add the following to Startup.cs to register Azure Active Directory as an authentication provider and register controllers. Take careful note of the comments specifying the order we need to make calls on the application builder.

// Startup.cs public void ConfigureServices(IServiceCollection services) { var config = new ConfigurationBuilder() .SetBasePath(Directory.GetCurrentDirectory()) .AddJsonFile("appsettings.json", false) .Build(); services.AddAuthentication(AzureADDefaults.AuthenticationScheme) .AddAzureAD(options => config.Bind("AzureAd", options)); services.AddControllers(); } public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } app.UseRouting(); // UseRouting must come before UseAuthentication app.UseAuthentication(); // UseAuthentication must come before UseAuthorization app.UseAuthorization(); app.UseEndpoints(endpoints => // UseEndpoints must come after UseAuthentication and UseAuthorization { endpoints.MapControllers(); }); }

We need to give our application the Tenant ID and Client ID from our app registration, so add the following to your appsettings.json (careful not to check this into source control with your IDs):

"AzureAd": { "Instance": "https://login.microsoftonline.com", "Domain": "demo283814.onmicrosoft.com", "TenantId": "<tenant id>", "ClientId": "<client id>", "CallbackPath": "/signin-oidc" }

Wrapping up

That’s it! You can now put [Authorize] attributes on your controllers and/or actions to require the user be logged in to visit them. You can even use Security Groups to only allow certain users access to endpoints, but that’s outside the scope of this guide. Here’s an example of a controller using the [Authorize] attribute. If the user tries to go to /secret without being logged in, they will be redirected to a Microsoft login screen. After logging in, they’ll be redirected to the secret page.