@HarshaSuranjith
Last active September 24, 2023 05:02

Azure AD Multi-Tenant Registration for .NET Core Web API (msal-dotnet-mt-api)

App Registration

  1. Navigate to Azure Portal > Azure Active Directory > App Registrations > New registration.
    • Name: msal-dotnet-mt-api
    • Supported account types: Accounts in any organizational directory.
    • Note down the Application (client) ID for later use.

API Permissions (Delegated)

  1. Add a delegated permission for User.Read from Microsoft Graph.

Expose an API

  1. Set Application ID URI: api://{clientId}
  2. Add Scopes with Consent for Admins and Users:
    • TodoList.Read: Admins and users can consent.
    • TodoList.ReadWrite: Admins and users can consent.

Manifest Updates

  1. Navigate to the Manifest blade and set accessTokenAcceptedVersion to 2.

App Roles

  1. Add App Roles:
    • TodoList.Read.All (Application)
    • TodoList.ReadWrite.All (Application)

Optional Claims

  1. Add optional claims to the token configuration:
    • idtyp: Token type.
    • acct: User's account status in tenant.

Update .NET Core API Config

  1. Open API\TodoListAPI\appsettings.json.
    • Replace the clientId placeholder with the actual Application ID.

Configure Known Client Applications

  1. Navigate to the Manifest blade of your msal-dotnet-mt-api app registration.
  2. Add the Client ID of your client application (msal-angular-mt-spa) to knownClientApplications in the manifest.
    • Example: "knownClientApplications": ["ca8dca8d-f828-4f08-82f5-325e1a1c6428"]

AzureAd config in WebApi

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "organizations",
    "ClientId": "6c9a2929-97ac-4a59-ae4e-2d383d6de57f",
    "Scopes": {
      "Read": ["TodoList.Read", "TodoList.ReadWrite"],
      "Write": ["TodoList.ReadWrite"]
    },
    "AppPermissions": {
      "Read": ["TodoList.Read.All", "TodoList.ReadWrite.All"],
      "Write": ["TodoList.ReadWrite.All"]
    }
  }
}
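As an added example that is not part of the gist, the following C# shows the authorization decision the Scopes and AppPermissions groups above describe: a delegated token must carry an accepted scp value, while an app-only token (idtyp = app) must carry an accepted app role and is never authorized by scope. The decoded payload is modelled as a flat claim dictionary and the sample payloads are constructed; roles is written as a space-separated string here although a real token carries it as a JSON array.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class TodoListAuthorization
{
    // Mirrors AzureAd:Scopes and AzureAd:AppPermissions from the appsettings.json above.
    public static readonly string[] ReadScopes = { "TodoList.Read", "TodoList.ReadWrite" };
    public static readonly string[] ReadAppRoles = { "TodoList.Read.All", "TodoList.ReadWrite.All" };
    public static readonly string[] WriteScopes = { "TodoList.ReadWrite" };
    public static readonly string[] WriteAppRoles = { "TodoList.ReadWrite.All" };
    // Decides access from the decoded token payload (claim name -> value).
    public static bool IsAuthorized(IDictionary<string, string> claims,
                                    string[] acceptedScopes, string[] acceptedAppRoles)
    {
        // With accessTokenAcceptedVersion = 2, delegated permissions arrive in "scp" and
        // application permissions in "roles"; idtyp is "app" for an app-only token.
        bool isAppOnly = claims.TryGetValue("idtyp", out var idtyp) && idtyp == "app";
        string[] scopes = SplitClaim(claims, "scp");
        string[] roles = SplitClaim(claims, "roles");
        // App-only token: authorized by app role only. It carries no scp, so one that
        // does is treated as malformed and refused.
        if (isAppOnly)
            return scopes.Length == 0 && roles.Intersect(acceptedAppRoles).Any();

        // Delegated token: the signed-in user must have consented to an accepted scope.
        // A token with neither claim fails both paths, so the default is deny.
        return scopes.Intersect(acceptedScopes).Any();
    }
    // Space-separated claim values (sample convention: a real token carries "roles" as a
    // JSON array, while "scp" really is space-separated).
    private static string[] SplitClaim(IDictionary<string, string> claims, string name) =>
        claims.TryGetValue(name, out var value)
            ? value.Split(' ', StringSplitOptions.RemoveEmptyEntries)
            : Array.Empty<string>();

    public static void Main()
    {
        // Constructed sample payloads, not real tokens.
        var delegatedRead = new Dictionary<string, string> { ["ver"] = "2.0", ["scp"] = "TodoList.Read" };
        var appOnlyRead = new Dictionary<string, string> { ["ver"] = "2.0", ["idtyp"] = "app", ["roles"] = "TodoList.Read.All" };
        var noPermission = new Dictionary<string, string> { ["ver"] = "2.0" };
        Console.WriteLine($"delegated read  : {IsAuthorized(delegatedRead, ReadScopes, ReadAppRoles)}");
        Console.WriteLine($"delegated write : {IsAuthorized(delegatedRead, WriteScopes, WriteAppRoles)}");
        Console.WriteLine($"app-only read   : {IsAuthorized(appOnlyRead, ReadScopes, ReadAppRoles)}");
        Console.WriteLine($"app-only write  : {IsAuthorized(appOnlyRead, WriteScopes, WriteAppRoles)}");
        Console.WriteLine($"no permission   : {IsAuthorized(noPermission, ReadScopes, ReadAppRoles)}");
    }
}
```

In the real API the same decision is made against the validated ClaimsPrincipal rather than a dictionary, but the split between scp for delegated calls and roles for app-only calls is the point to preserve.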