Azure AD Web API Authentication (Concepts)

---

🎯 Objective

Understand how Azure AD authentication works between a UI application and a backend Web API.

---

🧠 Core Architecture

A typical web system has two logical applications:

Component	Role
Frontend (UI App)	React / Angular / Web UI
Backend (API App)	ASP.NET Core Web API

Important concept:

• Users never call APIs directly

• Users interact with the UI

• UI calls APIs on behalf of the user

---

🔐 Authentication Flow

1. User opens the website.

2. Website redirects the user to Microsoft Entra ID (Azure AD) login.

3. User enters credentials.

4. Azure AD authenticates the user.

5. Azure AD returns a token to the UI app.

6. UI sends that token when calling the API.

7. API validates the token before responding.

---

🏢 Tenant Concept

A Tenant represents an organization.

Example:

Tenant
 ├── Users
 │   ├── Neil
 │   └── Steve
 │
 └── Applications
     ├── UI App
     └── Backend API

Key points:

• Users exist at tenant level

• Applications also exist inside tenant

---

🧾 App Registrations

Two app registrations are required.

App	Purpose
UI App	Frontend application
Backend App	Web API

---

📡 Exposing APIs

Backend App → Expose an API

This allows other apps to call it.

Example scope:

scope.any

---

✅ Conditions for API Call

For a successful API call:

1️⃣ User must be authenticated

2️⃣ UI App must have permission to call API

---

Creating ASP.NET Core Web API with Azure AD

🎯 Objective

Create a Web API project with Azure AD authentication enabled.

---

🛠 Creating the Project

In Microsoft Visual Studio:

1. Create New Project

2. Select ASP.NET Core Web API

3. Project name:

DemoApiAuthenticationUsingAzureAD

1. Uncheck HTTPS (for demo)

2. Authentication Type:

Microsoft Identity Platform

This automatically configures Azure AD support.

---

📂 Important Files

Controller

[Authorize]
public class WeatherForecastController : ControllerBase
{
}

Meaning:

• All endpoints require authentication.

---

Program.cs

builder.Services
    .AddAuthentication()
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

This configures Azure AD authentication.

---

appsettings.json

"AzureAd": {
  "TenantId": "",
  "ClientId": "",
  "Scopes": ""
}

These values come from Azure Portal.

---

⚠️ First Run Result

API returns:

401 Unauthorized

Because Azure AD is not configured yet.

---

🔧 Temporary Fix

Disable authentication for testing:

[AllowAnonymous]

Now API works.

---

Testing in Postman

Endpoint example:

GET /weather/getWeatherData

Result:

200 OK

---

Implementing Azure AD Authentication

🎯 Objective

Configure Azure AD authentication for Web API.

---

Step 1 — Backend App Registration

In Microsoft Azure Portal

Navigate:

Microsoft Entra ID
 → App Registrations
 → New Registration

Create:

My Backend App

---

Expose API

Open:

Expose an API

Add:

Application ID URI

Example:

api://backend-api-id

---

Create Scope

Example:

scope.any

Purpose:

Defines permission to access API.

---

Step 2 — Frontend App Registration

Create another app:

My UI App

Platform:

Single Page Application

Add Redirect URI (Postman / frontend).

---

Add API Permissions

Navigate:

API Permissions
 → Add Permission
 → My APIs

Select:

My Backend App

Add permission:

scope.any

---

Enable Tokens

Under Authentication enable:

Access Tokens
ID Tokens

---

Step 3 — Configure Web API

In appsettings.json

"AzureAd": {
 "TenantId": "your-tenant-id",
 "ClientId": "backend-app-client-id",
 "Scopes": "scope.any"
}

Important:

Use Backend App ClientId, not UI app.

---

Service to Service Authentication (S2S)

🎯 Objective

Allow one service to call another service securely.

Example:

HRApp → FinanceApp API

---

Backend API

FinanceApp

Example endpoint:

/financeapp/getbunetprofit

Controller:

[Authorize]
[Route("financeapp/getbunetprofit")]
public string GetProfit()
{
 return "Net profit of BU is 1.4 million";
}

---

App Roles for S2S Authentication

Create App Role

In FinanceApp:

App roles
 → Create role

Example:

appro.read

Allowed member type:

Application

Meaning:

Only apps, not users.

---

HRApp Permissions

In HRApp:

API Permissions
 → Add Permission
 → FinanceApp
 → appro.read

Grant Admin Consent.

---

Protect API with Role

Controller:

[Authorize(Roles="appro.read")]

Only apps with this role can access.

---

Generating JWT Token (Client Credentials)

🎯 Objective

Generate JWT token for service-to-service API calls.

---

Required Fields

Field	Description
Client ID	HRApp client ID
Client Secret	HRApp secret
Resource	FinanceApp API
Grant Type	client_credentials

---

Flow

HRApp → Azure AD → JWT Token → FinanceApp API

Steps:

1. HRApp requests token.

2. Azure AD validates credentials.

3. Azure AD issues JWT token.

4. HRApp sends token to FinanceApp API.

---

Calling API from Postman

Step 1 — Verify API Requires Token

Request:

GET /financeapp/getbunetprofit

Response:

401 Unauthorized

---

Step 2 — Configure OAuth2

In Postman

Authorization type:

OAuth 2.0

Grant Type:

Client Credentials

Required values:

Field	Value
Token URL	Azure AD token endpoint
Client ID	HRApp
Client Secret	HRApp secret
Resource	FinanceApp API

---

Step 3 — Call API

Add token as:

Authorization: Bearer <token>

Response:

200 OK

---

Understanding Tenant and App Registration

What is a Tenant

A tenant represents an organization in Azure.

Example:

Tenant: ABC Technologies

Inside tenant:

Users
Applications
Permissions
Policies

---

Users in Tenant

Examples:

neil.david@abcd.com
mark.phillips@abcd.com

You can also add guest users.

---

App Registration Purpose

App registration allows applications to interact with Azure AD.

Example use cases:

• Authentication

• Access APIs

• Read tenant users

---

Important Credentials

App registration generates:

Client ID
Client Secret

These are used by applications to authenticate with Azure AD.

---