🎯 Objective

Understand how Azure AD authentication works between a UI application and a backend Web API.

🧠 Core Architecture

A typical web system has two logical applications:

Important concept:

• Users never call APIs directly

• Users interact with the UI

• UI calls APIs on behalf of the user

🔐 Authentication Flow

1. User opens the website.

2. Website redirects the user to Microsoft Entra ID (Azure AD) login.

3. User enters credentials.

4. Azure AD authenticates the user.

5. Azure AD returns a token to the UI app.

6. UI sends that token when calling the API.

7. API validates the token before responding.

🏢 Tenant Concept

A Tenant represents an organization.

Example:

Tenant
 ├── Users
 │   ├── Neil
 │   └── Steve
 │
 └── Applications
     ├── UI App
     └── Backend API

Key points:

• Users exist at tenant level

• Applications also exist inside tenant

🧾 App Registrations

Two app registrations are required.

📡 Exposing APIs

Backend App → Expose an API

This allows other apps to call it.

Example scope:

scope.any

✅ Conditions for API Call

For a successful API call:

1️⃣ User must be authenticated

2️⃣ UI App must have permission to call API

Creating ASP.NET Core Web API with Azure AD

🎯 Objective

Create a Web API project with Azure AD authentication enabled.

🛠 Creating the Project

In Microsoft Visual Studio:

1. Create New Project

2. Select ASP.NET Core Web API

3. Project name:

DemoApiAuthenticationUsingAzureAD

1. Uncheck HTTPS (for demo)

2. Authentication Type:

Microsoft Identity Platform

This automatically configures Azure AD support.

📂 Important Files

Controller

[Authorize]
public class WeatherForecastController : ControllerBase
{
}

Meaning:

• All endpoints require authentication.

Program.cs

builder.Services
    .AddAuthentication()
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

This configures Azure AD authentication.

appsettings.json

"AzureAd": {
  "TenantId": "",
  "ClientId": "",
  "Scopes": ""
}

These values come from Azure Portal.

⚠️ First Run Result

API returns:

401 Unauthorized

Because Azure AD is not configured yet.

🔧 Temporary Fix

Disable authentication for testing:

[AllowAnonymous]

Now API works.

Testing in Postman

Endpoint example:

GET /weather/getWeatherData

Result:

200 OK

Implementing Azure AD Authentication

🎯 Objective

Configure Azure AD authentication for Web API.

Step 1 — Backend App Registration

In Microsoft Azure Portal

Navigate:

Microsoft Entra ID
 → App Registrations
 → New Registration

Create:

My Backend App

Expose API

Open:

Expose an API

Add:

Application ID URI

Example:

api://backend-api-id

Create Scope

Example:

scope.any

Purpose:

Defines permission to access API.

Step 2 — Frontend App Registration

Create another app:

My UI App

Platform:

Single Page Application

Add Redirect URI (Postman / frontend).

Add API Permissions

Navigate:

API Permissions
 → Add Permission
 → My APIs

Select:

My Backend App

Add permission:

scope.any

Enable Tokens

Under Authentication enable:

Access Tokens
ID Tokens

Step 3 — Configure Web API

In appsettings.json

"AzureAd": {
 "TenantId": "your-tenant-id",
 "ClientId": "backend-app-client-id",
 "Scopes": "scope.any"
}

Important:

Use Backend App ClientId, not UI app.

Service to Service Authentication (S2S)

🎯 Objective

Allow one service to call another service securely.

Example:

HRApp → FinanceApp API

Backend API

FinanceApp

Example endpoint:

/financeapp/getbunetprofit

Controller:

[Authorize]
[Route("financeapp/getbunetprofit")]
public string GetProfit()
{
 return "Net profit of BU is 1.4 million";
}

App Roles for S2S Authentication

Create App Role

In FinanceApp:

App roles
 → Create role

Example:

appro.read

Allowed member type:

Application

Meaning:

Only apps, not users.

HRApp Permissions

In HRApp:

API Permissions
 → Add Permission
 → FinanceApp
 → appro.read

Grant Admin Consent.

Protect API with Role

Controller:

[Authorize(Roles="appro.read")]

Only apps with this role can access.

Generating JWT Token (Client Credentials)

🎯 Objective

Generate JWT token for service-to-service API calls.

Required Fields

Flow

HRApp → Azure AD → JWT Token → FinanceApp API

Steps:

1. HRApp requests token.

2. Azure AD validates credentials.

3. Azure AD issues JWT token.

4. HRApp sends token to FinanceApp API.

Calling API from Postman

Step 1 — Verify API Requires Token

Request:

GET /financeapp/getbunetprofit

Response:

401 Unauthorized

Step 2 — Configure OAuth2

In Postman

Authorization type:

OAuth 2.0

Grant Type:

Client Credentials

Required values:

Step 3 — Call API

Add token as:

Authorization: Bearer <token>

Response:

200 OK

Understanding Tenant and App Registration

What is a Tenant

A tenant represents an organization in Azure.

Example:

Tenant: ABC Technologies

Inside tenant:

Users
Applications
Permissions
Policies

Users in Tenant

Examples:

neil.david@abcd.com
mark.phillips@abcd.com

You can also add guest users.

App Registration Purpose

App registration allows applications to interact with Azure AD.

Example use cases:

• Authentication

• Access APIs

• Read tenant users

Important Credentials

App registration generates:

Client ID
Client Secret

These are used by applications to authenticate with Azure AD.