Azure AD

Integration Guide

Step 1: Installing the package

Install the PrimusSaaS.Identity.Validator package via NuGet:

dotnet add package PrimusSaaS.Identity.Validator

Step 2: Configuring Program.cs and Middlewares

Register the Primus Identity services and middleware in your Program.cs:

using PrimusSaaS.Identity.Validator;

var builder = WebApplication.CreateBuilder(args);

// Add Primus Identity Validator
builder.Services.AddPrimusIdentity(opts =>
    builder.Configuration.GetSection("PrimusIdentity").Bind(opts));

builder.Services.AddControllers();
builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();

Step 3: Configuring App Settings

Configure the Azure AD provider in your appsettings.json:

{
  "PrimusIdentity": {
    "Issuers": [
      {
        "Name": "AzureAD",
        "Type": "AzureAd",
        "Authority": "https://login.microsoftonline.com/YOUR-TENANT-ID/v2.0",
        "Issuer": "https://login.microsoftonline.com/YOUR-TENANT-ID/v2.0",
        "Audiences": [ "api://your-client-id" ]
      }
    ]
  }
}

How to get configuration values and token

1. Azure AD Setup (Portal)

  1. Register an Application:
    • In the Azure Portal, go to Microsoft Entra ID > App registrations > New registration.
    • Register your API application.
    • Tenant ID: Found on the Overview page (Directory (tenant) ID). Use this for YOUR-TENANT-ID.
  2. Expose an API:
    • Select Expose an API from the sidebar.
    • Click Set next to Application ID URI.
    • The value (e.g., api://<client-id>) is your Audiences value.
  3. Create a Client Secret:
    • Select Certificates & secrets from the sidebar.
    • Click New client secret, add a description, and click Add.
    • Copy the Value immediately.
  4. Create Service Principal (Required for Client Credentials flow):
    • Using Azure CLI:
    az ad sp create --id <YOUR_CLIENT_ID>
    • This creates the service principal that allows your app to authenticate.

2. Get Access Token

Run the following command to obtain a token using the Client Credentials flow.

curl -X POST https://login.microsoftonline.com/<YOUR_TENANT_ID>/oauth2/v2.0/token \
-d client_id=<YOUR_CLIENT_ID> \
-d client_secret=<YOUR_CLIENT_SECRET> \
-d scope=api://<YOUR_CLIENT_ID>/.default \
-d grant_type=client_credentials

Troubleshooting

Error: AADSTS7000229

"The client application is not in the list of the service principal"

Solution: Create the service principal using:

az ad sp create --id <YOUR_CLIENT_ID>

Error: AADSTS700016

"Application with identifier was not found"

Solution: Ensure you're using the correct Tenant ID and Client ID from the App Registration.

Step 4: Configuring Endpoint

Create a protected endpoint to test the authentication.

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
[ApiController]
public class AzureAdController : ControllerBase // class name is illustrative; the route comes from [HttpGet]
{
    [HttpGet("azuread")]
    [Authorize] // requests without a valid bearer token are rejected with 401
    public IActionResult Get()
    {
        return Ok(new { validated = true });
    }
}

Step 5: Testing the Endpoint

To test the endpoint, use the token obtained in Step 3 with the following command:

curl -k -X GET "https://localhost:5001/azuread" \
-H "Authorization: Bearer <ACCESS_TOKEN>"
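If the Step 5 request comes back 401 even though Step 3 returned a token, a quick offline check is whether the token's iss and aud claims match the Issuer and Audiences entries in your PrimusIdentity configuration. The script below is an added example, not part of this guide or the PrimusSaaS package; the tenant and client ids in it are constructed placeholders, and it decodes the token without verifying its signature (the validator middleware does that).

```python
import base64
import json

# Constructed "PrimusIdentity" section mirroring appsettings.json (placeholder ids, not real ones).
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SETTINGS = {"PrimusIdentity": {"Issuers": [{
    "Name": "AzureAD", "Type": "AzureAd",
    "Authority": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "Issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "Audiences": [f"api://{CLIENT}"],
}]}}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT. The signature is NOT verified here: that is the
    validator middleware's job. This only reads what the token says about itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def config_mismatches(token: str, settings: dict) -> list[str]:
    """Compare the token's iss/aud with each configured issuer entry. Returns [] when
    some entry accepts both, otherwise why each entry would reject the token."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    reasons = []
    for entry in settings["PrimusIdentity"]["Issuers"]:
        found = []
        if claims.get("iss") != entry["Issuer"]:
            # A v1.0-format token (iss https://sts.windows.net/<tenant>/) lands here.
            found.append(f'{entry["Name"]}: iss {claims.get("iss")!r} != {entry["Issuer"]!r}')
        if not any(a in entry["Audiences"] for a in auds):
            found.append(f'{entry["Name"]}: aud {auds!r} not in {entry["Audiences"]!r}')
        if not found:
            return []
        reasons.extend(found)
    return reasons


def sample_token(claims: dict) -> str:
    """Constructed test token: RS256 header, the given claims, placeholder signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.c2ln'
```

Run config_mismatches with the real token from Step 3 and your own PrimusIdentity section; an iss of the form https://sts.windows.net/<tenant>/ means the app registration is issuing v1.0-format tokens while the configuration expects the v2.0 issuer.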