Quickstart: Call an ASP.NET web API that is protected by the Microsoft identity platform
The following quickstart uses, uses a code sample that demonstrates how to protect an ASP.NET web API by restricting access to its resources to authorized accounts only. The sample supports authorization of accounts in any Microsoft Entra organization.
The article also uses a Windows Presentation Foundation (WPF) app to demonstrate how to request an access token to access a web API.
Prerequisites
- An Azure account with an active subscription. Create an account.
- Visual Studio 2022. Download Visual Studio for free.
Clone or download the sample
The code sample can be obtained in two ways:
Clone it from your shell or command line:
git clone https://github.com/AzureADQuickStarts/AppModelv2-NativeClient-DotNet.git
Tip
To avoid errors caused by path length limitations in Windows, we recommend extracting the archive or cloning the repository into a directory near the root of your drive.
Register the web API (TodoListService)
Tip
Steps in this article might vary slightly based on the portal you start from.
Register your web API in App registrations in the Azure portal.
Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
If you have access to multiple tenants, use the Settings icon in the top menu to switch to the tenant in which you want to register the application from the Directories + subscriptions menu.
Browse to Identity > Applications > App registrations and select New registration.
Enter a Name for your application, for example
AppModelv2-NativeClient-DotNet-TodoListService
. Users of your app might see this name, and you can change it later.For Supported account types, select Accounts in any organizational directory.
Select Register to create the application.
On the app Overview page, look for the Application (client) ID value, and then record it for later use. You'll need it to configure the Visual Studio configuration file for this project (that is,
ClientId
in the TodoListService\appsettings.json file).Under Manage, select Expose an API > Add a scope. Accept the proposed Application ID URI (
api://{clientId}
) by selecting Save and continue, and then enter the following information:- For Scope name, enter
access_as_user
. - For Who can consent, ensure that the Admins and users option is selected.
- In the Admin consent display name box, enter
Access TodoListService as a user
. - In the Admin consent description box, enter
Accesses the TodoListService web API as a user
. - In the User consent display name box, enter
Access TodoListService as a user
. - In the User consent description box, enter
Accesses the TodoListService web API as a user
. - For State, keep Enabled.
- For Scope name, enter
Select Add scope.
Configure the service project
Configure the service project to match the registered web API.
Open the solution in Visual Studio, and then open the appsettings.json file under the root of the TodoListService project.
Replace the value of the
Enter_the_Application_Id_here
by the Client ID (Application ID) value from the application you registered in the App registrations portal both in theClientID
and theAudience
properties.
Add the new scope to the app.config file
To add the new scope to the TodoListClient app.config file, follow these steps:
In the TodoListClient project root folder, open the app.config file.
Paste the Application ID from the application that you registered for your TodoListService project in the
TodoListServiceScope
parameter, replacing the{Enter the Application ID of your TodoListService from the app registration portal}
string.
Note
Make sure that the Application ID uses the following format: api://{TodoListService-Application-ID}/access_as_user
(where {TodoListService-Application-ID}
is the GUID representing the Application ID for your TodoListService app).
Register the web app (TodoListClient)
Register your TodoListClient app in App registrations in the Azure portal, and then configure the code in the TodoListClient project. If the client and server are considered the same application, you can reuse the application that's registered in step 2.
Register the app
To register the TodoListClient app, follow these steps:
Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
Browse to Identity > Applications > App registrations and select New registration.
Select New registration.
When the Register an application page opens, enter your application's registration information:
- In the Name section, enter a meaningful application name that will be displayed to users of the app (for example, NativeClient-DotNet-TodoListClient).
- For Supported account types, select Accounts in any organizational directory.
- Select Register to create the application.
Note
In the TodoListClient project app.config file, the default value of
ida:Tenant
is set tocommon
. The possible values are:organizations
: You can sign in by using a work or school account.
On the app Overview page, select Authentication, and then complete these steps to add a platform:
- Under Platform configurations, select the Add a platform button.
- For Mobile and desktop applications, select Mobile and desktop applications.
- For Redirect URIs, select the
https://login.partner.microsoftonline.cn/common/oauth2/nativeclient
check box. - Select Configure.
Select API permissions, and then complete these steps to add permissions:
- Select the Add a permission button.
- Select the My APIs tab.
- In the list of APIs, select AppModelv2-NativeClient-DotNet-TodoListService API or the name you entered for the web API.
- Select the access_as_user permission check box if it's not already selected. Use the Search box if necessary.
- Select the Add permissions button.
Configure your project
Configure your TodoListClient project by adding the Application ID to the app.config file.
In the App registrations portal, on the Overview page, copy the value of the Application (client) ID.
From the TodoListClient project root folder, open the app.config file, and then paste the Application ID value in the
ida:ClientId
parameter.
Run your projects
Start both projects. For Visual Studio users;
Right click on the Visual Studio solution and select Properties
In the Common Properties select Startup Project and then Multiple startup projects.
For both projects choose Start as the action
Ensure the TodoListService service starts first by moving it to the first position in the list, using the up arrow.
Sign in to run your TodoListClient project.
Press F5 to start the projects. The service page opens, as well as the desktop application.
In the TodoListClient, at the upper right, select Sign in, and then sign in with the same credentials you used to register your application, or sign in as a user in the same directory.
If you're signing in for the first time, you might be prompted to consent to the TodoListService web API.
To help you access the TodoListService web API and manipulate the To-Do list, the sign-in also requests an access token to the access_as_user scope.
Pre-authorize your client application
You can allow users from other directories to access your web API by pre-authorizing the client application to access your web API. You do this by adding the Application ID from the client app to the list of pre-authorized applications for your web API. By adding a pre-authorized client, you're allowing users to access your web API without having to provide consent.
- In the App registrations portal, open the properties of your TodoListService app.
- In the Expose an API section, under Authorized client applications, select Add a client application.
- In the Client ID box, paste the Application ID of the TodoListClient app.
- In the Authorized scopes section, select the scope for the
api://<Application ID>/access_as_user
web API. - Select Add application.
Run your project
- Press F5 to run your project. Your TodoListClient app opens.
- At the upper right, select Sign in, and then sign in by using a work or school account.
Optional: Limit sign-in access to certain users
By default, any work or school accounts from organizations that are integrated with Microsoft Entra ID can request tokens and access your web API.
To specify who can sign in to your application, by changing the TenantId
property in the appsettings.json file.
Help and support
If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.
Next steps
Learn more by building a protected ASP.NET Core web api in the following tutorial series: