Authentication is one of those features many of us implement without fully understanding what's happening behind the scenes.
Most tutorials tell you to:
- Register an app
- Install a NuGet package
- Copy a few configuration values
- Run the application
It works, but why does it work?
Recently, I spent some time learning Microsoft Entra ID authentication from scratch and wanted to understand the complete flow instead of just copying code from the documentation.
Here's a simplified overview.
What is Microsoft Entra ID?
Microsoft Entra ID is Microsoft's cloud-based Identity and Access Management (IAM) service.
Instead of storing usernames and passwords in your application, you delegate authentication to Microsoft.
Your application never sees the user's password.
```text
User
│
▼
ASP.NET Core App
│
Redirect
▼
Microsoft Entra ID
│
Authenticate User
▼
Return Secure Tokens
```
OAuth 2.0 vs OpenID Connect
This was probably the biggest takeaway for me.
OAuth 2.0 is for authorization.
It answers:
What resources can this application access?
OpenID Connect (OIDC) is for authentication.
It answers:
Who is the authenticated user?
When using Microsoft Entra ID, you'll typically receive:
- ID Token → User identity
- Access Token → Call APIs such as Microsoft Graph
The Authentication Flow
Here's what actually happens after clicking Sign In.
```text
User
↓
ASP.NET Core
↓
Microsoft Entra ID
↓
User signs in
↓
Authorization Code
↓
ID Token + Access Token
↓
Authentication Cookie
↓
Authenticated User
```
The nice part is that Microsoft.Identity.Web handles most of this for you.
App Registration
Before your application can authenticate users, it must be registered in Microsoft Entra ID.
The important values you'll need are:
- Client ID
- Tenant ID
- Redirect URI
- Client Secret (for server-side applications)
These values are later used inside your appsettings.json.
ASP.NET Core Setup
Installing Microsoft Entra ID support is surprisingly simple.
```bash
dotnet add package Microsoft.Identity.Web
dotnet add package Microsoft.Identity.Web.UI
dotnet add package Microsoft.Identity.Web.DownstreamApi
```
Configure authentication.
```csharp
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(
        builder.Configuration.GetSection("AzureAd"));
```
Protect your controller.
```csharp
[Authorize]
public class HomeController : Controller
{
    public IActionResult Index()
    {
        return View();
    }
}
```
That's enough to redirect unauthenticated users to Microsoft Entra ID automatically.
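To show how the app registration values and the two setup snippets fit together, here is a complete Program.cs as an added example (it is not the post's own code and not from the Microsoft.Identity.Web project). It assumes an appsettings.json with an `AzureAd` section holding `Instance`, `TenantId`, `ClientId`, `ClientSecret` and `CallbackPath` from the app registration; the downstream API name `GraphApi` is a name chosen for this example.

```csharp
// Added example: full Program.cs for an ASP.NET Core MVC app that signs users in
// with Microsoft Entra ID and obtains an access token for Microsoft Graph.
// Assumption: appsettings.json has an "AzureAd" section with Instance, TenantId,
// ClientId, ClientSecret and CallbackPath (the values from the app registration).
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Delegated Graph scope requested for the signed-in user. User.Read only reads
// that user's own profile; ask for the minimum the app needs.
string[] graphScopes = { "User.Read" };

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    // OpenID Connect sign-in. CallbackPath must match the Redirect URI registered
    // in Entra ID (default /signin-oidc), otherwise sign-in fails with AADSTS50011.
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    // Redeem the authorization code for an access token covering graphScopes.
    .EnableTokenAcquisitionToCallDownstreamApi(graphScopes)
    // Named downstream API ("GraphApi" is an example name) used by IDownstreamApi.
    .AddDownstreamApi("GraphApi", options =>
    {
        options.BaseUrl = "https://graph.microsoft.com/v1.0";
        options.Scopes = graphScopes;
    })
    // Token cache. In-memory suits a single instance; use a distributed cache
    // when the app runs on more than one node.
    .AddInMemoryTokenCaches();

builder.Services.AddControllersWithViews(options =>
{
    // Deny by default: every action requires a signed-in user unless it opts out
    // with [AllowAnonymous]. This is safer than remembering [Authorize] per controller.
    var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});

// Adds the /MicrosoftIdentity/Account/SignIn and /SignOut endpoints.
builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
// Order matters: authentication before authorization, both after routing.
app.UseAuthentication();
app.UseAuthorization();

app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");
app.MapRazorPages();

app.Run();
```

Keep `ClientSecret` out of the committed appsettings.json; in development `dotnet user-secrets` can supply the `AzureAd:ClientSecret` key, and in production an environment variable or a secret store can populate the same configuration path.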
Calling Microsoft Graph
Once the user signs in, your application receives an Access Token.
You can use it to call Microsoft Graph and access resources such as:
- User profile
- Calendar
- Emails
- OneDrive
- Teams
The Microsoft.Identity.Web library automatically manages token acquisition and caching, which keeps the implementation clean.
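As an added example (not the post's own code), the controller below shows the split the OAuth 2.0 vs OpenID Connect section describes: user identity is read from ID token claims without any network call, while the Access Token is used, through `IDownstreamApi`, to call Microsoft Graph. It assumes a downstream API registered under the example name `GraphApi` with the `User.Read` scope, and the `GraphUser` class is a minimal shape of the Graph `/me` response written for this example.

```csharp
// Added example: controller that reads identity from the ID token and calls
// Microsoft Graph with the access token Microsoft.Identity.Web acquired.
// Assumption: a downstream API named "GraphApi" (example name) is registered
// with the User.Read scope.
using System.Text.Json.Serialization;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;

// Minimal shape of the Graph /me response; Graph returns more fields than this.
public sealed class GraphUser
{
    [JsonPropertyName("id")] public string? Id { get; set; }
    [JsonPropertyName("displayName")] public string? DisplayName { get; set; }
    [JsonPropertyName("userPrincipalName")] public string? UserPrincipalName { get; set; }
}

[Authorize]
public class HomeController : Controller
{
    private readonly IDownstreamApi _downstreamApi;

    public HomeController(IDownstreamApi downstreamApi) => _downstreamApi = downstreamApi;

    // Identity (the "who") comes from the ID token claims in the authentication
    // cookie. No call to Graph is needed for this.
    public IActionResult Index()
    {
        ViewData["DisplayName"] = User.GetDisplayName();
        ViewData["ObjectId"] = User.GetObjectId(); // stable user id within the tenant
        ViewData["TenantId"] = User.GetTenantId(); // tenant that issued the token
        return View();
    }

    // Resource access (the "what") uses the access token. If the cached token does
    // not cover User.Read (for example consent was never granted), this attribute
    // sends the user back through Entra ID to obtain it instead of failing.
    [AuthorizeForScopes(Scopes = new[] { "User.Read" })]
    public async Task<IActionResult> Profile()
    {
        GraphUser? me = await _downstreamApi.GetForUserAsync<GraphUser>(
            "GraphApi",
            options => options.RelativePath = "me");
        return View(me);
    }
}
```

Authorize against the `oid` and `tid` values rather than display name or e-mail when your own data must be tied to a user: names and addresses can change, the object id does not.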
Common Issues
The most common problems I ran into while learning were:
- Redirect URI mismatch (AADSTS50011)
- Invalid Client Secret
- Missing Microsoft Graph permissions
- Choosing Single Tenant instead of Multi Tenant
Most authentication issues came down to configuration rather than code.
Final Thoughts
Microsoft Entra ID seemed intimidating when I first started learning it, but after understanding the authentication flow, everything else became much easier.
Once you understand:
- OAuth 2.0
- OpenID Connect
- ID Tokens
- Access Tokens
- Authorization Code Flow
the configuration starts making much more sense.
Want the Full Walkthrough?
This post only covers the high level concepts.
I wrote a much more detailed guide on Medium where I explain:
- Complete authentication flow
- App Registration
- ASP.NET Core (.NET 9) implementation
- Microsoft.Identity.Web
- Microsoft Graph integration
- Common authentication errors
- Working code examples
👉 Read the full article on Medium: (https://medium.com/@gaurav110dev/the-complete-microsoft-entra-id-authentication-guide-for-asp-net-core-dd7064d24ea7?sharedUserId=gaurav110dev)