azure-ad-multi-tenant-api-config.md

Azure AD Multi-Tenant Registration for .NET Core Web API (msal-dotnet-mt-api)

App Registration

1. Navigate to Azure Portal > Azure Active Directory > App Registrations > New registration.
   • Name: msal-dotnet-mt-api
   • Supported account types: Accounts in any organizational directory.
   • Note down the Application (client) ID for later use.

API Permissions (Delegated)

1. Add a delegated permission for User.Read from Microsoft Graph.

Expose an API

1. Set Application ID URI: api://{clientId}
2. Add Scopes with Consent for Admins and Users:
   • TodoList.Read: Admins and users can consent.
   • TodoList.ReadWrite: Admins and users can consent.

Manifest Updates

1. Navigate to the Manifest blade and set accessTokenAcceptedVersion to 2.

App Roles

1. Add App Roles:
   • TodoList.Read.All (Application)
   • TodoList.ReadWrite.All (Application)

Optional Claims

1. Add optional claims to the token configuration:
   • idtyp: Token type.
   • acct: User's account status in tenant.

Update .NET Core API Config

1. Open API\TodoListAPI\appsettings.json.
   • Replace the clientId placeholder with the actual Application ID.

Configure Known Client Applications

1. Navigate to the Manifest blade of your msal-dotnet-mt-api app registration.
2. Add the Client ID of your client application (msal-angular-mt-spa) to knownClientApplications in the manifest.
   • Example: "knownClientApplications": ["ca8dca8d-f828-4f08-82f5-325e1a1c6428"]

AzureAd config in WebApi

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "organizations",
    "ClientId": "6c9a2929-97ac-4a59-ae4e-2d383d6de57f",
    "Scopes": {
      "Read": ["TodoList.Read", "TodoList.ReadWrite"],
      "Write": ["TodoList.ReadWrite"]
    },
    "AppPermissions": {
      "Read": ["TodoList.Read.All", "TodoList.ReadWrite.All"],
      "Write": ["TodoList.ReadWrite.All"]
    }
  },