Add External ID config to Entra samples

10.0/BlazorWebAppEntra/BlazorWebAppEntra/Program.cs

@@ -23,6 +23,7 @@
     .AddInteractiveWebAssemblyComponents()
     .AddAuthenticationStateSerialization(options => options.SerializeAllClaims = true);
 
+// Configure authentication to use Microsoft Entra ID
 builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
     .AddMicrosoftIdentityWebApp(msIdentityOptions =>
     {
@@ -41,6 +42,30 @@
     })
     .AddDistributedTokenCaches();
 
+// Configure authentication to use Microsoft Entra External ID
+//
+// Instead of the preceding configuration for Microsoft Entra ID, use the
+// following configuration for Microsoft Entra External ID. Comment out or
+// remove the preceding 'AddAuthentication' configuration if you activate 
+// the following code.
+/*
+builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+    .AddMicrosoftIdentityWebApp(msIdentityOptions =>
+    {
+        msIdentityOptions.CallbackPath = "/signin-oidc";
+        msIdentityOptions.Authority = "https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0";
+        msIdentityOptions.ClientId = "{CLIENT ID (BLAZOR APP)}";
+        msIdentityOptions.ResponseType = "code";
+    })
+    .EnableTokenAcquisitionToCallDownstreamApi()
+    .AddDownstreamApi("DownstreamApi", configOptions =>
+    {
+        configOptions.BaseUrl = "{BASE URL}";
+        configOptions.Scopes = ["{APP ID URI}/Weather.Get"];
+    })
+    .AddDistributedTokenCaches();
+*/
+
 builder.Services.AddDistributedMemoryCache();
 
 builder.Services.Configure<MsalDistributedTokenCacheAdapterOptions>(

10.0/BlazorWebAppEntra/MinimalApiJwt/Program.cs

@@ -10,16 +10,18 @@
         //
         // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
         // The following should match just the path of the Application ID URI configured when adding the "Weather.Get" scope
         // under "Expose an API" in the Azure or Entra portal. {CLIENT ID} is the application (client) ID of this 
         // app's registration in the Azure portal.
         // 
-        // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)
+        // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
         // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";

10.0/BlazorWebAppEntraBff/BlazorWebAppEntra/Program.cs

@@ -13,10 +13,11 @@
 
 var builder = WebApplication.CreateBuilder(args);
 
+// Add services to the container.
 // Add service defaults & Aspire components.
 builder.AddServiceDefaults();
 
-// Add services to the container.
+// Configure authentication to use Microsoft Entra ID
 builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
     .AddMicrosoftIdentityWebApp(msIdentityOptions =>
     {
@@ -35,6 +36,30 @@
     })
     .AddDistributedTokenCaches();
 
+// Configure authentication to use Microsoft Entra External ID
+//
+// Instead of the preceding configuration for Microsoft Entra ID, use the
+// following configuration for Microsoft Entra External ID. Comment out or
+// remove the preceding 'AddAuthentication' configuration if you activate 
+// the following code.
+/*
+builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+    .AddMicrosoftIdentityWebApp(msIdentityOptions =>
+    {
+        msIdentityOptions.CallbackPath = "/signin-oidc";
+        msIdentityOptions.Authority = "https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0";
+        msIdentityOptions.ClientId = "{CLIENT ID (BLAZOR APP)}";
+        msIdentityOptions.ResponseType = "code";
+    })
+    .EnableTokenAcquisitionToCallDownstreamApi()
+    .AddDownstreamApi("DownstreamApi", configOptions =>
+    {
+        configOptions.BaseUrl = "{BASE URL}";
+        configOptions.Scopes = ["{APP ID URI}/Weather.Get"];
+    })
+    .AddDistributedTokenCaches();
+*/
+
 builder.Services.AddDistributedMemoryCache();
 
 builder.Services.Configure<MsalDistributedTokenCacheAdapterOptions>(

10.0/BlazorWebAppEntraBff/MinimalApiJwt/Program.cs

@@ -8,10 +8,11 @@
     {
         // {TENANT ID} in the following examples is the directory (tenant) ID.
         //
-        // Authority format '{AUTHORITY}' matches the issurer (`iss`) of the JWT returned by the identity provider.
+        // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format '{AUTHORITY}' for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format '{AUTHORITY}' for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
 
@@ -20,8 +21,9 @@
         // under "Expose an API" in the Azure or Entra portal. {CLIENT ID} is the application (client) ID of this 
         // app's registration in the Azure portal.
         // 
-        // Audience format '{AUDIENCE}' for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
-        // Audience format '{AUDIENCE}' for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";
     });

10.0/BlazorWebAppOidc/MinimalApiJwt/Program.cs

@@ -7,8 +7,9 @@
         //
         // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
@@ -17,6 +18,7 @@
         // app's registration in the Azure portal.
         // 
         // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
         // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";

8.0/BlazorWebAppOidc/MinimalApiJwt/Program.cs

@@ -7,8 +7,9 @@
         //
         // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
@@ -17,6 +18,7 @@
         // app's registration in the Azure portal.
         // 
         // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
         // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";

8.0/BlazorWebAppOidcBff/MinimalApiJwt/Program.cs

@@ -10,8 +10,9 @@
         //
         // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
@@ -20,6 +21,7 @@
         // app's registration in the Azure portal.
         // 
         // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
         // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";

8.0/BlazorWebAppOidcServer/MinimalApiJwt/Program.cs

@@ -7,8 +7,9 @@
         //
         // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
@@ -17,6 +18,7 @@
         // app's registration in the Azure portal.
         // 
         // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
         // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";

9.0/BlazorWebAppEntra/MinimalApiJwt/Program.cs

@@ -7,8 +7,9 @@
         //
         // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
@@ -17,6 +18,7 @@
         // app's registration in the Azure portal.
         // 
         // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
         // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";

9.0/BlazorWebAppEntraBff/MinimalApiJwt/Program.cs

@@ -8,19 +8,21 @@
     {
         // {TENANT ID} in the following examples is the directory (tenant) ID.
         //
-        // Authority format '{AUTHORITY}' matches the issurer (`iss`) of the JWT returned by the identity provider.
+        // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format '{AUTHORITY}' for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format '{AUTHORITY}' for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
         // The following should match just the path of the Application ID URI configured when adding the "Weather.Get" scope
         // under "Expose an API" in the Azure or Entra portal. {CLIENT ID} is the application (client) ID of this 
         // app's registration in the Azure portal.
         // 
-        // Audience format '{AUDIENCE}' for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
-        // Audience format '{AUDIENCE}' for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";
     });

9.0/BlazorWebAppOidc/MinimalApiJwt/Program.cs

@@ -7,8 +7,9 @@
         //
         // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
@@ -17,6 +18,7 @@
         // app's registration in the Azure portal.
         // 
         // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
         // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";

9.0/BlazorWebAppOidcBff/MinimalApiJwt/Program.cs

@@ -10,8 +10,9 @@
         //
         // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
@@ -20,6 +21,7 @@
         // app's registration in the Azure portal.
         // 
         // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
         // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";

9.0/BlazorWebAppOidcServer/MinimalApiJwt/Program.cs

@@ -7,8 +7,9 @@
         //
         // Authority format {AUTHORITY} matches the issurer (`iss`) of the JWT returned by the identity provider.
         //
-        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}/
-        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0/
+        // Authority format {AUTHORITY} for ME-ID tenant type: https://sts.windows.net/{TENANT ID}
+        // Authority format {AUTHORITY} for ME External ID tenant type: https://{DIRECTORY NAME}.ciamlogin.com/{TENANT ID}/v2.0
+        // Authority format {AUTHORITY} for B2C tenant type: https://login.microsoftonline.com/{TENANT ID}/v2.0
         //
         jwtOptions.Authority = "{AUTHORITY}";
         //
@@ -17,6 +18,7 @@
         // app's registration in the Azure portal.
         // 
         // Audience format {AUDIENCE} for ME-ID tenant type: api://{CLIENT ID (WEB API APP)}
+        // Audience format {AUDIENCE} for ME External ID tenant type: {CLIENT ID (WEB API APP)}
         // Audience format {AUDIENCE} for B2C tenant type: https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID (WEB API APP)}
         //
         jwtOptions.Audience = "{AUDIENCE}";