You need to install the Microsoft.AspNetCore.Authentication.MicrosoftAccount NuGet package. There are two ways to install it:

- Use your favorite IDE and open the NuGet Package Manager to search for and install the package.
- Use the command line to install the package.
Entra ID Authentication for Users
Create a class called BackofficeAuthenticationExtensions in a file named BackofficeAuthenticationExtensions.cs to configure the external login. The `Umbraco.Cms.Core.DependencyInjection` and `Umbraco.Extensions` usings are needed for `IUmbracoBuilder` and the `AddBackOfficeExternalLogins` extension method:

```csharp
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;

namespace MyApp
{
    public static class BackofficeAuthenticationExtensions
    {
        public static IUmbracoBuilder ConfigureAuthentication(this IUmbracoBuilder builder)
        {
            builder.AddBackOfficeExternalLogins(logins =>
            {
                const string schema = MicrosoftAccountDefaults.AuthenticationScheme;

                logins.AddBackOfficeLogin(
                    backOfficeAuthenticationBuilder =>
                    {
                        backOfficeAuthenticationBuilder.AddMicrosoftAccount(
                            // The scheme must be set with this method to work for the back office
                            backOfficeAuthenticationBuilder.SchemeForBackOffice(schema) ?? string.Empty,
                            options =>
                            {
                                // By default this is '/signin-microsoft' but it needs to be changed to this
                                options.CallbackPath = "/umbraco-signin-microsoft/";
                                // Obtained from the ENTRA ID B2C WEB APP
                                options.ClientId = "{your_client_id}";
                                // Obtained from the ENTRA ID B2C WEB APP
                                options.ClientSecret = "{your_client_secret}";
                                // Only needed for a single-tenant app registration (see below)
                                //options.TokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
                                //options.AuthorizationEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize";
                            });
                    });
            });

            return builder;
        }
    }
}
```
Make sure to replace {your_client_id} and {your_client_secret} in the code with the values from the Entra ID tenant. If Entra ID is configured to use accounts in the organizational directory only (single tenant), you also have to set `TokenEndpoint` and `AuthorizationEndpoint` (the commented-out lines in the code above), replacing {tenantId} with the ID of your tenant.

Update the ConfigureServices method in the Startup.cs file:
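As an added example (not part of the documentation above and not Umbraco's own code), the same back-office registration with the client ID, client secret and tenant ID read from configuration instead of being hard-coded, so the secret can live in user secrets, an environment variable or a key vault rather than in source control. When a tenant ID is configured, the single-tenant token and authorization endpoints from the snippet above are set; otherwise the handler's default endpoints are kept. The configuration keys `EntraId:Backoffice:ClientId`, `EntraId:Backoffice:ClientSecret` and `EntraId:Backoffice:TenantId` are names assumed for this example, not Umbraco settings.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;

namespace MyApp
{
    public static class BackofficeAuthenticationExtensions
    {
        public static IUmbracoBuilder ConfigureAuthentication(this IUmbracoBuilder builder)
        {
            // Assumed configuration section; the key names are this example's, not Umbraco's.
            IConfigurationSection entraConfig = builder.Config.GetSection("EntraId:Backoffice");

            // Fail at startup rather than at first login if the registration is incomplete.
            string clientId = entraConfig["ClientId"]
                ?? throw new InvalidOperationException("EntraId:Backoffice:ClientId is not configured.");
            string clientSecret = entraConfig["ClientSecret"]
                ?? throw new InvalidOperationException("EntraId:Backoffice:ClientSecret is not configured.");

            // Optional: only set for a single-tenant app registration.
            string? tenantId = entraConfig["TenantId"];

            builder.AddBackOfficeExternalLogins(logins =>
            {
                const string schema = MicrosoftAccountDefaults.AuthenticationScheme;

                logins.AddBackOfficeLogin(backOfficeAuthenticationBuilder =>
                {
                    backOfficeAuthenticationBuilder.AddMicrosoftAccount(
                        // The scheme must be set with this method to work for the back office
                        backOfficeAuthenticationBuilder.SchemeForBackOffice(schema) ?? string.Empty,
                        options =>
                        {
                            // Must match the redirect URI registered on the Entra ID app.
                            options.CallbackPath = "/umbraco-signin-microsoft/";
                            options.ClientId = clientId;
                            options.ClientSecret = clientSecret;

                            if (!string.IsNullOrWhiteSpace(tenantId))
                            {
                                // Single tenant: pin both endpoints to the tenant so accounts from
                                // other directories are rejected by the identity provider itself.
                                options.AuthorizationEndpoint =
                                    $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize";
                                options.TokenEndpoint =
                                    $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
                            }
                        });
                });
            });

            return builder;
        }
    }
}
```

During development the values can be supplied with `dotnet user-secrets set "EntraId:Backoffice:ClientSecret" "<value>"`, which keeps the secret out of appsettings.json and the repository.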
Create a class called MemberAuthenticationExtensions in a file named MemberAuthenticationExtensions.cs to configure the external login. As above, the `Umbraco.Cms.Core.DependencyInjection` and `Umbraco.Extensions` usings are needed for `IUmbracoBuilder` and the `AddMemberExternalLogins` extension method:

```csharp
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;

namespace MyApp
{
    public static class MemberAuthenticationExtensions
    {
        public static IUmbracoBuilder ConfigureAuthenticationMembers(this IUmbracoBuilder builder)
        {
            builder.Services.ConfigureOptions<EntraIDB2CMembersExternalLoginProviderOptions>();

            builder.AddMemberExternalLogins(logins =>
            {
                logins.AddMemberLogin(
                    membersAuthenticationBuilder =>
                    {
                        membersAuthenticationBuilder.AddMicrosoftAccount(
                            // The scheme must be set with this method to work for members
                            membersAuthenticationBuilder.SchemeForMembers(EntraIDB2CMembersExternalLoginProviderOptions.SchemeName),
                            options =>
                            {
                                // CallbackPath - Important! The CallbackPath is the URL the browser is
                                // redirected back to; the Microsoft account handler's default is
                                // /signin-microsoft. This value must be unique.
                                options.CallbackPath = "/umbraco-b2c-members-signin";
                                // Obtained from the ENTRA ID B2C WEB APP
                                options.ClientId = "YOURCLIENTID";
                                // Obtained from the ENTRA ID B2C WEB APP
                                options.ClientSecret = "YOURCLIENTSECRET";
                                options.SaveTokens = true;
                            });
                    });
            });

            return builder;
        }
    }
}
```
Make sure to replace **YOURCLIENTID** and **YOURCLIENTSECRET** in the code with the values from the Entra ID tenant.

To enable a member to link their account to an external login provider such as Entra ID, you have to implement a custom named configuration of `MemberExternalLoginProviderOptions` for members. Add the following code in the EntraIDB2CMembersExternalLoginProviderOptions.cs file:

```csharp
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core;
using Umbraco.Cms.Web.Common.Security;

namespace MyApp
{
    public class EntraIDB2CMembersExternalLoginProviderOptions : IConfigureNamedOptions<MemberExternalLoginProviderOptions>
    {
        public const string SchemeName = "EntraIDB2C";

        public void Configure(string name, MemberExternalLoginProviderOptions options)
        {
            if (name != "Umbraco." + SchemeName)
            {
                return;
            }

            Configure(options);
        }

        public void Configure(MemberExternalLoginProviderOptions options)
        {
            options.AutoLinkOptions = new MemberExternalSignInAutoLinkOptions(
                // must be true for auto-linking to be enabled
                autoLinkExternalAccount: true,

                // Optionally specify the default culture to create
                // the user as. If null it will use the default
                // culture defined in the web.config, or it can
                // be dynamically assigned in the OnAutoLinking
                // callback.
                defaultCulture: null,

                // Optionally specify the default "IsApproved" status. Must be true for auto-linking.
                defaultIsApproved: true,

                // Optionally specify the member type alias. Default is "Member"
                defaultMemberTypeAlias: "Member")
            {
                // Optional callback
                OnAutoLinking = (autoLinkUser, loginInfo) =>
                {
                    // You can customize the user before it's linked.
                    // i.e. Modify the user's groups based on the Claims returned
                    // in the externalLogin info
                },

                OnExternalLogin = (user, loginInfo) =>
                {
                    // You can customize the user before it's saved whenever they have
                    // logged in with the external provider.
                    // i.e. Sync the user's name based on the Claims returned
                    // in the externalLogin info

                    return true; // returns a boolean indicating if sign-in should continue or not.
                }
            };
        }
    }
}
```
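The two callbacks are where the site decides whether an external identity may become a member at all; with the class above as written, any Microsoft account that reaches the callback is auto-linked. As an added example (not from the documentation or the Umbraco code base), here is a variant of the same options class that only accepts identities whose email claim belongs to a domain on an allow-list read from configuration, and that keeps the member's display name in sync with the provider. The check is applied in both callbacks: a brand-new identity goes through OnAutoLinking, where the lever is the approval flag (which the comments above note must be true for auto-linking), while an identity that is already linked goes through OnExternalLogin, which can refuse the sign-in by returning false. The configuration key `MemberLogin:AllowedEmailDomains` is an assumed name for this example and holds an array of domains such as `["contoso.com"]`; the claims used are the standard `ClaimTypes.Email` and `ClaimTypes.Name` values that the Microsoft account handler populates from the signed-in account.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Web.Common.Security;

namespace MyApp
{
    public class EntraIDB2CMembersExternalLoginProviderOptions : IConfigureNamedOptions<MemberExternalLoginProviderOptions>
    {
        public const string SchemeName = "EntraIDB2C";

        private readonly string[] _allowedDomains;

        // IConfigureNamedOptions implementations are resolved from DI, so IConfiguration can be injected.
        public EntraIDB2CMembersExternalLoginProviderOptions(IConfiguration configuration)
        {
            // Assumed key for this example; an empty list means no external account is accepted.
            _allowedDomains = configuration.GetSection("MemberLogin:AllowedEmailDomains").Get<string[]>()
                ?? Array.Empty<string>();
        }

        public void Configure(string name, MemberExternalLoginProviderOptions options)
        {
            if (name != "Umbraco." + SchemeName)
            {
                return;
            }

            Configure(options);
        }

        public void Configure(MemberExternalLoginProviderOptions options)
        {
            options.AutoLinkOptions = new MemberExternalSignInAutoLinkOptions(
                autoLinkExternalAccount: true,
                defaultCulture: null,
                defaultIsApproved: true,
                defaultMemberTypeAlias: "Member")
            {
                OnAutoLinking = (autoLinkUser, loginInfo) =>
                {
                    // Runs when a member is first created from the external identity.
                    // Leave a member from an unlisted domain unapproved instead of letting it through.
                    autoLinkUser.IsApproved = IsAllowedEmail(loginInfo.Principal.FindFirstValue(ClaimTypes.Email));

                    string? name = loginInfo.Principal.FindFirstValue(ClaimTypes.Name);
                    if (!string.IsNullOrWhiteSpace(name))
                    {
                        autoLinkUser.Name = name;
                    }
                },

                OnExternalLogin = (user, loginInfo) =>
                {
                    // Runs on later external logins of an already linked member; false stops the sign-in.
                    if (!IsAllowedEmail(loginInfo.Principal.FindFirstValue(ClaimTypes.Email)))
                    {
                        return false;
                    }

                    // Keep the display name in sync with the identity provider.
                    string? name = loginInfo.Principal.FindFirstValue(ClaimTypes.Name);
                    if (!string.IsNullOrWhiteSpace(name))
                    {
                        user.Name = name;
                    }

                    return true;
                }
            };
        }

        // True only when the address has exactly one '@' and its domain is on the allow-list
        // (compared case-insensitively, since domain names are not case-sensitive).
        private bool IsAllowedEmail(string? email)
        {
            if (string.IsNullOrWhiteSpace(email))
            {
                return false;
            }

            string[] parts = email.Split('@');
            if (parts.Length != 2 || parts[1].Length == 0)
            {
                return false;
            }

            return _allowedDomains.Any(d => string.Equals(d, parts[1], StringComparison.OrdinalIgnoreCase));
        }
    }
}
```

Because the domain check lives in one private method, the same rule is enforced on the first and on every later login, and a change to the allow-list in configuration takes effect without touching code.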
Next, update the ConfigureServices method in the Startup.cs file:
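Both of the "update ConfigureServices" steps above register one of the extension methods from this page on the Umbraco builder. As an added example of what that looks like (not the documentation's own snippet), here is a Startup.cs in the shape of the Umbraco 9/10 project template that calls both extension methods; the essential point is that they run on the builder before `Build()`. Drop the `ConfigureAuthenticationMembers()` call if only back-office login is configured.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Umbraco.Extensions;

namespace MyApp
{
    public class Startup
    {
        private readonly IWebHostEnvironment _env;
        private readonly IConfiguration _config;

        public Startup(IWebHostEnvironment webHostEnvironment, IConfiguration config)
        {
            _env = webHostEnvironment;
            _config = config;
        }

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddUmbraco(_env, _config)
                .AddBackOffice()
                .AddWebsite()
                .AddComposers()
                // Extension methods from the two sections above; both must be called before Build().
                .ConfigureAuthentication()
                .ConfigureAuthenticationMembers()
                .Build();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseUmbraco()
                .WithMiddleware(u =>
                {
                    u.UseBackOffice();
                    u.UseWebsite();
                })
                .WithEndpoints(u =>
                {
                    u.UseInstallerEndpoints();
                    u.UseBackOfficeEndpoints();
                    u.UseWebsiteEndpoints();
                });
        }
    }
}
```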