Share via


MicrosoftIdentityApplicationOptions Class

Definition

Options for configuring authentication for a web app, web API, or daemon application, using Azure Active Directory. It has both AAD and B2C configuration attributes.

public class MicrosoftIdentityApplicationOptions : Microsoft.Identity.Abstractions.IdentityApplicationOptions
type MicrosoftIdentityApplicationOptions = class
    inherit IdentityApplicationOptions
Public Class MicrosoftIdentityApplicationOptions
Inherits IdentityApplicationOptions
Inheritance
MicrosoftIdentityApplicationOptions

Constructors

MicrosoftIdentityApplicationOptions()

Properties

AllowWebApiToBeAuthorizedByACL

Web APIs called on behalf of a user can validate a token based on scopes (representing delegated permissions). Web APIs called by daemon applications can validate a token based on roles (representing app permissions). By default, the web API will validate the presence of roles and scopes. You can set this property to false to use the ACL-based authorization pattern for the client (daemon) to the web API. If using ACL-based authorization, the implementation will not throw if roles or scopes are not in the Claims. For details see https://aka.ms/ms-identity-web/daemon-ACL.

(Inherited from IdentityApplicationOptions)
AppHomeTenantId

Home tenant of the app in which the app can acquire a token to call a downstream API on behalf of itself.

Audience

In a web API, audience of the tokens that will be accepted by the web API.

If your web API accepts several audiences, see Audiences.

(Inherited from IdentityApplicationOptions)
Audiences

In a web API, accepted audiences for the tokens received by the web API.

See also Audience.

The audience is the intended recipient of the token. You can usually assume that the ApplicationID of your web API is a valid audience. It can, in general be any of the App ID URIs (or resource identitfier) you defined for your application during its registration in the Azure portal. (Inherited from IdentityApplicationOptions)
Authority

Gets or sets the Authority to use when making OpenIdConnect calls. By default the authority is computed from the Instance and TenantId properties, by concatenating them, and appending "v2.0". If your authority is not an Azure AD authority, you can set it directly here.

AzureRegion

Specifies the Azure region. See https://aka.ms/azure-region. To have the app attempt to detect the Azure region automatically, use "TryAutoDetect".

ClientCapabilities

Specifies the capabilities of the client (for instance {"cp1", "cp2"}). This is useful to express that the Client is capable of handling claims challenge. If your application is CAE capable, it needs to express "cp1".

ClientCredentials

Description of the client credentials that the app provides to prove its identity to the IdP, See CredentialSource for the list of supported credential types.

(Inherited from IdentityApplicationOptions)
ClientId

Gets or sets the 'client_id' (application ID) as it appears in the application registration. This is the string representation of a GUID.

(Inherited from IdentityApplicationOptions)
DefaultUserFlow

Gets the default user flow (which is signUpsignIn).

Domain

Gets or sets the domain of the Azure Active Directory tenant, e.g. contoso.onmicrosoft.com.

EditProfilePolicyId

Gets or sets the edit profile user flow name for B2C, e.g. b2c_1_edit_profile.

EnablePiiLogging

Flag used to enable/disable logging of Personally Identifiable Information (PII). PII logs are never written to default outputs. Default is set to false, which ensures that your application is compliant with GDPR. You can set it to true for advanced debugging requiring PII.

(Inherited from IdentityApplicationOptions)
ErrorPath

Sets the Error route path. Defaults to the value /MicrosoftIdentity/Account/Error, which is the value used by Microsoft.Identity.Web.UI.

ExtraQueryParameters

Sets query parameters for the query string in the HTTP request to the IdP. This parameter is useful if you want to send the request to a specific test slice, or a particular dc.

(Inherited from IdentityApplicationOptions)
Instance

Gets or sets the Azure Active Directory instance, e.g. "https://login.microsoftonline.com/".

ResetPasswordPath

Sets the ResetPassword route path (from the root of the web site). Defaults to /MicrosoftIdentity/Account/ResetPassword, which is the value used by Microsoft.Identity.Web.UI. If you override it, you need to provide your own controller/actions.

ResetPasswordPolicyId

Gets or sets the reset password user flow name for B2C, e.g. B2C_1_password_reset.

SendX5C

Specifies if the x5c claim (public key of the certificate) should be sent to the STS. Sending the x5c enables application developers to achieve easy certificate rollover in Azure AD: this method will send the public certificate to Azure AD along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy. This saves the application admin from the need to explicitly manage the certificate rollover (either via the app registration portal or using PowerShell/CLI). For details see https://aka.ms/msal-net-sni.

SignUpSignInPolicyId

Gets or sets the sign up or sign in user flow name for B2C, e.g. b2c_1_susi.

TenantId

Gets or sets the tenant ID. If your application is multi-tenant, you can also use "common" if it supports both work and school, or personal accounts accounts, or "organizations" if your application supports only work and school accounts. If your application is single tenant, set this property to the tenant ID or domain name. If your application works only for Microsoft personal accounts, use "consumers".

TokenDecryptionCredentials

Description of the credentials (usually certificates) used to decrypt an encrypted token in a web API.

(Inherited from IdentityApplicationOptions)
WithSpaAuthCode

If set to true, when the user signs-in in a web app, the application requests an auth code for the frontend (single page application using MSAL.js for instance). This will allow the front end JavaScript code to bypass going to the authoriize endpoint (which requires reloading the page), by directly redeeming the auth code to get access tokens to call APIs. See https://aka.ms/msal-net/hybrid-spa-sample for details. Only works for AAD, not B2C.

Applies to