Microsoft Account external login: Move Portal steps to links (#34669)

wadepickett · Rick-Anderson · web-flow · commit 6d8e5f626a72 · 2025-03-03T17:51:11.000-08:00
* Microsoft Account external login: Move Portal steps to links * Link update * Corrected link * Improved for Acrolinx issues * Updated Portal references to Entra admin center * Update tenant portion of Wades PR (#34862) * Update date format in Microsoft logins doc * Clarify secrets and values * Update aspnetcore/security/authentication/social/microsoft-logins.md Add review suggestion, remove v6.0 mention. Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> * Update aspnetcore/security/authentication/social/microsoft-logins.md Formatted ms.date value * Update ProgramMS.cs remove unneeded vars * Added snippet tag for ProgramMS.cs --------- Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
diff --git a/aspnetcore/security/authentication/social/microsoft-logins.md b/aspnetcore/security/authentication/social/microsoft-logins.md
@@ -4,7 +4,7 @@ author: rick-anderson
 description: This sample demonstrates the integration of Microsoft account user authentication into an existing ASP.NET Core app.
 ms.author: riande
 ms.custom: mvc
-ms.date: 12/08/2021
+ms.date: 03/01/2025
 monikerRange: '>= aspnetcore-3.1'
 uid: security/authentication/microsoft-logins
 ---
@@ -14,39 +14,23 @@ By [Valeriy Novytskyy](https://github.com/01binary) and [Rick Anderson](https://
 
 :::moniker range=">= aspnetcore-6.0"
 
-This sample shows you how to enable users to sign in with their work, school, or personal Microsoft account using the ASP.NET Core 6.0 project created on the [previous page](xref:security/authentication/social/index).
+This sample shows how to enable users to sign in with their work, school, or personal Microsoft account using the ASP.NET Core  project created on the [previous page](xref:security/authentication/social/index).
 
-## Create the app in Microsoft Developer Portal
+## Create the app in the Microsoft Entra admin center
 
 * Add the [Microsoft.AspNetCore.Authentication.MicrosoftAccount](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.MicrosoftAccount/) NuGet package to the project.
-* Navigate to the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page and create or sign into a Microsoft account:
+* Register the application in the Microsoft Entra admin center by following the steps in [Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app?tabs=client-secret)
 
-If you don't have a Microsoft account, select **Create one**. After signing in, you are redirected to the **App registrations** page:
+### Create a client secret
 
-* Select **New registration**
-* Enter a **Name**.
-* Select an option for **Supported account types**.  <!-- Accounts for any org work with MS domain accounts. Most folks probably want the last option, personal MS accounts. It took 24 hours after setting this up for the keys to work -->
-  * The `MicrosoftAccount` package supports App Registrations created using "Accounts in any organizational directory" or "Accounts in any organizational directory and Microsoft accounts" options by default.
-  * To use other options, set `AuthorizationEndpoint` and `TokenEndpoint` members of `MicrosoftAccountOptions` used to initialize the Microsoft Account authentication to the URLs displayed on **Endpoints** page of the App Registration after it is created (available by clicking Endpoints on the **Overview** page).
-* Under **Redirect URI**, enter your development URL with `/signin-microsoft` appended. For example, `https://localhost:5001/signin-microsoft`. The Microsoft authentication scheme configured later in this sample will automatically handle requests at `/signin-microsoft` route to implement the OAuth flow.
-* Select **Register**
-
-### Create client secret
-
-* In the left pane, select **Certificates & secrets**.
-* Under **Client secrets**, select **New client secret**
-  * Add a description for the client secret.
-  * Select the **Add** button.
-* Under **Client secrets**, copy the value of the client secret.
-
-The URI segment `/signin-microsoft` is set as the default callback of the Microsoft authentication provider. You can change the default callback URI while configuring the Microsoft authentication middleware via the inherited <xref:Microsoft.AspNetCore.Authentication.RemoteAuthenticationOptions.CallbackPath%2A?displayProperty=nameWithType> property of the <xref:Microsoft.AspNetCore.Authentication.MicrosoftAccount.MicrosoftAccountOptions> class.
+Generate a client secret in the Microsoft Entra admin center by following the steps in [Register an application with the Microsoft identity platform: Add Credentials](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials).
 
 ## Store the Microsoft client ID and secret
 
-Store sensitive settings such as the Microsoft **Application (client) ID** found on the **Overview** page of the App Registration and **Client Secret** you created on the **Certificates & secrets page** with [Secret Manager](xref:security/app-secrets). For this sample, use the following steps:
+Store sensitive settings such as the Microsoft **Application (client) ID** and **Client Secret** created in the previous step with [Secret Manager](xref:security/app-secrets). For this sample, use the following steps:
 
 1. Initialize the project for secret storage per the instructions at [Enable secret storage](xref:security/app-secrets#enable-secret-storage).
-1. Store the sensitive settings in the local secret store with the secret keys `Authentication:Microsoft:ClientId` and `Authentication:Microsoft:ClientSecret`:
+1. Store the sensitive settings in the local secret store with the secret keys `Authentication:Microsoft:ClientId` and `Authentication:Microsoft:ClientSecret`. The `<client-id>` is listed on the Azure App registrations blade under **Application (client) ID**. The `<client-secret>` is on listed under **Certificates & secrets** as the **Value**, not the **Secret ID**. 
 
     ```dotnetcli
     dotnet user-secrets set "Authentication:Microsoft:ClientId" "<client-id>"
@@ -59,7 +43,7 @@ Store sensitive settings such as the Microsoft **Application (client) ID** found
 
 Add the Authentication service to the `Program`:
 
-[!code-csharp[](~/security/authentication/social/social-code/6.x/ProgramMS.cs)]
+:::code language="csharp" source="~/security/authentication/social/social-code/6.x/ProgramMS.cs" id="snippet_AddServices":::
 
 [!INCLUDE [default settings configuration](includes/default-settings.md)]
 
@@ -68,65 +52,49 @@ For more information about configuration options supported by Microsoft Account
 ## Sign in with Microsoft Account
 
 * Run the app and select **Log in**. An option to sign in with Microsoft appears.
-* Select to sign in with Microsoft. You are redirected to Microsoft for authentication. After signing in with your Microsoft Account, you will be prompted to let the app access your info:
-* Select **Yes**. You are redirected back to the web site where you can set your email.
+* Select to sign in with Microsoft to navigate to Microsoft for authentication. After signing in with your Microsoft Account, you'll be prompted to let the app access your info:
+* Select **Yes** to navigate back to the web site where to set your email.
 
-You are now logged in using your Microsoft credentials.
+You're now logged in using your Microsoft credentials.
 
 [!INCLUDE[](includes/chain-auth-providers.md)]
 
 [!INCLUDE[Forward request information when behind a proxy or load balancer section](includes/forwarded-headers-middleware.md)]
 
 ## Troubleshooting
 
-* If the Microsoft Account provider redirects you to a sign in error page, note the error title and description query string parameters directly following the `#` (hashtag) in the Uri.
+* If the Microsoft Account provider redirects to a sign in error page, note the error title and description query string parameters directly following the `#` (hashtag) in the Uri.
 
   Although the error message seems to indicate a problem with Microsoft authentication, the most common cause is your application Uri not matching any of the **Redirect URIs** specified for the **Web** platform.
 
 * If Identity isn't configured by calling `services.AddIdentity` in `ConfigureServices`, attempting to authenticate will result in *ArgumentException: The 'SignInScheme' option must be provided*. The project template used in this sample ensures that this is done.
 
-* If the site database has not been created by applying the initial migration, you will get *A database operation failed while processing the request* error. Tap **Apply Migrations** to create the database and refresh to continue past the error.
+* If the site database hasn't been created by applying the initial migration, *A database operation failed while processing the request* error occurs. Tap **Apply Migrations** to create the database and refresh to continue past the error.
 
 ## Next steps
 
-* This article showed how you can authenticate with Microsoft. You can follow a similar approach to authenticate with other providers listed on the [previous page](xref:security/authentication/social/index).
-* Once you publish your web site to Azure web app, create a new client secrets in the Microsoft Developer Portal.
-* Set the `Authentication:Microsoft:ClientId` and `Authentication:Microsoft:ClientSecret` as application settings in the Azure portal. The configuration system is set up to read keys from environment variables.
+* This article showed how to authenticate with Microsoft. Follow a similar approach to authenticate with other providers listed on the [previous page](xref:security/authentication/social/index).
+* Once the web site is published to Azure web app, create a new client secrets in the Microsoft Entra admin center.
+* Set the `Authentication:Microsoft:ClientId` and `Authentication:Microsoft:ClientSecret` as application settings in the Microsoft Entra admin center. The configuration system is set up to read keys from environment variables.
 
 :::moniker-end
 
 :::moniker range="< aspnetcore-6.0"
 
 This sample shows you how to enable users to sign in with their work, school, or personal Microsoft account using the ASP.NET Core 3.0 project created on the [previous page](xref:security/authentication/social/index).
 
-## Create the app in Microsoft Developer Portal
+## Create the app in the Microsoft Entra admin center
 
 * Add the [Microsoft.AspNetCore.Authentication.MicrosoftAccount](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.MicrosoftAccount/) NuGet package to the project.
-* Navigate to the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page and create or sign into a Microsoft account:
-
-If you don't have a Microsoft account, select **Create one**. After signing in, you are redirected to the **App registrations** page:
-
-* Select **New registration**
-* Enter a **Name**.
-* Select an option for **Supported account types**.  <!-- Accounts for any org work with MS domain accounts. Most folks probably want the last option, personal MS accounts. It took 24 hours after setting this up for the keys to work -->
-  * The `MicrosoftAccount` package supports App Registrations created using "Accounts in any organizational directory" or "Accounts in any organizational directory and Microsoft accounts" options by default.
-  * To use other options, set `AuthorizationEndpoint` and `TokenEndpoint` members of `MicrosoftAccountOptions` used to initialize the Microsoft Account authentication to the URLs displayed on **Endpoints** page of the App Registration after it is created (available by clicking Endpoints on the **Overview** page).
-* Under **Redirect URI**, enter your development URL with `/signin-microsoft` appended. For example, `https://localhost:5001/signin-microsoft`. The Microsoft authentication scheme configured later in this sample will automatically handle requests at `/signin-microsoft` route to implement the OAuth flow.
-* Select **Register**
+* Register the application in the Microsoft Entra admin center by following the steps in [Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app?tabs=client-secret#register-an-application)
 
 ### Create client secret
 
-* In the left pane, select **Certificates & secrets**.
-* Under **Client secrets**, select **New client secret**
-  * Add a description for the client secret.
-  * Select the **Add** button.
-* Under **Client secrets**, copy the value of the client secret.
-
-The URI segment `/signin-microsoft` is set as the default callback of the Microsoft authentication provider. You can change the default callback URI while configuring the Microsoft authentication middleware via the inherited <xref:Microsoft.AspNetCore.Authentication.RemoteAuthenticationOptions.CallbackPath%2A?displayProperty=nameWithType> property of the <xref:Microsoft.AspNetCore.Authentication.MicrosoftAccount.MicrosoftAccountOptions> class.
+Generate a client secret in the Microsoft Entra admin center by following the steps in [Register an application with the Microsoft identity platform: Add Credentials](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials).
 
 ## Store the Microsoft client ID and secret
 
-Store sensitive settings such as the Microsoft **Application (client) ID** found on the **Overview** page of the App Registration and **Client Secret** you created on the **Certificates & secrets page** with [Secret Manager](xref:security/app-secrets). For this sample, use the following steps:
+Store sensitive settings such as the Microsoft **Application (client) ID** and **Client Secret** you created in the previous step with [Secret Manager](xref:security/app-secrets). For this sample, use the following steps:
 
 1. Initialize the project for secret storage per the instructions at [Enable secret storage](xref:security/app-secrets#enable-secret-storage).
 1. Store the sensitive settings in the local secret store with the secret keys `Authentication:Microsoft:ClientId` and `Authentication:Microsoft:ClientSecret`:
@@ -150,11 +118,11 @@ For more information about configuration options supported by Microsoft Account
 
 ## Sign in with Microsoft Account
 
-Run the app and select **Log in**. An option to sign in with Microsoft appears. When you select on Microsoft, you are redirected to Microsoft for authentication. After signing in with your Microsoft Account, you will be prompted to let the app access your info:
+Run the app and select **Log in**. An option to sign in with Microsoft appears. Select **Microsoft** to navigate to Microsoft for authentication. After signing in with your Microsoft Account, you'll be prompted to let the app access your info:
 
-Tap **Yes** and you will be redirected back to the web site where you can set your email.
+Tap **Yes** and you'll be redirected back to the web site where you can set your email.
 
-You are now logged in using your Microsoft credentials.
+You're now logged in using your Microsoft credentials.
 
 [!INCLUDE[](includes/chain-auth-providers.md)]
 
@@ -166,12 +134,12 @@ You are now logged in using your Microsoft credentials.
 
   Although the error message seems to indicate a problem with Microsoft authentication, the most common cause is your application Uri not matching any of the **Redirect URIs** specified for the **Web** platform.
 * If Identity isn't configured by calling `services.AddIdentity` in `ConfigureServices`, attempting to authenticate will result in *ArgumentException: The 'SignInScheme' option must be provided*. The project template used in this sample ensures that this is done.
-* If the site database has not been created by applying the initial migration, you will get *A database operation failed while processing the request* error. Tap **Apply Migrations** to create the database and refresh to continue past the error.
+* If the site database hasn't been created by applying the initial migration, you'll get *A database operation failed while processing the request* error. Tap **Apply Migrations** to create the database and refresh to continue past the error.
 
 ## Next steps
 
 * This article showed how you can authenticate with Microsoft. You can follow a similar approach to authenticate with other providers listed on the [previous page](xref:security/authentication/social/index).
-* Once you publish your web site to Azure web app, create a new client secrets in the Microsoft Developer Portal.
-* Set the `Authentication:Microsoft:ClientId` and `Authentication:Microsoft:ClientSecret` as application settings in the Azure portal. The configuration system is set up to read keys from environment variables.
+* Once you publish your web site to Azure web app, create a new client secrets in the Microsoft Entra admin center.
+* Set the `Authentication:Microsoft:ClientId` and `Authentication:Microsoft:ClientSecret` as application settings in Microsoft Entra admin center. The configuration system is set up to read keys from environment variables.
 
 :::moniker-end
diff --git a/aspnetcore/security/authentication/social/social-code/6.x/ProgramMS.cs b/aspnetcore/security/authentication/social/social-code/6.x/ProgramMS.cs
@@ -1,9 +1,8 @@
 var builder = WebApplication.CreateBuilder(args);
-var services = builder.Services;
-var configuration = builder.Configuration;
-
-services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
-    {
-        microsoftOptions.ClientId = configuration["Authentication:Microsoft:ClientId"];
-        microsoftOptions.ClientSecret = configuration["Authentication:Microsoft:ClientSecret"];
-    });
+// <snippet_AddServices>
+builder.Services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
+{
+    microsoftOptions.ClientId = configuration["Authentication:Microsoft:ClientId"];
+    microsoftOptions.ClientSecret = configuration["Authentication:Microsoft:ClientSecret"];
+});
+// </snippet_AddServices>
