Nefarius.AspNetCore.EntraId

Middleware and helpers for consuming Microsoft Entra ID (formerly Azure AD) authentication when running ASP.NET Core applications behind Azure App Service authentication (Easy Auth).

This library is extracted from the DIT.Schulamt.Backend.Core project and packaged in a reusable form, following the general structure and conventions of Nefarius.Utilities.AspNetCore.

Features

• Parses Easy Auth header: Decodes the X-MS-CLIENT-PRINCIPAL header and turns it into a regular .NET ClaimsPrincipal.
• Normalizes username: Extracts a friendly username from common claims like preferred_username, email, name, or nameidentifier, stripping the domain part.
• Signs in with cookies: Signs the user into ASP.NET Core cookie authentication, so the rest of your app can use HttpContext.User as usual.

How to use

Configure authentication cookies as usual:

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie();

Then wire up the middleware in your pipeline:

using Nefarius.AspNetCore.EntraId;

var app = builder.Build();

// Extract Microsoft Entra ID session info and authenticate the user
app.UseMicrosoftEntraId();

app.UseAuthentication();
app.UseAuthorization();

When the app is running behind Azure App Service authentication, the platform will inject the X-MS-CLIENT-PRINCIPAL header. This library reads that header, builds a ClaimsPrincipal, and signs the user in with cookie authentication.