
MicrosoftEntraApplicationOptions Class

Definition

Options for configuring authentication specific to Microsoft Entra (Azure AD) for a web app, web API, or daemon application.

C#
public class MicrosoftEntraApplicationOptions : Microsoft.Identity.Abstractions.IdentityApplicationOptions

F#
type MicrosoftEntraApplicationOptions = class
    inherit IdentityApplicationOptions

VB
Public Class MicrosoftEntraApplicationOptions
Inherits IdentityApplicationOptions
Inheritance
MicrosoftEntraApplicationOptions
Derived

Constructors

MicrosoftEntraApplicationOptions()

Properties

AllowWebApiToBeAuthorizedByACL

Web APIs called on behalf of a user can validate a token based on scopes (representing delegated permissions). Web APIs called by daemon applications can validate a token based on roles (representing app permissions). By default, the web API will validate the presence of roles and scopes. You can set this property to false to use the ACL-based authorization pattern for the client (daemon) to the web API. If using ACL-based authorization, the implementation will not throw if roles or scopes are not in the Claims. For details see https://aka.ms/ms-identity-web/daemon-ACL. (Inherited from IdentityApplicationOptions)

AppHomeTenantId

Home tenant of the app in which the app can acquire a token to call a downstream API on behalf of itself.

Audience

In a web API, audience of the tokens that will be accepted by the web API.

If your web API accepts several audiences, see Audiences. (Inherited from IdentityApplicationOptions)

Audiences

In a web API, accepted audiences for the tokens received by the web API.

See also Audience.

The audience is the intended recipient of the token. You can usually assume that the ApplicationID of your web API is a valid audience. It can, in general, be any of the App ID URIs (or resource identifiers) you defined for your application during its registration in the Azure portal. (Inherited from IdentityApplicationOptions)

Authority

Gets or sets the Authority to use when making OpenIdConnect calls. By default the authority is computed from the Instance and TenantId properties, by concatenating them, and appending "v2.0". If your authority is not an Azure AD authority, you can set it directly here.

AzureRegion

Specifies the Azure region. See https://aka.ms/azure-region. To have the app attempt to detect the Azure region automatically, use "TryAutoDetect".

ClientCapabilities

Specifies the capabilities of the client (for instance {"cp1", "cp2"}). This is useful to express that the Client is capable of handling claims challenge. If your application is CAE capable, it needs to express "cp1".

ClientCredentials

Description of the client credentials that the app provides to prove its identity to the IdP. See CredentialSource for the list of supported credential types. (Inherited from IdentityApplicationOptions)

ClientId

Gets or sets the 'client_id' (application ID) as it appears in the application registration. This is the string representation of a GUID. (Inherited from IdentityApplicationOptions)

EnablePiiLogging

Flag used to enable/disable logging of Personally Identifiable Information (PII). PII logs are never written to default outputs. Default is set to false, which ensures that your application is compliant with GDPR. You can set it to true for advanced debugging requiring PII. (Inherited from IdentityApplicationOptions)

ExtraQueryParameters

Sets query parameters for the query string in the HTTP request to the IdP. This parameter is useful if you want to send the request to a specific test slice, or a particular dc. (Inherited from IdentityApplicationOptions)

Instance

Gets or sets the Azure Active Directory instance, e.g. "https://login.microsoftonline.com/".

Name

Gets or sets the name of the options. This can be used to associate the options with named options in the .NET IOptionsMonitor or IOptionsSnapshot (or with ASP.NET Core authentication schemes).

SendX5C

Specifies if the x5c claim (public key of the certificate) should be sent to the STS. Sending the x5c enables application developers to achieve easy certificate rollover in Azure AD: this method will send the public certificate to Azure AD along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy. This saves the application admin from the need to explicitly manage the certificate rollover (either via the app registration portal or using PowerShell/CLI). For details see https://aka.ms/msal-net-sni. The default is false.

TenantId

Gets or sets the tenant ID. If your application is multi-tenant, you can also use "common" if it supports both work and school accounts and personal accounts, or "organizations" if your application supports only work and school accounts. If your application is single tenant, set this property to the tenant ID or ___domain name. If your application works only for Microsoft personal accounts, use "consumers".

TokenDecryptionCredentials

Description of the credentials (usually certificates) used to decrypt an encrypted token in a web API. (Inherited from IdentityApplicationOptions)

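The following is an added example, not code from Microsoft Learn or from the Microsoft.Identity.Abstractions package. It populates a MicrosoftEntraApplicationOptions for a web API using the properties documented above (Audiences restricted to the API's own identifiers, a Key Vault certificate instead of a client secret, SendX5C for subject-name rollover, ClientCapabilities for CAE, and AllowWebApiToBeAuthorizedByACL and EnablePiiLogging left at their defaults). It then adds two small stand-in checks, IsAudienceAccepted and HasRolesOrScopes, that mirror the documented Audience/Audiences and roles-or-scopes rules; these are illustrative and are not the library's own validation code. It assumes .NET 8 with a reference to the Microsoft.Identity.Abstractions package; every GUID, Key Vault URL and certificate name is a placeholder, and the ClaimsPrincipal objects are constructed in the example rather than taken from real tokens.

```csharp
// Added example: not code from Microsoft.Identity.Abstractions or Microsoft Learn.
// Assumptions: .NET 8, the Microsoft.Identity.Abstractions package referenced;
// all GUIDs, the Key Vault URL and the certificate name are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.Identity.Abstractions;

public static class EntraOptionsExample
{
    public static MicrosoftEntraApplicationOptions BuildWebApiOptions()
    {
        return new MicrosoftEntraApplicationOptions
        {
            Name = "Bearer", // matches the ASP.NET Core authentication scheme name
            Instance = "https://login.microsoftonline.com/",
            TenantId = "00000000-0000-0000-0000-000000000000", // placeholder: single-tenant app
            ClientId = "11111111-1111-1111-1111-111111111111", // placeholder: app (client) ID
            // Accept only this API's App ID URI and client ID; tokens issued for any other
            // resource fail audience validation.
            Audiences = new[]
            {
                "api://11111111-1111-1111-1111-111111111111",
                "11111111-1111-1111-1111-111111111111",
            },
            // A certificate held in Key Vault rather than a client secret. With SendX5C the
            // public certificate travels with the token request so the IdP can validate it
            // by subject name and issuer, which makes certificate rollover a vault-only task.
            ClientCredentials = new[]
            {
                new CredentialDescription
                {
                    SourceType = CredentialSource.KeyVault,
                    KeyVaultUrl = "https://example-vault.vault.azure.net", // placeholder
                    KeyVaultCertificateName = "webapi-client-cert",        // placeholder
                },
            },
            SendX5C = true,
            // Declare Continuous Access Evaluation support so the IdP may send claims challenges.
            ClientCapabilities = new[] { "cp1" },
            // AllowWebApiToBeAuthorizedByACL and EnablePiiLogging are intentionally left at
            // their defaults: callers must present roles or scopes, and PII stays out of logs.
        };
    }

    // Stand-in for the documented Audience/Audiences rule (illustrative, not the library's
    // code): a token is for this API only if its 'aud' equals Audience or is in Audiences.
    public static bool IsAudienceAccepted(MicrosoftEntraApplicationOptions o, string aud)
    {
        if (!string.IsNullOrEmpty(o.Audience) && string.Equals(o.Audience, aud, StringComparison.Ordinal))
            return true;
        return o.Audiences != null && o.Audiences.Contains(aud, StringComparer.Ordinal);
    }

    // Stand-in for the roles-or-scopes rule (illustrative): when the API is configured for the
    // ACL pattern the check is skipped; otherwise a token carrying neither 'roles'
    // (app permissions) nor a non-empty 'scp' (delegated permissions) is refused.
    public static bool HasRolesOrScopes(ClaimsPrincipal principal, bool aclBasedAuthorization)
    {
        if (aclBasedAuthorization) return true;
        bool hasRoles = principal.FindAll("roles").Any();
        bool hasScopes = principal.FindAll("scp").Any(c => !string.IsNullOrWhiteSpace(c.Value));
        return hasRoles || hasScopes;
    }

    public static void Main()
    {
        var options = BuildWebApiOptions();
        // Authority was not set explicitly, so it is derived from Instance, TenantId and "v2.0".
        Console.WriteLine($"Authority: {options.Authority}");

        // Constructed sample principals standing in for validated bearer tokens.
        var daemon = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("roles", "Data.Read.All") }, "Bearer"));
        var noPermissions = new ClaimsPrincipal(new ClaimsIdentity(Array.Empty<Claim>(), "Bearer"));

        Console.WriteLine(IsAudienceAccepted(options, "api://11111111-1111-1111-1111-111111111111"));
        Console.WriteLine(IsAudienceAccepted(options, "api://some-other-resource"));
        Console.WriteLine(HasRolesOrScopes(daemon, aclBasedAuthorization: false));
        Console.WriteLine(HasRolesOrScopes(noPermissions, aclBasedAuthorization: false));
    }
}
```

In a real ASP.NET Core app these values are normally bound from an "AzureAd" configuration section rather than set in code; the point of the in-code form here is to make the security-relevant choices visible side by side: a narrow audience list, certificate credentials with SendX5C, and the default roles-or-scopes requirement that refuses a token carrying neither claim.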
Applies to