# Microsoft Entra ID Example

## Prerequisites

In this example, you will need the following NuGet packages:

```
Microsoft.Identity.Web
Microsoft.Identity.Web.TokenCache
```

## Setting up Ucommerce Backoffice

Setting up Ucommerce backoffice with Microsoft Entra ID requires you to set up an external authentication scheme when calling `.AddBackOffice()`.

To set up the authentication, use a helper method from the above packages to add all the required services to the [AuthenticationBuilder](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.authenticationbuilder?view=aspnetcore-8.0). We highly recommend looking into some of these methods, as they do much of the groundwork to set up OpenID.

```csharp
var ucommerceBuilder = builder.Services
    .AddUcommerce(builder.Configuration)
    .AddBackOffice(securitySettings =>
        {
            securitySettings.AddExternalIdentityProvider<MyExternalClaimsMapper>(
                OpenIdConnectDefaults.AuthenticationScheme,
                authenticationBuilder =>
                {
                    IEnumerable<string>? initialScopes = builder.Configuration["DownstreamApi:Scopes"]
                        ?.Split(' ');
                    // Use the AuthenticationBuilder from ASP.NET to set up authentication
                    authenticationBuilder.AddMicrosoftIdentityWebApp(builder.Configuration,
                            cookieScheme: null) // Ucommerce will handle the cookie session
                        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                        .AddInMemoryTokenCaches();
                });
            // Configure Ucommerce to use your scheme from code
            securitySettings.UseExternalIdentityProvider(OpenIdConnectDefaults.AuthenticationScheme);
        }
    )
    ...
```

{% hint style="info" %}
Remember to create your [external claims mapper](https://dev.ucommerce.net/readme/backoffice-authentication/..#external-claims-mapper) to map the claims from Azure to Ucommerce.
{% endhint %}
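As an added illustration (not Ucommerce's or Microsoft's code) of what such a claims mapper has to get right, the helper below translates the claims Entra ID places on the signed-in `ClaimsPrincipal` into the fields a backoffice user needs. The `MappedBackofficeUser` record, the `Map` signature and the `expectedTenantId` parameter (which you would read from `AzureAd:TenantId`) are assumptions for this example; the real Ucommerce mapper interface is not shown on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical shape of what a mapper hands to Ucommerce; the real mapper
// interface is Ucommerce's and is not shown on this page.
public sealed record MappedBackofficeUser(
    string ExternalId, string DisplayName, string Email, IReadOnlyList<string> Roles);

public static class EntraClaimsMapping
{
    // Entra ID emits short JWT claim names; Microsoft.Identity.Web may remap
    // some of them to the long WS-Federation URIs, so both spellings are accepted.
    static readonly string[] ObjectIdTypes =
        { "oid", "http://schemas.microsoft.com/identity/claims/objectidentifier" };
    static readonly string[] TenantIdTypes =
        { "tid", "http://schemas.microsoft.com/identity/claims/tenantid" };
    static readonly string[] RoleTypes = { "roles", ClaimTypes.Role };

    static string? First(ClaimsPrincipal p, string[] types) =>
        types.Select(t => p.FindFirst(t)?.Value).FirstOrDefault(v => !string.IsNullOrEmpty(v));

    // Maps a signed-in Entra principal to a backoffice user. Returns null when the
    // token is not for the expected tenant or carries no stable identifier.
    public static MappedBackofficeUser? Map(ClaimsPrincipal principal, string expectedTenantId)
    {
        // Defensive check on top of the issuer validation Microsoft.Identity.Web
        // already performs: never accept a sign-in from another tenant.
        var tid = First(principal, TenantIdTypes);
        if (!string.Equals(tid, expectedTenantId, StringComparison.OrdinalIgnoreCase))
            return null;

        // Key the Ucommerce account on the immutable object id, not on the email or
        // UPN: those are mutable and can later be reassigned to a different person.
        var oid = First(principal, ObjectIdTypes);
        if (string.IsNullOrEmpty(oid))
            return null;

        var email = First(principal, new[] { "preferred_username", "email", ClaimTypes.Email }) ?? "";
        var name = First(principal, new[] { "name", ClaimTypes.Name }) ?? email;

        // App roles assigned in the Azure app registration arrive as "roles" claims.
        var roles = RoleTypes
            .SelectMany(t => principal.FindAll(t))
            .Select(c => c.Value)
            .Distinct(StringComparer.Ordinal)
            .ToList();

        return new MappedBackofficeUser(oid, name, email, roles);
    }
}
```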

## Create your Azure application

Follow [this guide](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-web-app-aspnet-core-sign-in) from Microsoft to set up your Azure App and `appsettings.json`. After following the guide, `appsettings.json` should look something like this:

```json
...
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "{Your-Tenant-Id}",
    "ClientId": "{Your-Client-Id}",
    "ClientCertificates": [
      {
        "SourceType": "StoreWithThumbprint",
        "CertificateStorePath": "CurrentUser/My",
        "CertificateThumbprint": "{Your-Certificate-Thumbprint}"
      }
    ],
    "CallbackPath": "/signin-oidc"
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0/me",
    "Scopes": "user.read"
  },
...
```

{% hint style="warning" %}
Notice that the sources in `ClientCertificates` may change between environments.\
See the [Using Certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) documentation for details.
{% endhint %}

## Related Articles

{% embed url="https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-web-app-aspnet-core-sign-in" %}
