Setup AAD with Form Headless API

Create Azure Active Directory on portal

Step 1: Create a Tenant

• Open https://portal.azure.com/#home
• Open Create a resource > Search for Entra ID > Select Entra ID
• Select Microsoft Entra ID > Click Create button
• Tenant type: Microsoft Entra ID
• Add Details:
  • Organization name:
  • Initial domain name:
  • Country/Region:
• Click Create button
• Switch to the new directory/tenant:
  • Open the directory by clicking the new tenant
  • You can switch to a different AD by clicking the User icon on the top right > Switch directory

Step 2: Create a New User

• Open the AD > Select Microsoft Entra ID > Click Users menu > Click New user and fill in the data for the created users:

  • Administrators: [email protected]
  • WebEditor: [email protected]
  • WebAdmin: [email protected]
  • PWD: password

  Notes: Log in to Azure portal https://portal.azure.com with the above user in a different browser to change the password.

Step 3: Register a Web Application

• Open Entra ID
• Select App Registrations on the left menu > New registration > Fill in the data:
  • App name:
  • Account type:
  • Redirect URI: (leave blank)
• Click Register

Step 4: Configure Web

• Open the created app registration

• Select Authentication > Click Add a platform > Select Web > Add the following info:

  • Redirect URIs: https://domain:8000/
  • Front-channel logout URL: https://domain:8000/util/Logout
  • Check ID tokens
  • Click Configure button

  Add URIs:

  • https://domain:8000/
  • https://domain:8000/EPiServer/CMS/
  • https://domain:8000/signin-microsoft/
  • https://domain:8000/EPiServer/EPiServer.CMS.UI.Admin/default#/
  • https://domain:8000/signin-oidc

Step 5: Select "Certificates & Secrets"

• Add New client secret
• Click Add button > Description:
• Get client info:
  • Value: (ClientSecret)
  • SecretID:

Step 6: Edit Group Claim

• Select Token configuration > Add a groups claim

Step 7: Add Permission for AAD

• Select API permissions > Click Grant admin consent for AD organization.

Step 8: Expose an API

• Select Expose an API > Click Add to edit Application ID URI with format: https://{domain}/{registered_app_name}. Refer to Step 1 & 3 for data:
• Click Add a scope > Fill in the data
• Click Add scope button

Step 9: Update appRoles

• Open Manifest: Update appRoles

"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Admin the site",
        "displayName": "Administrators",
        "id": "5d40a133-3be3-4c77-8a72-9ea895c9d9dc",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Administrators"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Admin can manage the site",
        "displayName": "WebAdmins",
        "id": "15fdcd66-0446-4777-9c6f-132120240227",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "WebAdmins"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Editor can edit the site",
        "displayName": "WebEditors",
        "id": "9c58404d-f70c-4f9a-9546-64daf963b306",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "WebEditors"
    }
]

Step 10: Assign Role for Created Users

• Open Overview > Click Managed application in local directory link

• Select Users and groups from the left sidebar > Add user/group

• In Add Assignment page, select:

  • User: select the user created from Step 2 or any available user
  • Role: select a role which is defined in Manifest settings at Step 9

Step 11: Get Authentication Information

• Open Entra ID details > Open App registrations > Open app details
• Get the following data:
  • Application ID:
  • Directory (tenant) ID:

Configure Form Headless with AAD

Precondition:

• Created Azure AD for a local site (e.g., https://domain:8000/) and have the data:
  • AAD users:
  • Administrators: [email protected]
  • WebEditor: [email protected]
  • WebAdmin: [email protected]
  • PWD: devLab08@@
  • Authentication information:
  • AzureClientID: ""
  • AzureTenantID: ""
  • Client_Secret: ""

Step 1: Install OpenIdConnect Package

<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="6.x.xx" />

Note: 6.x.xx for net6, 7.x.xx for net7, 8.x.xx for net8

Step 2: Update appsettings.json

{
  "urls": "https://*:8000/",
  "AllowedHosts": "*",
  "Authentication": {
    "AzureClientID": "{client ID}",
    "AzureTenantID": "https://login.microsoftonline.com/{tenantID}/v2.0",
    "CallbackPath": "/signin-oidc"
  }
}

Step 3: Install FormHeadless and OpenIdConnect Packages

<PackageReference Include="Optimizely.Cms.Forms.Service" Version="0.1.0" />
<PackageReference Include="EPiServer.Forms" Version="5.8.0" />

Step 4: Set Site to HTTPS (Optional)

Step 5: Update Startup.cs File

Change below line into:

services.AddCmsAspNetIdentity<ApplicationUser>()
    .AddAdminUserRegistration(options => options.Behavior = RegisterAdminUserBehaviors.Disabled | RegisterAdminUserBehaviors.LocalRequestsOnly);

Configure Headless API with Azure AD:

services.AddOptimizelyFormsService(options =>
{
    options.EnableOpenApiDocumentation = true;
    options.FormCorsPolicy = new FormCorsPolicy
    {
        AllowOrigins = new string[] { "*" }, 
        AllowCredentials = true
    };
    options.OpenIDConnectClients.Add(new()
    {
        Authority = _configuration["Authentication:azureTenantID"],
        Audience = _configuration["Authentication:azureClientID"],    
    });
}); 

Step 6: Usage

Get token from azure AD endpoint and pass alone with headless API request

• Post method: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
• client_id: {AzureClientId}
• client_secret: {ClientSecret}
• username/ password = {AAD users}
• scope: User.Read openid profile
• grant_type: password