Cirreum.Authorization.Entra
1.0.25
dotnet add package Cirreum.Authorization.Entra --version 1.0.25
NuGet\Install-Package Cirreum.Authorization.Entra -Version 1.0.25
<PackageReference Include="Cirreum.Authorization.Entra" Version="1.0.25" />
<PackageVersion Include="Cirreum.Authorization.Entra" Version="1.0.25" />
<PackageReference Include="Cirreum.Authorization.Entra" />
paket add Cirreum.Authorization.Entra --version 1.0.25
#r "nuget: Cirreum.Authorization.Entra, 1.0.25"
#:package Cirreum.Authorization.Entra@1.0.25
#addin nuget:?package=Cirreum.Authorization.Entra&version=1.0.25
#tool nuget:?package=Cirreum.Authorization.Entra&version=1.0.25
Cirreum Authorization Entra
Azure Entra ID authorization provider for the Cirreum framework
Overview
Cirreum.Authorization.Entra is a .NET 10 authorization provider that seamlessly integrates Azure Entra ID (formerly Azure Active Directory) authentication into applications built with the Cirreum framework. It provides a unified configuration approach for both Web API (JWT Bearer) and Web App (OpenID Connect) authentication scenarios.
Features
- Dual Authentication Support: Handles both Web API (JWT Bearer tokens) and Web App (OpenID Connect) authentication flows
- Microsoft Identity Web Integration: Built on top of Microsoft's official Identity Web library for robust Azure Entra ID support
- Configuration-Driven: Uses strongly-typed configuration classes that integrate with .NET's configuration system
- Multi-Instance Support: Configure multiple authentication schemes within a single application
- Cirreum Provider Framework: Follows established patterns from the Cirreum ecosystem for consistency and reliability
When to use this vs. Cirreum.Authorization.Oidc
Entra-specific features (Graph API calls, On-Behalf-Of flows, sovereign clouds, MSAL token cache) require Microsoft.Identity.Web, which this package wraps. If you're validating tokens from an Entra tenant and need any of those features, use this package. Otherwise, prefer the lighter-weight generic OIDC provider:
| Token source | Use | Why |
|---|---|---|
| Entra Workforce (employees, Microsoft Graph access) | Cirreum.Authorization.Entra | Microsoft.Identity.Web features (Graph, OBO, sovereign clouds) |
| Entra External ID (CIAM) with Entra-specific features | Cirreum.Authorization.Entra | Same — if you need OBO, sovereign clouds, etc. |
| Entra External ID (CIAM) standard token validation only | Cirreum.Authorization.Oidc | Standard OIDC; fewer dependencies |
| Descope, Auth0, Okta, Keycloak, other OIDC providers | Cirreum.Authorization.Oidc | Not Microsoft-specific; no Identity Web needed |
| Customer-owned IdPs (B2B SaaS, dynamic tenants) | Cirreum.Authorization.External | Needs dynamic tenant resolution at runtime |
You can mix providers — for example Cirreum.Authorization.Entra for a Workforce instance
and Cirreum.Authorization.Oidc for a Descope instance in the same API. Each instance
registers as its own ASP.NET Core authentication scheme, and Cirreum's dynamic scheme
selector routes incoming tokens to the correct one based on the aud claim.
Usage
Registration
Entra authentication is automatically registered when you call AddAuthorization() with Entra configured in appsettings:
// Entra (and other providers) are registered automatically from appsettings.json
builder.AddAuthorization();

// Or with additional authentication schemes
builder.AddAuthorization(auth => auth
    .AddExternal<MyTenantResolver>()   // Add BYOID support
    .AddSignedRequest<MyResolver>()    // Add signed request support
);
Configuration
Configure Azure Entra ID settings in your appsettings.json:
{
  "Cirreum": {
    "Authorization": {
      "PrimaryScheme": "Default",
      "Providers": {
        "Entra": {
          "Instances": {
            "Default": {
              "Enabled": true,
              "Instance": "https://login.microsoftonline.com/",
              "TenantId": "your-tenant-id",
              "Audience": "api://your-client-id"
            }
          }
        }
      }
    }
  }
}
Configuration Properties
| Property | Required | Description |
|---|---|---|
| Enabled | Yes | Whether this Entra instance is active |
| Instance | No | Azure AD instance URL (defaults to public cloud) |
| TenantId | Yes | Your Azure AD tenant ID |
| Audience | Yes | The expected audience claim (your app's client ID) |
Multiple Entra Instances
You can configure multiple Entra instances for different audiences:
{
  "Cirreum": {
    "Authorization": {
      "PrimaryScheme": "WorkforceUsers",
      "Providers": {
        "Entra": {
          "Instances": {
            "WorkforceUsers": {
              "Enabled": true,
              "TenantId": "workforce-tenant-id",
              "Audience": "api://workforce-app"
            },
            "ExternalCustomers": {
              "Enabled": true,
              "TenantId": "external-tenant-id",
              "Audience": "api://customer-app"
            }
          }
        }
      }
    }
  }
}
The dynamic scheme selector routes tokens to the correct instance based on the aud claim.
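The page does not show how Cirreum's selector is implemented. As an added illustration (not the project's code), the same aud-based routing can be built from stock ASP.NET Core APIs with a policy scheme; the scheme names, audiences and authority URLs below are assumptions mirroring the sample configuration above.

```csharp
// Added illustration (not Cirreum's code): aud-based scheme routing built from
// stock ASP.NET Core APIs. Names and values mirror the sample configuration.
using Microsoft.IdentityModel.JsonWebTokens;

const string Primary = "WorkforceUsers";
var builder = WebApplication.CreateBuilder(args);

// Audience -> scheme map (assumed, taken from the sample appsettings above).
var schemeByAudience = new Dictionary<string, string>(StringComparer.Ordinal) {
    ["api://workforce-app"] = "WorkforceUsers",
    ["api://customer-app"] = "ExternalCustomers",
};

builder.Services
    .AddAuthentication("Selector")
    .AddPolicyScheme("Selector", "aud-based selector", options => {
        options.ForwardDefaultSelector = context => {
            string header = context.Request.Headers.Authorization.ToString();
            if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) {
                return Primary; // no bearer token: the primary scheme answers 401
            }
            try {
                // Unvalidated parse: used only to pick a handler, never to authorize.
                var jwt = new JsonWebTokenHandler().ReadJsonWebToken(header[7..].Trim());
                foreach (string aud in jwt.Audiences) {
                    if (schemeByAudience.TryGetValue(aud, out var scheme)) return scheme;
                }
            } catch (Exception) {
                // Malformed token: fall through so the primary scheme rejects it.
            }
            return Primary; // unknown aud fails that scheme's audience validation
        };
    })
    .AddJwtBearer("WorkforceUsers", o => {
        o.Authority = "https://login.microsoftonline.com/workforce-tenant-id/v2.0"; // assumed
        o.Audience = "api://workforce-app";
    })
    .AddJwtBearer("ExternalCustomers", o => {
        o.Authority = "https://login.microsoftonline.com/external-tenant-id/v2.0"; // assumed
        o.Audience = "api://customer-app";
    });

builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (HttpContext c) => c.User.Identity?.Name ?? "(no name)").RequireAuthorization();
app.Run();
```

The aud value read in the selector comes from an unverified token, so it only decides which handler runs; signature, issuer and audience are still enforced by the selected JWT bearer scheme.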
Architecture
The provider follows the Cirreum authorization framework pattern with these key components:
- EntraAuthorizationRegistrar: Main registrar implementing Web API and Web App authentication setup
- EntraAuthorizationSettings: Root configuration settings
- EntraAuthorizationInstanceSettings: Per-instance configuration (extends base authorization settings)
Contribution Guidelines
- Be conservative with new abstractions: The API surface must remain stable and meaningful.
- Limit dependency expansion: Only add foundational, version-stable dependencies.
- Favor additive, non-breaking changes: Breaking changes ripple through the entire ecosystem.
- Include thorough unit tests: All primitives and patterns should be independently testable.
- Document architectural decisions: Context and reasoning should be clear for future maintainers.
- Follow .NET conventions: Use established patterns from Microsoft.Extensions.* libraries.
Versioning
Cirreum.Authorization.Entra follows Semantic Versioning:
- Major - Breaking API changes
- Minor - New features, backward compatible
- Patch - Bug fixes, backward compatible
Given its role as an authorization provider, major version bumps are rare and carefully considered.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Cirreum Foundation Framework
Layered simplicity for modern .NET
| Product | Compatible and additional computed target framework versions |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |

- net10.0
  - Cirreum.AuthorizationProvider (>= 1.0.26)
  - Microsoft.AspNetCore.DataProtection (>= 10.0.7)
  - Microsoft.Identity.Web (>= 4.9.0)
NuGet packages (1)
Showing the top 1 NuGet packages that depend on Cirreum.Authorization.Entra:
| Package | Downloads |
|---|---|
| Cirreum.Runtime.Authorization: The Runtime Authorization configuration. | |
| Version | Downloads | Last Updated |
|---|---|---|
| 1.0.25 | 122 | 5/7/2026 |
| 1.0.24 | 101 | 5/1/2026 |
| 1.0.23 | 118 | 4/28/2026 |
| 1.0.22 | 127 | 4/26/2026 |
| 1.0.21 | 126 | 4/14/2026 |
| 1.0.20 | 133 | 4/10/2026 |
| 1.0.19 | 152 | 3/21/2026 |
| 1.0.18 | 127 | 3/17/2026 |
| 1.0.17 | 108 | 3/17/2026 |
| 1.0.16 | 137 | 3/13/2026 |
| 1.0.15 | 111 | 3/12/2026 |
| 1.0.14 | 130 | 3/9/2026 |
| 1.0.12 | 107 | 3/6/2026 |
| 1.0.11 | 194 | 1/21/2026 |
| 1.0.10 | 151 | 1/11/2026 |
| 1.0.9 | 263 | 12/20/2025 |
| 1.0.8 | 132 | 12/20/2025 |
| 1.0.7 | 200 | 12/20/2025 |
| 1.0.6 | 297 | 12/19/2025 |
| 1.0.5 | 310 | 12/16/2025 |