How to Authenticate Blazor app using Azure EntraID and certificate

Hi, I'm trying to find out how to secure my Blazor using Entra with a certificate. I've been googling and youtubing for hours and have found endless guides on how to authenticate using clientID/secret, but due to security that method isn't an option for me.

My app is a Blazor app, in interactive server mode. The app will be accessed by humans as well as an automated device that has scripting capability and can use a certificate. The app is currently working fine and hosted in IIS on an on-premises server. My next step is to secure it, in particular the API will be exposed to a client outside our organisation. By API I mean specifically that I've added minimal API methods into the Blazor app that perform the same functions as the UI. 


I want to use Azure Entra to handle the authentication, and I already have an app registered. My understanding is that our client will supply a certificate to us, we install it in Azure, and when they access the API they supply the private key part of the certificate which we authenticate against the public key. 

I'm looking for a guide or tutorial that explains how to do this, if anyone can suggest one?

Thanks


1 Reply

Karthikeyan Palanisamy, Syncfusion Team, November 24, 2025 07:20 AM UTC

Hi Will Waterston,


Thank you for reaching out with your query. We understand that your question is more general and not specifically related to the Syncfusion library. However, we’ve reviewed your requirements and provided general instructions and guidelines for securing your Blazor Server application and its minimal APIs using Microsoft Entra ID with certificate-based authentication. This is an excellent approach for scenarios involving automated devices and non-interactive clients.


Here are the recommended steps and resources:

  1. Configure Certificate Authentication in Microsoft Entra:
     • In your App Registration, upload the client’s public certificate under Certificates & Secrets.
     • The external client will use the private key to request tokens from Azure AD using the OAuth 2.0 client credentials flow with certificate-based authentication.

  2. Implement Authentication in Blazor Server + Minimal APIs:
     • Use the Microsoft.Identity.Web library for OpenID Connect and JWT validation. In Program.cs, configure:
       • AddMicrosoftIdentityWebApp for interactive user authentication.
       • AddMicrosoftIdentityWebApi for securing minimal APIs with bearer tokens.


Official Microsoft Documentation:

 

Set Up Microsoft Entra CBA - Microsoft Entra ID | Microsoft Learn

Secure an ASP.NET Core Blazor Web App with Microsoft Entra ID | Microsoft Learn

How to configure daemon apps that call web APIs - Microsoft identity platform | Microsoft Learn

Acquire tokens to call a web API using a daemon application - Microsoft identity platform | Microso…

Microsoft Entra Authentication Overview - Microsoft Entra ID | Microsoft Learn

Configure Microsoft Entra Authentication - Azure App Service | Microsoft Learn

 

Reference sample from MSDN: blazor-samples/10.0/BlazorWebAppEntra at main · dotnet/blazor-samples

 

Please review these resources and let us know if you have any Syncfusion Library related queries.


Regards,

Karthikeyan P
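
The Program.cs arrangement described in step 2 of the reply, as an added example that is not part of the thread and not Syncfusion's or Microsoft's sample code. It registers both schemes and pins the minimal API to the bearer scheme. The "AzureAd" section name, the "ApiClient" policy, the "Api.Access" app role, the /api/status endpoint and the BlazorApp.Components namespace are assumptions.

```csharp
// Program.cs (added example; names marked "assumed" are not from the thread)
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using BlazorApp.Components; // assumed project namespace containing App.razor

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration section with Instance, TenantId and ClientId.
var azureAd = builder.Configuration.GetSection("AzureAd");

// Humans: OpenID Connect sign-in with a cookie session for the Blazor UI.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(azureAd);

// Automated client: bearer tokens it obtained from Entra with its certificate.
builder.Services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(azureAd);

builder.Services.AddAuthorization(options =>
{
    // Pin the API policy to the JWT bearer scheme so that a missing or
    // invalid token gets 401 instead of a redirect to the sign-in page.
    options.AddPolicy("ApiClient", policy => policy
        .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .RequireRole("Api.Access")); // assumed app role granted to the client
});

builder.Services.AddRazorComponents().AddInteractiveServerComponents();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();

// Hypothetical minimal API endpoint: only the bearer scheme is accepted here.
app.MapGet("/api/status", () => Results.Ok(new { status = "ok" }))
    .RequireAuthorization("ApiClient");

// The UI falls back to the default (OpenID Connect) scheme.
app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode()
    .RequireAuthorization();

app.Run();
```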

