Configuring Login : AAD

Disclaimer: This guide is intended for product versions and greater.



Out of the box, the LemonEdge WebService supports JWT Bearer tokens as the means for clients to authenticate with the system.

Valid clients could be :

  • The LemonEdge WPF Application
  • The 'Universal Console'
  • An API user using the examples libraries or the Connector
  • Postman or a similar REST client.

The WebService must have configuration changes in order to extend this default behaviour to other providers. The currently supported providers are as follows:

  • JWT : via the WebService as the Authority
  • AAD : Azure Active Directory
  • B2C : Azure Active Directory Business to Consumer
  • OKTA : JWT Bearer
  • Windows : Negotiate

This Article is for  AAD. Please see related articles for the other providers.

Note: To login in via third-party provider, LemonEdge users must be set up with a Windows Login Domain that represents the underlying third-party username.

AAD Configuration


You must have a valid Azure Active Directory, with admin access to create and configure 'Applications'.

1. Login to your Azure Portal, navigate to App registrations.



2. Create 2 applications - one to represent the WebService, and one to represent your Client.

3. Copy the WebService 'Application (client) ID' for use in Server Configuration

4. Copy the WPF/Client 'Application (client) ID' for use in Client Configuration.

5. For both applications, ensure that the Authentication tab has the following settings. The main part is http://localhost



6. Also, ensure public client flow is enabled:


WebService Application

For the WebService application, Expose an API:



It should be called API.Access, and should look like above. You can add the WPF/Client Application to the bottom section. This is equivalent to telling AAD that your Client application is permitted to talk to the WebService application.


WPF Client Application

For the client application, configure  API permissions:



Note here how the permission points to the WebService Application's API.Access scope. Be sure to add this permission if it doesn't already exist.

Keep both application's Overview pages open - you'll need client id and tenant from each for the appSettings.json below.


Server Configuration

Once AAD has been configured, open the appSettings.json for the WebService, as you will need to add a new section. Be aware that the format for these settings are different if the WebService is hosted in Azure or AWS. The Keys and values are still the same, but the format of the settings can vary.


You must add the following settings to LemonEdge config node:


"ServerAuthenticationSettings": {
"AAD": {
"Instance": "",
"ClientId": "{Application (client) ID}",
"TenantId": "{Directory (tenant) ID}",
"Scopes": "api://{Application (client) ID}/API.Access",
"Issuer": "{Directory (tenant) ID}/"

These values are found here:



Run the WebService - you should see the following in the logs:


And going to this URL in the browser:

https://{your server}/Authentication/GetLoginProviders

should return:

["AAD"] - (or more a complex object as of 3.1.2305.1204)

If this is not the case, contact development to help debug the issue.


Client Configuration 


PLEASE NOTE: As of 3.1.2305.1204 - this section has changed. See: This Section



The client requires a few more settings than the server to get running.

The appSettings.json should look like this:



"ClientAuthenticationSettings": {
    "AAD": {
"Instance": "",
"Tenant": "{Directory (tenant) ID}",
"RedirectUrl": "http://localhost",
"ClientId": "{Application (client) ID}",
"Scopes": "api://{WEB API CLIENT ID}/API.Access"

Note how you need the WebService Client ID for this section, as well as the Client Application client ID.


When you run the application, and select WebService as the login profile, then AAD as the provider, you should see the AAD login popup when you click login.

See Logging In for how to log in.



Client Config for Version >= 3.1.2305.1601

As of this version, you must add the client settings to the Web Service, instead of the WPF Client.

The Web Service now sends this information to clients, so there's no need to update the client, and you have a single source of truth.

The Web Service configuration should now look like this:

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.