I am trying to change the default access denied path when authorization is denied when using Azure AD.
For example, when working with Microsoft's example of "Integrating Azure AD into an ASP.NET Core web app" seen here: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/
The article references an example project on GitHub, see here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore.
I am having difficulties configuring the options inside Startup.cs to change the default controller/method for access denied (which is "Account/AccessDenied").
Can someone please help provide the required changes to the github sample project above so that an unauthorized user is taken to a different path when they are denied authorization other than the default "Account/AccessDenied"?
UPDATE: I added what @Brad suggested in the startup prior (and again now) in my project, but it didn't change, and I'm still being directed to "Account/AccessDenied"... can you think of any other setting that might govern this?
For my project (the automatically created ASP.NET Core Web Application - Web Application (Model-View-Controller) using Work or School Accounts Authentication in Visual Studio 2017), which differs from the example project, I am referencing the NuGet package Microsoft.AspNetCore.Authentication.AzureAD.UI and setting up my AzureAD in the following way (please note using .AddAzureAD and not .AddAzureAd):
```csharp
services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies
    // is needed for a given request.
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

services
    .AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options))
    .AddCookie(options =>
    {
        options.AccessDeniedPath = "/Home";
    });
```
If you use the simple overload of AddAzureAd that only takes an action lambda, the library automatically adds a Cookie scheme for you, but it adds it under the `AzureAdDefaults.CookieScheme` name (not sure why) with its own set of options. If you try to use any normal method to customize the cookie options, it will never get called because you're trying to configure the wrong cookie scheme.
Instead, you can configure the cookie options for the Azure AD custom cookie scheme once it's been added, like so:
```csharp
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme,
    options => options.AccessDeniedPath = "/Home/NoAuth");
```
If you're using the Microsoft.Identity.Web package, like in the latest MVC core VS templates, you'll have this line:
```csharp
services.AddSignIn(Configuration);
```

in which case you'll have to add this:

```csharp
services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme,
    options => options.AccessDeniedPath = "/your/path");
```
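
Both answers come down to configuring the cookie options under the scheme name that is actually registered. The following is an added example, not code from the answers or from either library: a startup diagnostic that lists every cookie-handled scheme with the AccessDeniedPath its named options resolve to. The class and method names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Hypothetical helper (not part of any library). Call it once from
// Startup.Configure while debugging, for example:
//   CookieSchemeDiagnostics.DumpAccessDeniedPathsAsync(app.ApplicationServices)
//       .GetAwaiter().GetResult();
public static class CookieSchemeDiagnostics
{
    public static async Task DumpAccessDeniedPathsAsync(IServiceProvider services)
    {
        var schemes = services.GetRequiredService<IAuthenticationSchemeProvider>();
        // Cookie options are *named* options: one instance per scheme name.
        var cookieOptions = services
            .GetRequiredService<IOptionsMonitor<CookieAuthenticationOptions>>();

        foreach (var scheme in await schemes.GetAllSchemesAsync())
        {
            // Only schemes served by the cookie handler have an AccessDeniedPath.
            if (scheme.HandlerType == null ||
                !typeof(CookieAuthenticationHandler).IsAssignableFrom(scheme.HandlerType))
            {
                continue;
            }

            // Resolve the options exactly as the handler does: by scheme name.
            var options = cookieOptions.Get(scheme.Name);
            Console.WriteLine(
                $"cookie scheme '{scheme.Name}': AccessDeniedPath = '{options.AccessDeniedPath}'");
        }

        // The scheme that receives Forbid when none is named explicitly.
        var forbid = await schemes.GetDefaultForbidSchemeAsync();
        Console.WriteLine($"default forbid scheme: '{forbid?.Name ?? "(none)"}'");
    }
}
```

If a scheme you configured with `.AddCookie(...)` shows your custom path while a different cookie scheme still shows the default, the redirect is being issued by that other scheme, and that is the name to pass to `services.Configure<CookieAuthenticationOptions>(...)`.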