{
  /*
   * appsettings.json — ASP.NET Core configuration for the Management API.
   * Comments are permitted because the .NET JSON configuration provider
   * accepts them (JSONC); do not feed this file to a strict RFC 8259 parser.
   * Values here are defaults: appsettings.{Environment}.json and the
   * container's environment variables (Section__Key) override them.
   */
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },

  /*
   * "*" disables ASP.NET Core host-header filtering: any Host value is
   * accepted. That is only acceptable when a trusted ingress / reverse proxy
   * in front of the container pins the hostname. Otherwise list the public
   * hostname(s) here (semicolon-separated) — they are not known from this
   * file, so the value is left unchanged.
   */
  "AllowedHosts": "*",

  "Auth": {
    /*
     * NOTE(review): the name suggests a local-development switch that bypasses
     * staff authentication — confirm in the auth middleware. It must stay false
     * in every deployed environment: a true value in an appsettings.*.json
     * override or an Auth__AllowDevBypass env var would switch off auth on
     * the container (env vars override this file).
     */
    "AllowDevBypass": false,

    /*
     * STAFF IDENTITY — Microsoft Entra ID (positivespend tenant)
     *
     * App registration: AdPlatform Management Staff API (af95fa13) in the
     * positivespend tenant f56a3c51. The Tech SPA (846a3677) authenticates
     * against this same tenant and requests the scope
     * api://af95fa13-.../access_as_user.
     *
     * Management validates incoming JWTs:
     *   issuer   = login.microsoftonline.com/f56a3c51/v2.0
     *   audience = af95fa13 or api://af95fa13
     *   roles    = Staff.Admin | Staff.Tech
     *
     * Security notes:
     *   - TenantId pins the issuer to this one tenant. Never replace it with
     *     "common" or "organizations": that would accept tokens minted by any
     *     Entra tenant.
     *   - Only the two audience values above should be accepted; a token
     *     issued for a different API must not validate against this one.
     *   - Signature / issuer / audience validation authenticates the caller;
     *     the Staff.Admin / Staff.Tech roles still have to be enforced by
     *     authorization policies on the endpoints (confirm in the controllers).
     *
     * These are the correct defaults and are also set as env vars on the
     * container. The env vars take precedence, so keep both in sync:
     *   Auth__Staff__Instance = https://login.microsoftonline.com/
     *   Auth__Staff__TenantId = f56a3c51-9b5c-4356-920f-b4dcf932a96b
     *   Auth__Staff__ClientId = af95fa13-2ef4-4911-b137-7acc6a784cfa
     */
    "Staff": {
      "Instance": "https://login.microsoftonline.com/",
      "TenantId": "f56a3c51-9b5c-4356-920f-b4dcf932a96b",
      "ClientId": "af95fa13-2ef4-4911-b137-7acc6a784cfa"
    }
  },

  /*
   * GRAPH API — app-only (client-credentials) access for reading users of the
   * Entra org tenant. Used by AdminAccessController to list platform access
   * users.
   *
   * TenantId and ClientId refer to the org tenant (thematrixpoint), NOT the
   * CIAM tenant and NOT the positivespend staff tenant configured above.
   *
   * ClientSecret is deliberately empty in source control and must be injected
   * at runtime:
   *   Graph__ClientSecret = (Azure Container Apps env var; ideally referenced
   *                          from a Container Apps secret rather than set inline)
   * Never paste the value into this file or any appsettings.*.json. If it is
   * ever committed, treat it as leaked and rotate it in the portal.
   *
   * PREREQUISITES (one-time Entra portal steps):
   *   1. App registration: AdPlatform Staff (b0f29246-...)
   *   2. API permissions → Microsoft Graph → Application → User.Read.All
   *   3. Grant admin consent
   *   4. Create a client secret → copy value → set Graph__ClientSecret env var
   *      (note the expiry date — client secrets expire and must be rotated
   *      before then or the user listing silently starts failing)
   *
   * Least-privilege notes:
   *   - User.Read.All is tenant-wide and app-only (no signed-in user context).
   *     If the controller only needs id / display name / UPN, check whether
   *     the narrower User.ReadBasic.All is sufficient.
   *   - A managed identity (or a federated identity credential on the app
   *     registration) would remove the long-lived secret entirely; consider
   *     it if the hosting platform supports it.
   */
  "Graph": {
    "TenantId": "0be4c23a-6941-4bdb-b397-a4faf88de4b3",
    "ClientId": "b0f29246-91e7-4615-96db-5de9b6f8da2e",
    "ClientSecret": ""
  }
}