Disable user registrations in ASP.NET 5 & Core 3 identity

Published on

When you build a new ASP.NET 5 & Core 3 website with Authentication in Visual Studio, you might discover that registrations are enabled by default.

If you're building a SAAS web application, this is likely what you want. Who wouldn't want new users to register with your service!

Unfortunately this is a security issue for restricted applications that are only intended to be used by people within your company.

The Solution

Luckily for us, disabling new registrations is fairly simple and should only take a few minutes to configure within the codebase.


You first need to scaffold three identity pages if you haven't done so already. These three pages are Account.Register, Account.Login, and Account.RegisterConfirmation.

This can be achieved with the following console command.

dotnet aspnet-codegenerator identity -dc RPauth.Data.ApplicationDbContext --files "Account.Register;Account.Login;Account.RegisterConfirmation"

Alternatively, you can use the GUI. Simply right click on your solution in Visual Studio, then click Add > New Scaffolded Item > Add Identity > tick the options for Account.Register, Account.Login, and Account.RegisterConfirmation and select your data context from the dropdown. Then click add.

Scaffold identity from Visual Studio

Editing Scaffolded Pages

You now need to expand Areas/Identity/Pages/Account in the solution explorer and edit Register.cshtml.cs to match the following code snippet. This will redirect users to the login page if they land on the Registration page.

public class RegisterModel : PageModel
    public IActionResult OnGet()
        return RedirectToPage("Login");

    public IActionResult OnPost()
        return RedirectToPage("Login");

Next up, edit Areas/Identity/Pages/Account/Register.cshtml to look like the following.

@model RegisterModel
    ViewData["Title"] = "Go to Login";


<li class="nav-item">
    <a class="nav-link text-dark" asp-area="Identity" asp-page="/Account/Login">Login</a>

Now remove the registration link from Areas/Identity/Pages/Account/Login.cshtml

    <a asp-page="./Register" asp-route-returnUrl="@Model.ReturnUrl">Register as a new user</a>

You can now edit Areas/Identity/Pages/Account/RegisterConfirmation.cs to remove the code relating to registration.

  public class RegisterConfirmationModel : PageModel
      public IActionResult OnGet()
          return Page();

And that's it. At this point you'll normally need to start looking for alternative methods for creating new users. But registrations from the website are now disabled and your internal-only app is now a little bit more secure.

Article Categories: # c# # .net # identity
Date Published: Mar 7, 2020


A tech blog by Andy P. I talk about coding, enterprise software development, tech, games design & other things that interest me.

Signup To The Newsletter

I try to post a new interesting article every saturday.

IT Asset Management

Our friends at AssetPad are building a complete online solution for managing the IT assets within your organisation. With barcodes and documentation tools.