Securing IdentityManager2
You have probably noticed that IdentityManager2 is accessible without a login. This is by design: you need to restrict access to it.
Scott Brady described a way to use IdentityServer to do that (https://www.scottbrady91.com/aspnet-identity/getting-started-with-identitymanager2). We would also recommend doing it that way. Setting up IdentityServer isn't that straightforward and isn't covered in this book. Unfortunately, it is not possible to use the default ASP.NET Core individual authentication to protect IdentityManager2. It seems the middleware that creates the IdentityManager2 UI doesn't support individual authentication and redirects to the ASP.NET Core Identity UI.
It would make sense to create a separate ASP.NET Core application that hosts IdentityManager2. This way, this kind of administrative UI would be completely separated from the publicly available application, and you would be able to use either OAuth or Azure Active Directory...