I am developing some workflows on Azure, and I need some help with setting up authentication. Here is what I am setting up:
There are 2 tenants involved - tenant1 and tenant2
I have a web API deployed to an App Service on a subscription tied to tenant1
I also have a logic app on the same subscription as the web API that wants to periodically call the above API end points automatically
Other than the logic apps, only users from tenant2 should be allowed to call the above web API end points directly
How do I use authentication using Azure AD to set this up correctly? I have tried enabling AAD authentication on the app service, and playing with managed identities to allow the logic app to access it, but logic app authentication is not working. I seem to have set things up correctly to allow the users from tenant2 to access the API though, so now I just need to get the logic apps to authenticate with it correctly. I am looking for an option that uses managed identities.
You can turn on the System-Assigned managed identity in Logic App and your Web API and then use a Logic App Action with settings of Authentication like below to call authenticated API endpoint using Logic App:
Related
I am wondering if it is possible to restrict access to an azure web app (it is functioning as an api, so I dont want public access just via the url) to API Manager through managed identity? Everything I can see is for using Azure HTTP Functions, not to a web app
Im assuming by doing so that users in the AD can also access the web app directly?
Yes, it is possible.
Your back-end API will need to check for either:
An application permission (appRole) defined on the API app registration and assigned to the Managed Identity through PowerShell
Or check that the object id in the token matches the Managed Identity
In the first option, other apps won't be able to use the API directly unless that permission is granted to that client application by an Application Admin/Global Admin.
The second option outright prevents other apps from using the API directly.
In both cases, you'll have the API Management policy get an access token targeting your API app registration.
I've done some reading in regards to Azure AD, but I still can't wrap my head around it. The confusion might be there also because of how my company tries to standarize how a azure project should look like.
Imagine I have two things: SPA app (served by App Service) and API (on this App Service, ASP.NET). The approach that the company is suggesting is that both of those should have their App Registrations.
Now, I'd like the API to have access to Ms Graph. In order to do that, looking at other projects, I updated my AppRegistration to request for Ms Graph roles, Admin gave consent, and in API I used ConfidentialClient to reuse my Client Id/Secret to get token and then access MsGraph.
Why the hustle? Why not just use Managed Identity of my API and grant needed permissions using New-AzureAdServiceAppRoleAssignment?
Why do I need App Registration here? Do I need both? Should I access Ms Graph using my App Registration and confidential client in my API? How does my App Service relate to my App Registration in code?
Let's take a step back and define a few things that will make things easy to understand:
Your app service: this is just a compute environment, just as Azure Functions, Logic apps or VMs. This is where your code executes.
Azure AD App registration: this is an identity that you can use in your code to identify your service and get access to resources you need. The Azure AD app registration has several capabilities:
build an app in one tenant and used in multiple tenants (multi-tenant app)
consent framework, allowing you to request permissions and the owner to grant it
define roles and permissions, so that you can configure who is allowed to call your API
3-legged OAuth flows which allows you to act on behalf of the user
confidential client flows which allow the app to act on its own (like a service account)
Azure Managed Identities: this is also an identity that you can use to identify your service and get access to resources you need. It only has a subset of the capabilities of Azure AD app.
confidential client flow which allows the identity to act on its own (like a service account)
credentials managed for you by the platform
Depending on what you are trying to do, you can use one or the other identity: rarely if ever you will need both.
In your case, you need an identity to act on its own. So either app registration or managed identity will work. Your API may benefit from using an app registration if you want to define roles and permissions. The primary advantage of using an app registration in your scenario is that the consent model is simpler to use and understand. The disadvantage is that you need to manage credentials for the app. This pro/con is reversed when using a managed identity.
You don’t need both at a time. These are two ways to get the access of MS graph for your API. They are used for different purpose.
Managed Identity (Using System Identity)
· Use the Managed Identity if you don’t require your API to be authenticate from any provider.
· A managed identity from Azure Active Directory allows App Service to access resources through role-based access control (RBAC), without requiring app credentials
· It known as safe way to give your web app access to data is to use a system-assigned managed identity
· Currently, there's no option to assign any permissions(MS graph) through the Azure portal for Managed Identity
· When we do Manged Identity of any application its show only for Enterprise application.
Reference : Tutorial - Web app accesses Microsoft Graph as the app - Azure App Service | Microsoft Docs
App Registration.
· To set the authentication and authorization of your app from different provider its need your app registration id.
· It’s required to configure a service and get a token from the Microsoft identity platform endpoint that service can use to call Microsoft Graph under its own identity.
·In this using portal you can add permission (MS Graph) for your application.
Reference : https://learn.microsoft.com/en-us/graph/auth-v2-service
I have two Azure Web Apps, one is a website and acting as the front-end, the other one is an API and acting as the backend. I would like to add authentication to this solution so only the front-end can access the backend. To do this, I've configured AAD authentication on the backend Web App with the express option that creates a new Azure AD application configured with the correct reply URL, API permissions (User.Read), etc. When I then navigate to the backend Web App URL, I need to sign-in with my Azure AD credentials.
Which steps do I need to take to restrict that so I as an user cannot login and only the front-end Web App can authenticate to the backend API?
For example, I can set the "Authorized client applications" on the Azure AD application of the backend API. However, I need to have an application ID to add an authorized client and I would like to use the Managed Identity of the front-end Web App for this, not a new and additional Azure AD application.
Any idea how to do this?
This is weird, if the login screen still appears, there is a problem with your code configuration, because the client credential flow does not involve user interaction.
I found a useful sample for your reference, this sample application shows how to use the Microsoft identity platform to access the data from a protected Web API, in a non-interactive process. It uses the OAuth 2 client credentials grant to acquire an access token, which is then used to call the Web API.
I'm trying to utilize built-in Azure App Service / Function AD authentication for access control. I'd like to use the same authentication for both the app service (which is a UI SPA app) and the function (HTTP trigger) so that users only need to log in once. My function app is a node.js function.
I do not need authorization, i.e. I just want to let certain users use the app service and function but they all have full access.
I have an app service set up with AD authentication which works beautifully by just enabling AD authentication from the portal and selecting "express" mode with the correct AD application. The AD app has implicit authentication flow enabled.
The problem is the function. How do I reuse the user's authentication status from the app service (i.e. the single-page frontend app) for the function?
Right now I'm at a point where I can obtain an authentication token using AAD MSAL but I cannot seem to be able to access the function with that. It doesn't help that there seem to be a dozen ways to use the auth (X-ZUMO, OAuth bearer, etc.).
To summarize, I'd like to just restrict access to SPA web app (app service) and function so that user is only required to login once. I can implement authentication code in the function but if I can get it to just Work(tm) without touching the function code, even better.
Assuming you already have the Easy Auth setup to your Web App, all you need to do is add your function app as as allowed audience.
More info: https://stackoverflow.com/a/53511688
I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.