Is it possible to have Azure App Registration in one tenant and App Services in another - azure

Does anyone know if it's possible to create an App Registration in one tenant and then use that registration in another tenant within App Services?
Regards, Oskar

In general, yes, it is. If you create an app registration, you might define the URL of the App Service in its reply URLs.
Then you can define on the App Service that it should use authentication with a given AAD tenant.
After all you can use AAD authentication anywhere, on an app hosted in AWS, the Google cloud or an on-prem server.
Of course the Authentication/Authorization feature of App Service is only available there, but that doesn't stop you from configuring authentication within your app.
Managed Identity is a feature that only works within the tenant connected to the subscription though.

Related

Provide App service security in Azure solutions

I have a ClickOnce Windows application which already has authentication and authorization built in. Earlier I used to deploy it on a physical server and share the location with users so that they can install it and use it. But now we have decided to deploy it on an Azure PaaS service (App Service). But currently the URL is getting accessed by anyone, which I want to restrict. Currently my organization's AD is not synced with Azure AD, so I am not able to use Azure AD for authentication.
Kindly provide some better solutions other than restricting users based on IP.
If it's a file download you can put it on Azure Blob storage for download and generate short-time SAS tokens.
While IP address restrictions and Azure AD authentication would be one efficient approach for your scenario, since you do not want to go that route (due to environment limitations), you could, if you wish, authenticate users with a specified provider (Microsoft Account, Facebook, Google, Twitter or any OpenID Connect provider). App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code.
App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. You can also use multiple sign-in providers.
So the simple process could be:
The option is Log in with . App Service redirects all anonymous requests to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized.
Kindly check out the step-by-step instructions on the process/workflow:
Configure your App Service or Azure Functions app to use Microsoft Account login
If your WebApp is on VNet, you can have service endpoints enabled for Microsoft.Web, through access restrictions.
See: Advanced usage of authentication and authorization in Azure App Service

Is it possible to connect to on-prem API through Azure AD Application Proxy without interactive user login?

I'd like to connect to an On-Prem API from an external cloud service using the Azure AD Application Proxy. I can connect and use the API by logging in with my Azure AD User in a browser, but would like a code-based-like login to use from my external service.
I've been digging through various articles the last couple of days, and it seems not possible without an Azure AD User interactive login. I am able to create an AD user for this service only if needed, but handling the interactive login from code or even through Postman seems troublesome.
Can someone point me in the right direction to solve this cloud-service to on-prem app solution? (unfortunately, I can't move the on-prem app to Azure).
EDIT: I'll be looking at using the pass-through option in the App registration, which means I need to handle the authentication and security in my API.
Perhaps you could consider using an on-premises data gateway instead, but it depends on where your external cloud service is hosted.
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install
Essentially, if your external cloud service is completely outside your environment and your control, the data gateway can still be used, then you can expose a Logic App as a facade that can integrate with the on-premises data gateway. The external cloud service can then call the logic app to trigger the request, which can be secured by other means e.g. SAS key.

How to secure azure pre-production web app

We want to use Azure Web Apps not only for production but also for pre-production sites. These sites should be accessible only to users in our Azure AD, or even better only to users with specific roles in the Azure AD. Or, as a workaround, some form of authentication without changing the code of the app, since the app should be publicly available at some point in time.
At the moment these web servers are hosted in our internal network so they are only accessible through vpn or on site.
How can I secure a pre-production web app?
I tried the built-in authentication with AD, but I can't authorize a specific AD role or AD directory without changing the application itself.
What would be perfect for us would be a simple Basic Auth on the web app which I understand is also not possible without changing the App.
Anyone facing the same problem?
Maybe there is a design pattern for this? Or some Gateway to handle this?
Any hints would help,
Thanks
Stefan
Follow this article which shows how to configure Azure App Service to use Azure Active Directory (Azure AD) as an authentication provider.
Some best practices when setting up your app and authentication:
Give each App Service app its own permissions and consent.
Configure each App Service app with its own registration.
Avoid permission sharing between environments by using separate app registrations for separate deployment slots. When testing new code, this practice can help prevent issues from affecting the production app.
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
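One way to get the "only users with a specific AD role" behaviour the question asks for once App Service authentication is switched on, as an added example that is not part of the original answer: App Service passes the signed-in user's claims to the app in the X-MS-CLIENT-PRINCIPAL header (base64-encoded JSON), so a small check at the top of the app can require an app role. The header contents, user name and role values below are constructed for this example.

```python
import base64
import json

# Claim types used in the constructed sample; the header names them in its own
# "name_typ"/"role_typ" fields, which the check below prefers over these defaults.
NAME_TYP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_TYP = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed X-MS-CLIENT-PRINCIPAL value: base64 of the JSON document that
# App Service injects into the request after an Azure AD sign-in.
SAMPLE_HEADER = base64.b64encode(json.dumps({
    "auth_typ": "aad",
    "name_typ": NAME_TYP,
    "role_typ": ROLE_TYP,
    "claims": [
        {"typ": NAME_TYP, "val": "stefan@example.test"},
        {"typ": ROLE_TYP, "val": "PreProdTester"},
    ],
}).encode()).decode()


def decode_principal(header_value):
    """Return the principal dict, or None if the header is absent or malformed."""
    if not header_value:
        return None
    try:
        principal = json.loads(base64.b64decode(header_value))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return principal if isinstance(principal, dict) else None


def claim_values(principal, claim_type):
    """All values of one claim type (a role claim may appear more than once)."""
    return {c.get("val") for c in principal.get("claims", []) if c.get("typ") == claim_type}


def authorize(headers, required_role):
    """Return (http_status, user_name): 401 = not signed in, 403 = signed in but
    without the role, 200 = allowed. Only trust this header when App Service
    authentication is enabled, since the platform then overwrites any value a
    client supplies itself."""
    lowered = {k.lower(): v for k, v in headers.items()}
    principal = decode_principal(lowered.get("x-ms-client-principal"))
    if principal is None:
        return 401, None
    name = next(iter(claim_values(principal, principal.get("name_typ", NAME_TYP))), None)
    roles = claim_values(principal, principal.get("role_typ", ROLE_TYP))
    if required_role not in roles:
        return 403, name
    return 200, name
```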

Authenticate converged applications(MSA) on Azure Webapp

We are planning to set up a multi-tenant Azure web API which will be invoked by a client app that is registered as a converged app with MSA but not in Azure AD. The client app owner doesn't have Azure AD on their side, and the client belongs to a different tenant.
Can someone please explain how the client will invoke our Azure AD web API, as the client isn't registered as an Azure web app?
We have set up a .NET Core Azure web app.
You need to consent to the web API from your client app tenant first. To consent to the web API, you could follow this:
https://login.microsoftonline.com/client-app-tenant/oauth2/authorize?client_id=api-client-id&redirect_uri=api-reply-url&response_type=code&prompt=admin_consent
By this, a service principal will be created in your app tenant for the API, allowing you to assign app permissions to the web API in your app tenant.

Can I use Service Principal to authenticate an application that is not hosted in Azure using role-based access control?

I've created an event hub that I want to call from an app hosted outside of Azure. Can I create a service principal in AAD and use it for authentication of the non-Azure hosted application?
Yes, it doesn't matter if the application is hosted in Azure or not; the service principal is used to authenticate, and it doesn't check where you are hosting the app.
But I don't think you can use a service principal to talk to Event Hub; you will need to use a connection string.