i have a question about securing access to azure App Services, i have two App services,
App service 1 and App service 2, my App service 1 is basically call my App service 2 , my App service 2 should be secured and allow access only from App Service 1 , i did used Ip Adress restrictions but my client said that its not enough so my question what can i use else to secure that access. the framework used here : 4.5. i did some search about Managed identities and Azure active directory but i dont know if i'm following the right path or not.
thanks for helping.
You could register two AD Apps in Azure AD, one for client-app, and one for backend-app.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Register an application in Azure AD to represent the API
Register another application in Azure AD to represent a client application
Grant permissions in Azure AD
You can also refer to this doc - Scenario: Protected web API.
Related
i'm trying to secure communication between two azure app services. i tried to use Managed Identity for that but the only thing i can find is: securing Database access using Managed identity.
So i'm kinda lost here, is Managed Identity can secure communication between two app services or its just responsible to secure resources like Azure Storage, Sql Server?
The MSI(Managed Identity) is used to secure Azure resources, essentially, it is a service principal in your Azure AD tenant, when granted corresponding permission, the MSI will be able to access corresponding resources.
To secure communication between two azure app services, MSI is not for such usage, you need to use Azure AD Apps to do this, register two AD Apps in Azure AD, one for client-app, and one for backend-app. If you enable the MSI of your App Service, it will just create a service principal i.e. enterprise application for you automatically without AD App(App registration).
Please refer to the steps I mentioned in this post.
I am trying to configure multi-tenant authentication with Azure App Service in order to enable multi-tenant authentication for my application. I'm following this tutorial: Consume multi-tenant enterprise APIs secured with Azure AD in SharePoint Framework. But I got stuck while I'm configuring Authentication / Authorization settings.
Any help would be greatly appreciated!
Please refer to Configure your App Service app to use Azure Active Directory login to configure an Azure App to use Azure AD as a authentication provider. While selecting an existing app on express settings you need to make sure the app is registered within your tenant. You can also refer to How to Get to the Keys/Secrets From Azure Active Directory to get the keys/secrets from Azure AD for an Enterprise Application.
I understand the concept of AzureAD App Registrations and I'm using it in several projects. Now I need to generate a Web App that should be deployable as a component in any AAD. This Web App should use Azure APIs to discover components in the subscription it is deployed to which I don't know at develop time.
What is the preferred way to accomplish the app registration fully automated at deploy time? I need to register an app in AAD and then to store the informations (App Id, Tenant ID, ...) in my web.config somehow.
The problem is that you can't develop an app that has access to the Azure AD without it being registered first.
The Azure Portal and Powershell have access. Maybe you can use Powershell to script the permission grant in your scenario?
Otherwise, (I did this a while back for a solution) you can create a multi-tenant web app, that your customers' Azure AD tenant administrators can sign in to. With the tenant administrators granting access, the web app can then access their Azure AD graph API and create the required application definition for your application.
In my scenario the Azure AD client application ran on-premise. It required access to the Azure AD graph API and also needed certificate based authentication towards the Outlook 365 Exchange Web Service. So the web app could create the certificate, grant access to the required APIs, and let the user download the certificate, application ID etc. The on-prem app could then use the downloaded file as its configuration for accessing the Azure AD and other APIs.
I want to access Azure Directories and Subscriptions using my web app hosted on my server but i do not want to register my app in active directory because
i do not have permissions to register my app in active directory
I want to authenticate users from out of my active directory too.
for example following sites let you authenticate any Azure AD user.
https://resources.azure.com/
https://azureiotsuite.com
Please help me to where to start. i have tried Azure AD authentication but it asks you to register your app in Azure AD Apps.
One option is to register your app at https://apps.dev.microsoft.com. (And use the v2 endpoints)
Documentation here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview
What you want to make is known as a multi-tenant application. An application to which you can login from any Azure AD tenant.
The first link leads you to create a converged app which allows you to use Microsoft accounts as well as Azure AD accounts to sign in.
If you only want Azure AD accounts, you could just create an Azure AD and register the app there as a multi-tenant app. (And use the v1 endpoints)
I am working on application where authentication is done by Web service which further calls our organisation AD service to authenticate.
Now I want to move my application to Azure but problem is my web service is not exposed outside organisation. So I can't use web service on Azure to authticate.
Then I searched for Azure AD and found that Azure AD it self provides authenticate and store users data to their data center.
How can I integrate my organisation AD account to Azure AD ?
You are probably looking for Azure AD Connect. See
Integrate your on-premises directories with Azure Active Directory