Azure - restrict access to app service only - security

I've created a website in Azure and I want to allow users to log in and use the app, but I'm slightly confused by Azure Active Directory access. I want users to only have access to the web app, not to the portal. Users will be from within my organisation and from outside it, so it's vitally important that access is locked down: if a user somehow ends up at the Azure portal they must not be able to access it. If I set users up in our Active Directory, won't they be able to log in to the Azure portal too? I want to take advantage of authentication as a service and hand over authentication and multi-factor authentication to Azure, but everything I've read so far seems to suggest that if I use Azure Active Directory, users will be able to access the Azure portal too. Is this correct or am I misinterpreting the information? Are there any step-by-step guides available for these sorts of scenarios?

"If I use Azure Active Directory, users will be able to access the Azure portal too, is this correct or am I misinterpreting the information?"
No, your users will not have access to Azure Portal (rather Azure Subscription as Azure Portal is an application using which a user manages one or more Azure Subscriptions) unless you grant them permission to access it. In order for your users to have access to Azure Portal, you would need to grant them permissions explicitly to do so. In the new portal, you do it by assigning roles (e.g. Owner, Contributor, Reader etc.) and in the old portal you do it by making them co-administrators.
Unless you do this, when they log in to the Azure portal all they will see is a message stating that no Azure subscriptions were found.

Related

User can't access correct Azure portal

We're a very small company, for unknown reasons our internal app infrastructure (based on PaaS VMs) was set up on the Azure subscription for a "personal" Windows Live account of an internal email address, with only that one user in the AD. (We also use the "correct" Azure instance, the AD is synced from the remnant of our old on-prem infrastructure and our Office 365 is based on it.)
We're about to recruit a second developer, I want to give him some level of access to our app infrastructure but not the global admin that sharing the existing single account would provide. I've experimentally added another user to the Azure AD as a global admin (so it should have access to everything) but when I log in with that user it takes me to the portal for the default free personal Azure instance you get if there's nothing set up. If I paste in a URL for a resource in the account it's global admin for I get "You do not have access" (403). (Audit trail of the user in Azure AD shows it logged in.)
Is there an inherent restriction on this type of account (in which case I'll have to bite the bullet and migrate the infrastructure where it belongs) or should I be able to expect this user to be able to access the right portal - and if so what do I need to do to get that to happen?
Having Global Admin role in Azure AD does not give you access to Azure resources, only to manage users etc. in Azure AD.
You need to add e.g. Owner/Contributor role on the subscription to the user through the Access Control (IAM) tab.

Azure Active Directory - No Valid Subscription Found

I am trying to get a Database configured to use Integrated Auth. In other words, I have an App Service, and I want it to use Integrated Auth so that I don't have to use Sql Server username/password in a connection string.
So I went to my existing Azure Account and created an Azure Active Directory.
The Active Directory was created, and I then switched to this Directory. However, all of the resources of my usual Azure account are not to be found. It is as if I had created a brand new Azure account.
If I try to create a resource, it tells me that I have no subscription, and that I need to create one. So I created one, but it ended up getting linked to my original account, not the new Active Directory Account.
I tried again to add a subscription, but it asks me to sign in, but I don't understand how I am supposed to sign in to the new AD account.
I am not understanding what is going on here. Is an Azure Active Directory a new and different account than my original?
How do I "sign in" to the new active directory so I can add a subscription?
An Azure subscription is always linked to an Azure AD tenant (directory).
The hierarchy looks like this:
    Your default Azure AD
        Subscription
            SQL DB
    The new Azure AD you created
So you can see the SQL DB is looking at the Azure AD you already had.
Because that's the one linked to the sub where the DB is.
Make sure you are looking at the directory where your DB is, you should be able to go to "Azure Active Directory" from the service list.
"Integrated auth" usually means AD authentication, so I want to clarify that Azure SQL does not support that.
Neither does App Service.
What they do support is Azure AD authentication, which is documented here: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication.
Mostly I recommend enabling a Managed Identity on the App Service, granting it access to the database, and then using that from within the app to connect.

I'm trying to restrict access to my Azure webapp to a specific User group

My on-prem AD is in sync with Azure AD and I'm trying to give access to my Azure-hosted website (Web App) to a specific set of users (AD groups) via seamless login.
I already tried setting the different options available in App registration, but none of them worked as expected.
Open the app that is registered in your Azure AD, click Managed application in local directory > Properties > and set User assignment required to Yes.
When this option is set to Yes, users must first be assigned to this application before they can access it. Then assign users and groups to the app.
For more details, you could refer to this article.

Azure: Create user that can log into a web app but not the azure portal

I've deployed an asp.net web forms application to an app service resource. I've turned on the app service authentication and set it to Log in With Azure Active Directory.
I've created a guest user account and verified that the user can log in to my application. That user is also able to log in to the Azure portal, and although the user doesn't appear to be able to do anything in the portal, they can still get to the portal and see things. How can I create users that can access my app service but not Azure itself? And if I have multiple app services, how can I create users that are siloed to specific app services?
There is no way to prevent a user who is in your directory from signing in to the Azure portal. Once you have invited the user to your directory, the user can also log in to the Azure portal. But I also want to make clear that the user cannot do anything in your directory or Azure resources if you don't give him/her permissions.
"And if I have multiple app services, how can I create users that are siloed to specific app services?"
Well, this can be resolved. Since each Web App links to one service principal, you need to set User assignment required to Yes in the Properties for that service principal; then only assigned users (added under Users and groups) can log in to this app.
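The three answers above make the same two-part point: being in the directory gives a user a portal sign-in but no rights, and rights come only from (a) RBAC role assignments on a subscription or resource group and (b) per-app "User assignment required" plus explicit user/group assignment. The following script is an added example, not code from any of the posts; it audits both settings offline from data you would export with the Azure CLI (`az role assignment list --all` and `az ad sp show`). The JSON embedded below is constructed sample data using the field names those commands return; the user names, tenant domain and IDs are placeholders.

```python
"""Offline audit of (a) who holds Azure RBAC roles and (b) which enterprise
apps enforce "User assignment required". Constructed sample data stands in
for the JSON that `az role assignment list --all` and `az ad sp show` emit."""
import json

# Constructed sample: two role assignments as exported from
# `az role assignment list --all`. Names and subscription ID are placeholders.
ROLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "bob_partner.example#EXT#@contoso.example",
   "principalType": "User", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web"}
]
"""

# Constructed sample: the service principals behind two web apps, as returned
# by `az ad sp show --id <app-id>` (only the fields used here are shown).
SERVICE_PRINCIPALS_JSON = """
[
  {"displayName": "webapp-hr", "appId": "11111111-1111-1111-1111-111111111111",
   "appRoleAssignmentRequired": true},
  {"displayName": "webapp-partner", "appId": "22222222-2222-2222-2222-222222222222",
   "appRoleAssignmentRequired": false}
]
"""


def principals_with_resource_access(role_assignments):
    """Map each principal to the (role, scope) pairs it holds.

    Only principals in this map can do anything in the portal beyond seeing
    "no subscriptions found"; every other directory account can sign in to
    the portal but has no rights over Azure resources."""
    access = {}
    for ra in role_assignments:
        access.setdefault(ra["principalName"], []).append(
            (ra["roleDefinitionName"], ra["scope"]))
    return access


def guest_users_with_access(role_assignments):
    """Guest (B2B) accounts are named name_domain#EXT#@tenant. Flag any that
    hold a role: external users usually should not reach resources at all."""
    return sorted({ra["principalName"] for ra in role_assignments
                   if ra["principalType"] == "User"
                   and "#EXT#" in ra["principalName"]})


def apps_open_to_whole_directory(service_principals):
    """Apps whose "User assignment required" is No: every account in the
    directory, members and guests alike, can sign in to them."""
    return sorted(sp["displayName"] for sp in service_principals
                  if not sp.get("appRoleAssignmentRequired", False))


def audit(role_assignments_json, service_principals_json):
    """Run all three checks over exported JSON and return one report dict."""
    ras = json.loads(role_assignments_json)
    sps = json.loads(service_principals_json)
    return {
        "principals_with_access": principals_with_resource_access(ras),
        "guests_with_access": guest_users_with_access(ras),
        "apps_open_to_whole_directory": apps_open_to_whole_directory(sps),
    }


if __name__ == "__main__":
    report = audit(ROLE_ASSIGNMENTS_JSON, SERVICE_PRINCIPALS_JSON)
    for name, entries in report["principals_with_access"].items():
        for role, scope in entries:
            print(f"{name}: {role} on {scope}")
    print("guests holding a role:", report["guests_with_access"])
    print("apps not enforcing user assignment:",
          report["apps_open_to_whole_directory"])
```

Run it against real exports by replacing the two constants with the files the CLI wrote; an empty guest list and an empty "open apps" list is the state the questions above are asking for.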

How can I programmatically retrieve the domain name of the Azure Active Directory in a given subscription?

I'm working on an application that will allow users to authenticate to Azure Active Directory and then manage resources in their Azure account via Azure Resource Manager API calls.
I've found several walkthroughs on building such an app including this post. However, in the part that discusses authentication with Azure Active Directory, there's a step showing the need to manually retrieve the Azure Active Directory name from the Azure Portal.
The directory name is plugged into app settings (and ultimately authentication calls to the directory) as follows
http://login.microsoftonline.com/{directory_domain_name}/OAuth2/Authorize
Is there any way to programmatically retrieve {directory_domain_name} without requiring users to login and lookup the information in the Azure Portal?
The one answer to this question has a dead link and another pointing to the Graph API, which seems to still require the domain name.
For your particular scenario, it looks like you want to build an app that will be used by users from different Azure AD tenants. This scenario is best addressed by building a multi-tenant application.
To make your application multi-tenant, you'll need to go to the Azure Portal and, in the Configure tab of your Azure AD application, set the "Application is Multi-Tenant" option to yes.
Once you do this, you can just call
http://login.microsoftonline.com/common/oauth/authorize
http://login.microsoftonline.com/common/oauth/token
And Azure AD will figure out which tenant to authenticate against based on the credential that the user types in.
More information on multi-tenant applications: https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-authenticate/
Sample multi-tenant application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
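The `common` endpoint removes the need to know the domain name up front, but it also means Azure AD will happily issue your app a token for any tenant in the world, so the app must decide for itself which tenants it trusts. The block below is an added example, not code from the answer or from the linked sample: it builds the v1 authorize request against `common` and then checks the tenant claims of the returned ID token. The client ID, redirect URI and tenant IDs are placeholders, and the token is a constructed, unsigned sample; in a real app the signature is verified with a JWT library against the tenant's published keys before any claim is read.

```python
"""Multi-tenant sign-in against the `common` endpoint, plus the tenant check
the app must do itself. Client ID, redirect URI and tenant IDs are placeholders."""
import base64
import json
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/common"
CLIENT_ID = "00000000-0000-0000-0000-00000000beef"        # placeholder app ID
REDIRECT_URI = "https://app.example/signin-oidc"            # placeholder
ALLOWED_TENANTS = {"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}  # placeholder tenant IDs


def build_authorize_url(state=None, nonce=None):
    """Build the v1 authorize request. `state` ties the response to this
    session (CSRF protection) and `nonce` is echoed in the ID token; both are
    generated fresh unless the caller supplies them."""
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}", state, nonce


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def decode_claims(id_token):
    """Return the JWT payload WITHOUT verifying the signature. Verification
    (with a JWT library, against the issuing tenant's keys) must happen
    before these claims are trusted; this helper only feeds the tenant check."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))


def tenant_is_allowed(claims, allowed_tenants=ALLOWED_TENANTS,
                      client_id=CLIENT_ID):
    """The decision `common` leaves to the app: accept the token only if the
    issuing tenant is on our allow-list, the issuer names that same tenant
    (v1 issuer format https://sts.windows.net/{tid}/), and the token was
    minted for this client."""
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    if claims.get("iss") != f"https://sts.windows.net/{tid}/":
        return False
    return claims.get("aud") == client_id


def make_sample_token(claims):
    """Construct an unsigned JWT so the check can be exercised offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    url, _, _ = build_authorize_url()
    print("redirect the browser to:", url)
    tid = next(iter(ALLOWED_TENANTS))
    token = make_sample_token({"tid": tid, "iss": f"https://sts.windows.net/{tid}/",
                               "aud": CLIENT_ID})
    print("allowed:", tenant_is_allowed(decode_claims(token)))
```

If you really do want to serve every tenant, drop the allow-list but keep the issuer/`tid` consistency and audience checks; otherwise a token from an unrelated tenant is indistinguishable from one of yours.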