Where Do I Find The Issuer URL In Azure Active Directory? - azure-active-directory

I am trying to add Active Directory Authentication to my Azure App Service.
The AD I am using is in a different tenant to the App Service so I need to use Advanced Settings instead of Express (where it creates things for you).
One of the fields is "Issuer Url" and the pop up help says
"Issuer URL for your Active Directory, TenantId of your Active
Directory can be obtained by PowerShell command Get-AzureAccount or by
browsing to your Directory from the management portal"
Where do I find the "Issuer Url" in the portal?

On the App registrations page, click on the Endpoints button at the top, then copy the WS-FEDERATION SIGN-ON ENDPOINT URL but remove the /wsfed ending from the URL. The end result should look like https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000. The domain name may be different for a sovereign cloud. This will serve as the Issuer URL.
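As an added example (not code from the answer above), the following JavaScript derives the Issuer URL from the WS-Federation endpoint exactly as the answer describes and goes one step further: it allow-lists the login hosts it will accept (the global and sovereign-cloud hostnames are an assumption for this example) and shows the tenant check that pinning an issuer URL exists to enforce. The `claimsMatchIssuer` helper and its claim handling are illustrative, not part of App Service itself.

```javascript
// Added example, not code from the original answer: derive the App Service
// "Issuer Url" from the WS-Federation sign-on endpoint and check that a
// token's tenant matches it. The login-host allow-list is an assumption for
// this example; extend it for the sovereign cloud you actually use.
const AAD_LOGIN_HOSTS = new Set([
  "login.microsoftonline.com", // global Azure
  "login.microsoftonline.us",  // Azure Government
  "login.chinacloudapi.cn",    // Azure China
]);
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// ".../<tenantId>/wsfed" -> ".../<tenantId>": strip the /wsfed suffix, but
// refuse anything that is not an Azure AD tenant endpoint on a known host.
function issuerUrlFromWsFedEndpoint(wsfedUrl) {
  const u = new URL(wsfedUrl);
  if (u.protocol !== "https:" || !AAD_LOGIN_HOSTS.has(u.hostname)) {
    throw new Error(`unexpected login host: ${u.hostname}`);
  }
  const parts = u.pathname.split("/").filter(Boolean);
  if (parts.length !== 2 || parts[1] !== "wsfed" || !GUID_RE.test(parts[0])) {
    throw new Error(`not a tenant WS-Federation endpoint: ${u.pathname}`);
  }
  return `${u.origin}/${parts[0].toLowerCase()}`;
}

function tenantIdFromIssuerUrl(issuerUrl) {
  return new URL(issuerUrl).pathname.split("/").filter(Boolean)[0].toLowerCase();
}

// The issuer URL pins the app to one tenant. A token must carry that tenant id
// in its "tid" claim and in its "iss" claim (v1 tokens use
// https://sts.windows.net/<tenantId>/, v2 tokens
// https://login.microsoftonline.com/<tenantId>/v2.0); anything else was
// minted for some other directory and must be rejected.
function claimsMatchIssuer(issuerUrl, claims) {
  const tid = tenantIdFromIssuerUrl(issuerUrl);
  return typeof claims.tid === "string" && claims.tid.toLowerCase() === tid &&
    typeof claims.iss === "string" && claims.iss.toLowerCase().includes(`/${tid}/`);
}
```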

Related

How to access Azure Maps API from browser using Azure App Service Active Directory authentication?

I have an Azure App Service with Azure Active Directory Authentication enabled. So the users have been authenticated by AD. How do I use that authentication to call Azure Maps from the JavaScript in the browser?
I was able to make calls from the browser to the maps API using the maps shared key, but I obviously don't want to do that. I was also able to have the browser call my server, and have my server use the shared key to call the maps API, but I don't want my server to have to be the middle-man for every call.
Well, in your case, you can hit https://webappname.azurewebsites.net/.auth/me to get the token to call Azure Maps API, please follow the steps below.
1. Navigate to the resource explorer -> find your app service -> add ["resource=https://atlas.microsoft.com"] to additionalLoginParams like below -> PUT.
2. Navigate to the Azure Active Directory in the portal -> App registrations -> find the AD App corresponding to your app service -> API permissions -> add the permission user_impersonation of Azure Maps like below.
Note: If you could not find Azure Maps on the first page, just go to APIs my organization uses and search for ba1ea022-5807-41d5-bbeb-292c7e1cf5f6, then click it and add the permission above.
3. Then when the user logs in to the web app, after he consents to the permissions, you can get the token with endpoint https://webappname.azurewebsites.net/.auth/me, and use the token to call the Azure Maps API with javascript. In this way, the user just needs to log in one time; the token was generated via the azure ad auth.
Note: Before you get the token, make sure the user logged in to the app is already added to a role, e.g. Azure Maps Data Contributor, in the Azure Maps Account -> Access Control (IAM); if not, follow this link to add it.
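The browser side of step 3, as an added example that is not part of the original answer: it reads the AAD access token out of `/.auth/me`, checks that the token really carries the Azure Maps audience before using it (so a missing `resource=` parameter from step 1 fails loudly instead of producing 401s), and sends it with the `x-ms-client-id` header Azure Maps requires for AAD auth. The Maps account client id and the Search Address endpoint shape are assumptions for the example.

```javascript
// Added example (not from the original answer): browser code that takes the
// access token App Service authentication obtained for Azure Maps out of
// /.auth/me and uses it instead of the Maps shared key, which must never be
// shipped to the browser. The Maps account client id is a placeholder.
const MAPS_RESOURCE = "https://atlas.microsoft.com";

// Decode a JWT payload WITHOUT verifying it. Azure Maps verifies the
// signature; this is only a client-side sanity check on the token we got.
function decodeJwtPayload(jwt) {
  let b64 = jwt.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const json = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("utf8");
  return JSON.parse(json);
}

// /.auth/me returns an array with one entry per provider. Pick the AAD entry
// and confirm its access token was really issued for atlas.microsoft.com,
// i.e. the additionalLoginParams "resource=" setting from step 1 took effect.
function mapsTokenFromAuthMe(authMe) {
  const aad = authMe.find((p) => p.provider_name === "aad");
  if (!aad || !aad.access_token) throw new Error("no AAD session: send the user to /.auth/login/aad");
  const claims = decodeJwtPayload(aad.access_token);
  if (claims.aud !== MAPS_RESOURCE) throw new Error(`token audience is ${claims.aud}, not Azure Maps`);
  if (claims.exp * 1000 <= Date.now()) throw new Error("token expired: call /.auth/refresh first");
  return aad.access_token;
}

// With AAD auth, Azure Maps also needs the Maps account's client id in
// x-ms-client-id so it can map the token to the account whose RBAC role
// (e.g. Azure Maps Data Contributor) the user was given.
function mapsRequestHeaders(accessToken, mapsClientId) {
  return { Authorization: `Bearer ${accessToken}`, "x-ms-client-id": mapsClientId };
}

// Example call: the Search Address REST API (endpoint shape assumed from the
// Azure Maps REST docs; adjust api-version to what your account supports).
async function searchAddress(query, mapsClientId) {
  const me = await (await fetch("/.auth/me", { credentials: "same-origin" })).json();
  const token = mapsTokenFromAuthMe(me);
  const url = `${MAPS_RESOURCE}/search/address/json?api-version=1.0&query=${encodeURIComponent(query)}`;
  const res = await fetch(url, { headers: mapsRequestHeaders(token, mapsClientId) });
  if (!res.ok) throw new Error(`Azure Maps returned HTTP ${res.status}`);
  return res.json();
}
```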

Azure AD redirects to wrong location (localhost) after authentication

I have code working in development that authorizes against Azure AD in a multi-tenant setup using the MSAL library (with the Microsoft Angular wrapper for MSAL).
This code all works as expected when I am running it against localhost:5001.
My configuration contains a redirectUri for https://localhost:5001 and my application in Azure AD has its "Redirect URI" value set to the same.
However, when I move this to production, it is continuing to try to redirect me to localhost:5001 on a successful AD authentication, even though I have changed my redirectUri in my configuration, as well as the Azure B2C application "Redirect URI", to now be the production site at:
https://[mysite].azurewebsites.net
Where is it still getting localhost:5001 from? I searched my code/configuration and this value does not exist. It is not currently in Azure AD for the Application. I have stopped and restarted my App Service to no avail.
The redirection it is trying to make is to:
https://localhost:5001/#id_token=eyJ0eXAiOiJKV1Qi ...
I was able to work around this issue by deleting the Azure AD App Registration and creating a new one from scratch with the proper endpoints.
For some reason, it was not "holding" the change when the endpoint URLs were edited and saved. It showed the correct endpoints in the Azure AD control panel for the App Registration, but it was still redirecting to localhost.
When I deleted and re-created, it properly forwarded the replies to the production site.
I am unsure at this time if this is an issue on Microsoft's side or not, but this conclusively resolved the issue.
Registering a new application solved this issue.
No need to delete and register a new application. Simply update the replyUrlsWithType attribute on the Azure Active Directory app manifest file to point to the new domain, url or location:
"replyUrlsWithType": [
    {
        "url": "https://localhost:4400/services/office365/redirectTarget.html",
        "type": "InstalledClient"
    }
],
See this link for more information: https://learn.microsoft.com/en-gb/azure/active-directory/develop/reference-app-manifest?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps

How do I exclude specific URLs from authenticating using Azure AD?

Assuming I have a web app residing in Azure and using Azure AD, and I configured it to authenticate using Azure AD
settings -> Authentication / Authorization -> Authentication Providers -> Azure Active Directory
Now I want certain pages and URL paths to be publicly available (without need for authentication).
How do I configure that?
Somehow I stumbled upon the answer.
The way to configure that is described in the following article:
Expanding App Service Authentication/Authorization
You need to leave the "action to take" drop-down as "Allow request (no action)" and then the application may redirect the user to the log-in page as needed. This was not sufficiently explained in the Azure portal and led to some confusion on my part.
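What the app has to do once the platform is set to "Allow request (no action)", as an added example rather than code from the answer: App Service then forwards every request, signed in or not, so the app itself decides which paths are public and sends the rest to the built-in `/.auth/login/aad` endpoint. The Express-style `req`/`res` shape, the public path list and the `post_login_redirect_uri` parameter name are assumptions for this example.

```javascript
// Added example (not from the original answer): with "Allow request (no
// action)" App Service passes every request through, so the app must decide
// itself which paths are public and redirect everyone else to the platform
// login endpoint. Express-style req/res is assumed; the path list is made up.
const PUBLIC_PATHS = ["/", "/health", "/public", "/privacy"];

// Exact match, or a child of a public prefix (so "/publicity" is not public).
function isPublicPath(pathname) {
  const p = pathname.replace(/\/+$/, "") || "/";
  return PUBLIC_PATHS.some((pub) => p === pub || (pub !== "/" && p.startsWith(pub + "/")));
}

// App Service authentication sets X-MS-CLIENT-PRINCIPAL-* headers on requests
// it has authenticated and strips client-supplied copies, so their presence
// is the sign-in signal. If authentication is ever switched off at the
// platform level these headers become spoofable, which is why the app must
// not be deployed with this middleware alone.
function principalFrom(req) {
  const name = req.headers["x-ms-client-principal-name"];
  const idp = req.headers["x-ms-client-principal-idp"];
  return name && idp === "aad" ? { name } : null;
}

// Only ever redirect back to a local path+query, never to an external URL.
function loginRedirect(target) {
  return `/.auth/login/aad?post_login_redirect_uri=${encodeURIComponent(target)}`;
}

// Returns the action taken so the behaviour is observable without a server.
function requireAuthUnlessPublic(req, res, next) {
  let u;
  try { u = new URL(req.url, "https://app.invalid"); } catch (e) { res.status(400).end(); return "bad-path"; }
  if (isPublicPath(u.pathname)) { next(); return "public"; }
  const user = principalFrom(req);
  if (user) { req.user = user; next(); return "authenticated"; }
  res.redirect(302, loginRedirect(u.pathname + u.search));
  return "redirect";
}
```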

Registering an Azure Functions in Azure Active Directory

Do I register an Azure Function as a "Web app/API" app in my Azure Active Directory? If so, what would be the "Sign-on URL" for it?
Your Function is probably going to be kind of like an API.
In case of APIs, the Sign-on URL does not matter.
It will also be used as a reply URL by default, but if there are no user redirections, reply URLs do not matter.
So it can be your Function's URL.

ADAL and angularjs WITHOUT .NET generates HTTP 404

I have been trying to integrate ADAL into my AngularJS SPA app by leveraging the AAD application configuration info from the .NET sample app and cannot get it to authenticate. I get a 404 every time.
The sample app instructions are as follows:
Step 2: Register the sample with your Azure Active Directory tenant
Sign in to the Azure management portal.
Click on Active Directory in the left hand nav.
Click the directory tenant where you wish to register the sample application.
Click the Applications tab.
In the drawer, click Add.
Click "Add an application my organization is developing".
Enter a friendly name for the application, for example "SinglePageApp-DotNet", select "Web Application and/or Web API", and click next.
For the sign-on URL, enter the base URL for the sample, which is by default https://localhost:44326/.
For the App ID URI, enter https://<your_tenant_name>/SinglePageApp-DotNet, replacing <your_tenant_name> with the name of your Azure AD tenant.
All done! Before moving on to the next step, you need to find the Client ID of your application.
While still in the Azure portal, click the Configure tab of your application.
Find the Client ID value and copy it to the clipboard.
Step 3: Enable the OAuth2 implicit grant for your application
By default, applications provisioned in Azure AD are not enabled to use the OAuth2 implicit grant. In order to run this sample, you need to explicitly opt in.
From the former steps, your browser should still be on the Azure management portal - and specifically, displaying the Configure tab of your application's entry.
Using the Manage Manifest button in the drawer, download the manifest file for the application and save it to disk.
Open the manifest file with a text editor. Search for the oauth2AllowImplicitFlow property. You will find that it is set to false; change it to true and save the file.
Using the Manage Manifest button, upload the updated manifest file. Save the configuration of the app.
Step 4: Configure the sample to use your Azure Active Directory tenant
Open the solution in Visual Studio 2013.
Open the web.config file.
Find the app key ida:Tenant and replace the value with your AAD tenant name.
Find the app key ida:Audience and replace the value with the Client ID from the Azure portal.
Open the file App/Scripts/App.js and locate the line adalAuthenticationServiceProvider.init(.
Replace the value of tenant with your AAD tenant name.
Replace the value of clientId with the Client ID from the Azure portal.
When I configure my app it looks like this:
adalProvider.init(
    {
        instance: 'https://login.microsoftonline.com/',
        tenant: 'http://mytenantname.onmicrosoft.com',
        clientId: '000000000-583f-4218-b410-28c2acf00000',
        extraQueryParameter: '12345',
    },
    $httpProvider
);
However, when I try to authenticate I always get a 404 response that my app is not recognized. Any idea what is wrong here?
The problems are in the tenant value:
The tenant property needs to be a URN, not a URL, so it should not include the 'http://'.
You have to include the application name at the end of the URN to uniquely identify the application within the directory.
Try that and see if it works.