Azure Web App + Active Directory with domain mapping issue - azure-active-directory

I have published an application as an Azure WebApp which uses Azure ActiveDirectory for my authentication.
This requires a redirect to AD and re routes back to my web app after authenticated.
This works flawlessly using the xxxx.azurewebsites.net uri, but is not working properly with domain masking.
How can I use my custom domain with ActiveDir auth?
The masking works without the azure auth, but the reply URL throws an error (which I will post soon).

Related

Why the URL of Azure App service can't be used as the Application ID URI in Azure AD?

The azure app service provided an URL in such format https://your-app-name.azurewebsites.net
When Expose an API in azure app registration the Application ID URI is needed. But when I use the url provided by the azure app service I got the following error:
Values of identifierUris property must use a verified domain of
the organisation or its subdomain: https://your-app-name.azurewebsites.net
the URL provided by the app service is not a verified domain? and how can I make it verified?
Application ID URI is an identifier that can be used instead of the client ID when specifying a scope defined in that app.
It has nothing to do with authentication redirect URIs, where it would need to match your app hosting.
Agree with juunas and this is just additional description. Screenshot below contained the error you met and one of the supported App ID URI pattern.
I'm afraid that the reason for exposing API is that you want to protect your web API with Azure AD. The App ID URI here is used for the authorization. Your web app also requires to configure the audience, then after you integrate Azure AD authorization into your application, the scope, the audience and other claims containing in the incoming access token will all be verified. I have a sample which is based on a web api. You can see the configuration for Azure AD authorization.
And https://your-app-name.azurewebsites.net is for authentication which used for redirect from microsoft identity platform back to your own web app. The scenario can be opening your own web page which requiring user to sign in --> redirect to microsoft sign in page --> sign in then redirect back to your web page. So we need to identify the redirect URL in Azure AD.

If possible, how to register front-end and back-end in a single application in Azure AD?

I have an application stack with a React SPA frontend and an Asp.net core web-api backend. Both resources had been successfully registered in AzureAD each with its own app and the authentication and authorization processes are working fine. However, would it be possible to use the same registration for both the front and backend in AD?
When using the AD Application ID from the backend in React:
auth: {
clientId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
authority: "https://login.microsoftonline.com/<tenantId>",
redirectUri: "http://localhost:3000"
}
I get the following error:
ServerError: invalid_request: AADSTS90009: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'(api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
I am using the MSAL library for the frontend.
Both the applications (front end and back end) need to be registered for sure in Azure AD.
As you are using client id of backend which is api to be secured , the Error is occurring.
Update client-id, tenant-id, redirect URI of front end application not backend api in configuration file based on application registration in Azure AD.
Then make sure to expose an API and grant admin consent to the API with required permissions.
Yes, this is possible. Your provider configuration looks correct, so check to make you app registration is setup properly. You will need the following things:
An SPA platform configuration with a redirect URI of http://localhost:3000
Add a scope (under 'Expose an API') and make sure your Application ID URI is created
Use the new scope in your MSAL authentication template

App services behind Applicaiton Gateway and applicaiton authentication using Azure SSO

I have an application which I am trying to migrate to the App services. The authentication was windows auth before migration so I moved it to Azure SSO.
Background -
The application is registered within Azure to leverage single sign on
and we have a reply URL configured within the application and
redirect URI configured in Azure SSO for URL -
https://abc.customdomain.com
The app is hosted within App services and the Azure endpoint URL of
the app services is https://abc.azurewebsites.net
We have also setup a TXT record created within the custom Domain and
added this to App service to verify the ownership of the DNS.
The custom DNS https://abc.customdomain.com is configured and
pointing to the application gateway.
The application gateway is configured to point to the App service.
Issue
When I try testing the application the SSO works as expected but the moment it tries redirecting to the application after Sign on it breaks because of the incorrect redirect URL as the app services has the URL – https://abc.azurewebsites.net
After setting up a CNAME and pointing it to the App services the hosted site works, but we want to have the traffic flow from the Application gateway.

Migrate from msal angular to azure webapp authentication

I'm working on a web application deployed on an azure webapp authenticated with Azure AD.
It is mostly based on the angular template for ASP.Net Core. The backend hosts the frontend in a ClientApp directory.
For the authentication, the frontend works with the msal-angular plugin which on access redirects to the Azure AD authentication page. After login, the login page redirects back to the frontend, which catch the token, and makes all the calls to the backend with the token in the authorization bearer header.
The .Net Core backend is configured with :
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureActiveDirectory", options));
Finally, to make all these works, I have in the Azure AD app registration one entry for the backend and another for the frontend.
This works well, but we want to move away from that to use the Authentication directly on the webapp.
This way we could secure even more the application which would not even be downloaded if the user is not authenticated.
How do I manage to do that ?
Do I need to remove all authentication code from the backend and frontend ?
Do I still need 2 entries in the app registration on azure AD or one is now enough ?
How will I know which user is connected ? Actually I use the IHttpContextAccessor to get the UPN Claim.
Thanks for the help

Cannot set HTTP URI in redirect URI on Azure AD Web App

I'm implementing a Power BI Embedding solution into third party application which uses the same Active Directory as Power BI. However the application has URL with HTTP and not HTTPS.
Now, for getting the authentication token for embedding, I've created Azure AD Web App and I want to add Redirect URI for that application, but it is not allowing me because it is HTTP.
What can be the solution to get authentication token for Azure AD for embedding?
Thank you.
Apps that are registered for Microsoft identity platform has Restrictions on redirect URLs. The redirect URL for web apps and
services must begin with the scheme https, and all redirect URL values must share a single DNS domain. http://localhost is also supported as a redirect URL.
You can create self signed certificates for https domain (for test purpose).If your app runs in Production Environment, it should be signed by a
trusted certificate authority.Check here to know more.
Refer this post for : Trust a self signed cert from IIS

Resources