AAD authentication for Event Grid Subscribers - azure-active-directory

I have an Event Grid which is used for publishing events. I have a Web-Hook based subscriber which will be listening to the event. The webhook is hosted on Azure App Service and is protected by an AAD App.
In this scenario will Event Grid be able to publish an event to a Web endpoint which is protected by AAD?
My event grid topic and the web app are in the same subscription.

According to your description, you want to subscribe to an Event Grid topic via a webhook hosted on Azure App Service which is protected by Azure AD.
Per my experience, there are two ways to realize it.
Accessing a URL endpoint protected by AAD requires an access token obtained via AAD authentication, but there is no ability to do that programmatically on Event Grid. So, as Roman Kiss said, a workaround is to create a proxy-like service that gets the authorization token to access your webhook, such as an Azure Function App.
The other way is to change your app service code to allow anonymous access, for example by adding [AllowAnonymous] on your controller method if using ASP.NET; please see the Azure sample code.
Hope it helps.

Related

Webview2, SharePoint Online, and Azure AD Authentication

I have a WPF desktop using the WebView2 control, and it works quite nicely. The problem I am trying to solve is handling the authentication for users who find the repeated prompts when accessing our SharePoint Online (SPO) site within the WebView2 control annoying. I am not looking to access Graph API or the SPO API, just allow the user to navigate to our SPO site without login prompts. Our on-prem AD synchronizes with Azure AD.
A couple of applications I've developed:
An Office add-in using SSO with delegated permission and signed off by our admin so that users do not log in
A console app that has application permission to update all calendars in our organization via the EWS API, protected with Azure AD certificate authorization, although it initially used a secret
That said, how can I set up the app authorization so that my desktop WPF app can allow the users to access SPO without prompts?
According to your scenario, you can try the following things in your web view control so that you will no longer receive authentication prompts for the SharePoint Online login.
• You are trying to access the SPO site within the web view control, so you need to allow authentication for both HTTP clients, i.e., Windows Store clients (classic) [System.Net.Http.HttpClient] and HTTP clients [Windows.Web.Http.HttpClient] connected to web view controls. You can do so by adding the new one in your code as below:
using System;
using Windows.Security.Credentials;
using Windows.Web.Http.Filters;

// Attach the site credential to the protocol filter used by the Windows.Web.Http client
var filter = new HttpBaseProtocolFilter();
filter.ServerCredential = new PasswordCredential("http://website", "login", "password");
var client2 = new Windows.Web.Http.HttpClient(filter);
// Must run inside an async method; this request establishes the authenticated session
var response = await client2.GetAsync(new Uri("http://website"));
// Then point the web view at the same site
WebView.Source = new Uri("http://website");
• In this code, change “login” and “password” to the credentials you want to use to log in to the SPO site. Also, change “http://website” to the SPO website and set the ‘enterpriseAuthentication’ parameter to off.
• Also, you can use the “TodoListService” service app for maintaining an in-memory collection of to-do items for each authenticated user for login purposes.
Please refer to the links below for more reference:
providing domain/user credentials to webview control
https://learn.microsoft.com/en-us/previous-versions/windows/hh465283(v=win.10)?redirectedfrom=MSDN
https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-native-aspnetcore-v2/1-desktop-app-calls-web-api/
This way, hopefully the SPO site can be accessed through desktop WPF app without authentication prompts.
Thanking you,

Is there an event from Azure Active Directory that the Event Grid can respond to?

My demo app uses Azure AD B2C. Since it's a B2C, new users can create their own account. When a new user joins, I want:
Event Grid to start a Logic App
the Logic App will grab some of the data and update the CosmosDb containers
send an email to the new user
deliver a message that any subscriber can read
I'm stuck at the beginning because I can't find anything that is related to Azure Active Directory. I can't find a tutorial or any information related to that.
My question is to know whether event grid can even be used to react to users being created in Azure AD?
Thanks for helping.
I don't think this trigger can implement your requirement. As we can see it requires us to choose Resource Type, Resource Name... But users do not belong to resources, resources refer to storage, VM, keyvault and so on.
So for your question about
whether event grid can even be used to react to users being created in Azure AD
I think it can't be used to react to users being created in Azure AD.

How do I include role in event grid authentication webhook Azure Active Directory?

I am trying to set up an authenticated webhook call from an Azure Event Grid Domain subscription to a web app service in the same tenant. I am able to do everything up to a certain point which is that I am trying to tie the authentication to a specific app role in the subscribing app. Currently, the authentication works, but I cannot seem to figure out how to include a specific role in the token that gets sent to the subscribing endpoint. It may be that it's more of a generic question on setting up an enterprise app registration (which event grid uses) with a configurable role for app registrations. My issue is that I know how to do it when there's an app registration, but in this case I only have an enterprise app.
I have followed the documentation, and this article seems to try to do the same thing, but I don't want to do it in powershell as we have an Identity-responsible who is going to do the actual work as well as me wanting to understand what happens behind the scenes.
https://learn.microsoft.com/en-us/azure/event-grid/secure-webhook-delivery
Does anybody know how to set up the event grid webhook authentication so it includes a specific role (most probably an app role defined in the manifest of the subscribing app's app registration)?
You are following the correct way of configuring the event subscription.
The role which you want to add to the application can be assigned as below:
Azure Portal >> All Services >> Subscription >> Select Subscription >> IAM Role >> Add Role assignment >> 1. Select the role which is needed 2. Assign access to Azure AD user or Service Principal 3. Select the application >> Save.
or
If you need to assign a customised role, you can create a custom role as below:
https://learn.microsoft.com/bs-cyrl-ba/azure/role-based-access-control/custom-roles?toc=%2Fazure%2Fvirtual-network%2Ftoc.json
Using Azure Active Directory to secure the connection between your Event Subscription and your webhook endpoint:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/event-grid/secure-webhook-delivery.md

Desktop app opening a server-side Blazor page protected by AD auth

I have a server-side Blazor app running on Azure AppService protected by AAD auth. Authorized AD users (admins) are able to access and use the app.
What I want to achieve is to allow other users to access only a specific page of the Blazor app. Users would access the app from a WPF app, themselves not necessarily being AD users but an AD application user (daemon app). The WPF app gets the token (v2.0) and opens the page in a browser with the Authorization header (bearer token); however, Blazor does not interpret the auth header in the request and treats the user as unauthenticated.
App registrations should have been set up properly as I'm able to access the API when using this approach.
Is this scenario possible? If so, any ideas what I could be doing wrong?
This scenario sounds like it is going quite a lot against general recommendations.
You really should not be doing "daemon app" authentication from a WPF app as it is not a confidential client application (and neither a daemon app). It runs on a user device, exposing the application's credential to any user.
Authentication flows that use secrets should never be used from a user device.
Secondly, a Blazor application is not generally one that can accept requests from an application.
Your WPF application should be calling an API, not a UI application.
What you should instead have is:
WPF app authenticates the user and acquires a token on their behalf to your API
WPF app calls the API with the access token
API validates the access token, authorizes access for the user and app, returns data
The Blazor app could be using this same API in its front-end code in a similar manner.
But I don't think you are going to be able to put it in the middle of your client app and the API.

Multi-tenant Microsoft SSO in self hosted Canvas LMS

I have been able to set up the single tenant SSO but don't really know what steps to follow on (Canvas or Azure side) to enable multi-tenant.
Canvas LMS is hosted on my own website.
You can follow the steps below to convert your application into a multi-tenant app.
In Azure Portal, update your application registration to be multi-tenant. You can make your registration multi-tenant by finding the “Multi-Tenanted” switch on the properties page of your application registration in the Azure portal and setting it to “Yes”.
Update your code to send requests to the /common endpoint: https://login.microsoftonline.com/common
Update your code to handle multiple issuer values
Understand user and admin consent and make appropriate code changes
For more details about multi-tenant applications, please refer to the following article.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
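Added example, not code from any of the answers above: the claim checks a receiving endpoint applies after the token signature and expiry have been verified, covering the `roles` claim the Event Grid app-role question above asks about and the per-tenant issuer handling that this answer's third step ("handle multiple issuer values") requires. The tenant IDs, audience and role name are constructed for the example.

```python
import re
from typing import Optional, Set, Tuple

# Issuer formats Azure AD uses for v1.0 and v2.0 tokens; the path segment is the tenant ID.
V1_ISSUER = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$")
V2_ISSUER = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")


def issuer_tenant(iss: str) -> Optional[str]:
    """Return the tenant ID embedded in a v1.0 or v2.0 issuer, or None if it is neither."""
    for pattern in (V1_ISSUER, V2_ISSUER):
        m = pattern.match(iss)
        if m:
            return m.group(1)
    return None


def validate_claims(claims: dict, expected_aud: str, allowed_tenants: Set[str],
                    required_role: Optional[str] = None) -> Tuple[bool, str]:
    """Check aud, iss/tid consistency, tenant allow-list and (optionally) an app role.

    Assumes signature and expiry were already verified against the issuing tenant's
    signing keys; these are the checks a multi-tenant or role-restricted endpoint
    must add on top of that.
    """
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    tenant = issuer_tenant(claims.get("iss", ""))
    if tenant is None:
        return False, "issuer is not an Azure AD issuer"
    # Multi-tenant: the issuer differs per tenant, so it must agree with the tid claim
    # and the tenant must be one this app has explicitly decided to trust.
    if claims.get("tid") != tenant:
        return False, "tid does not match issuer tenant"
    if tenant not in allowed_tenants:
        return False, "tenant " + tenant + " not allowed"
    # App roles granted to the calling application arrive in the 'roles' claim.
    if required_role is not None and required_role not in claims.get("roles", []):
        return False, "missing app role " + required_role
    return True, "ok"


# Constructed sample claims (tenant IDs, audience and role name are made up).
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
SAMPLE_OK = {"aud": "api://webhook-app", "tid": TENANT_A, "roles": ["EventGrid.Publish"],
             "iss": "https://login.microsoftonline.com/" + TENANT_A + "/v2.0"}
SAMPLE_WRONG_TENANT = dict(SAMPLE_OK, tid=TENANT_B)

if __name__ == "__main__":
    print(validate_claims(SAMPLE_OK, "api://webhook-app", {TENANT_A}, "EventGrid.Publish"))
```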
