Application Security Groups, Deployments and YAML, Exams of Microsoft AZ-304, Microsoft AZ-304 Certifications

Enabling AD integration – Building Application Security

by Katie Campbell

To enable AD integration, we must first set a login redirect URI for our new website on the service principal we created earlier, and then configure the web app to use that principal:

  1. Navigate to the Azure portal at https://portal.azure.com.
  2. In the top search bar, search for and select Azure Active Directory.
  3. On the left-hand menu, click App registrations.
  4. Select the SecureWebApp registration.
  5. On the left-hand menu, click Authentication.
  6. Click + Add a Platform.
  7. In the Configure Platforms window that appears, choose Web.
  8. Paste in the URL from your web app into Redirect URIs and add the following to it: /.auth/login/aad/callback. In this example, the URI would be https://packtpub-secureapp.azurewebsites.net/.auth/login/aad/callback.
  9. Click Configure.
  10. Scroll down the page to Implicit grant, tick the ID tokens box, then click Save. The page should look like this:Figure 6.16 – Setting app authentication

Figure 6.16 – Setting app authentication

  1. We now need to configure your app to use the app registration – in the top search bar, search for and select App Services.
  2. Select your web app – for example, packtpub-secureapp.
  3. On the left-hand menu, click Authentication/Authorization.
  4. Set App Service Authentication to On.
  5. Under Action to take when a request is not authenticated, choose Log in with Azure Active Directory.
  6. Under Authentication Providers, click Active Directory.
  7. On the next page, set the first Management mode option toExpress, and the second Management mode option to Select Existing AD App.
  8. Click Azure AD App, and select the app registration we created in Creating the service principal in the Working with Security Principals section.
  9. Click OK. The page should look like the following. Click Save.

Figure 6.17 – Setting authentication

Wait a few minutes for the changes to take effect, then browse to the web app; for example, https://packtpub-secureapp.azurewebsites.net. You will now be prompted to log in with your Active Directory account, and once authenticated, you will be directed back to your application. If you are not prompted to sign in, open a private browsing window instead, as your credentials may already be cached in the browser.

As you can see, integrating your application into your Azure Active Directory tenant is very easy and provides a secure and seamless login experience for your users.

The first half of this section involved using a security principal to access the key vault. service principals can be used to access many different services; however, they do rely on a client ID and secret being generated and shared.

Next, we will look at an alternative and more secure method of providing authenticated access to many Azure resources, called managed identities.