Authentication is a standard requirement when it comes to managing security and access to your business applications, and Azure provides numerous ways to handle that security layer. In this blog post, I’m going to talk about integrated authentication for App Service (easy auth) in Azure. I’ll explain what it is, what its advantages and disadvantages are compared to authentication managed in code, and how to implement it on an app service. Let’s get started 😄
What is easy auth?
Easy auth is a feature of Azure App Service that provides built-in authentication and authorization capabilities for your web app, RESTful API, mobile back end, or Azure Functions. It allows you to sign in users with minimal or no code by using federated identity providers such as Azure AD, Facebook, Google, Twitter, GitHub, or any OpenID Connect provider.
Basically, easy auth works like a fully Azure-managed auth layer plugged in on top of your application. It intercepts all HTTP requests coming into your app and verifies that each request is authenticated before it is transferred to your actual application code.
Why use easy auth?
Using easy auth can save you time and effort by simplifying authentication and authorization for your app. You don’t need to write any code to integrate with multiple login providers or handle user sessions. You also don’t need to worry about following industry best practices and standards or keeping your implementation up to date with security updates.
Some of the benefits of using easy auth are:
- Easy configuration through the Azure portal and app settings
- No SDKs, specific languages, or changes to application code required
- Support for several identity providers
- Automatic redirection of HTTP requests to HTTPS
- Access to user information through HTTP headers or environment variables
- Ability to restrict access to users in your organization or specific roles
- Ability to connect to backend services as the app using managed identity or Key Vault
What are the drawbacks of using easy auth?
Easy auth is not a one-size-fits-all solution for authentication and authorization. Depending on your scenario and requirements, you may need more flexibility and control over your authentication logic than what easy auth provides. Some of the limitations of using easy auth are:
- Limited customization of login UI and user experience
- Limited support for advanced scenarios such as multi-factor authentication (MFA), single sign-out (SSO), conditional access policies (CAP), etc.
- Dependency on App Service platform availability and performance
- Potential compatibility issues with some web frameworks or libraries
How to implement easy auth on an app service?
1. Register your web app with Azure AD
The first step is to register your web app with Azure AD so that it can use it as an identity provider. To do this:
- Create and publish a web app on App Service if you don’t have one already. You can use any language or framework you prefer.
- In the Azure portal menu, select Resource groups, or search for and select Resource groups from any page.
- Select the resource group that contains your web app.
- Select your web app from the list of resources.
- In the left navigation pane of your web app page, select Authentication under Settings.
- Select Add identity provider.
- Select “Microsoft” as the identity provider, then “Workforce” as the tenant type.
- In App registration, select “Create new app registration”; this creates a new app registration in your Azure AD.
- Choose the name of the app, which can be the same as your app service.
- Depending on the strategy you choose, select the supported account type. Here we only want to authorize users of our own Azure AD tenant, so we select “Current tenant - Single tenant”.
- In App Service authentication settings, select “Require authentication”, then “HTTP 302 Found redirect” to redirect users to a forbidden page if they don’t have access to your app. Then select “Redirect to MS”.
- Optionally, turn on Token Store if you want the tokens issued by the identity provider to be stored securely within the App Service platform itself so that they can be accessed later (for example by backend services such as Key Vault); otherwise leave it Off if you don’t need to store those tokens.
- Leave the MS Graph permissions at their defaults, then select Add at the bottom of the page.
- Now your app is configured! You can see the AD application related to your app service under the identity provider. By clicking on it, you’ll be able to configure more precisely which users can access your app, etc.
2. Test your web app
The final step is to test your web app and see if it works with easy auth. By default, you must be logged in with a Microsoft account that is part of your AD tenant; otherwise you’ll be asked to log in.
To do this:
- Browse to your web app’s URL (for example, https://mywebapp.azurewebsites.net). You should be redirected to a sign-in page where you can enter credentials from an account in your organization.
After signing in successfully, you should be able to access your webapp.
And that’s it! This is how you can easily set up basic authentication using the Microsoft identity provider, without writing any code 😊
Of course, you can go even further by tweaking the settings of the Azure AD app, for example to allow access only to a limited group of users by using AD groups.
What if I need to access tokens in my app code?
As mentioned before, if you ever need to access tokens in your app code, they are available in the token store of your application.
- For an API, they are injected into the HTTP headers of each request, for example X-MS-TOKEN-AAD-ID-TOKEN and X-MS-TOKEN-AAD-ACCESS-TOKEN.
- For a web app running on the client side (an Angular app, for example), you can access the tokens through the following endpoint: https://myappurl/.auth/me
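As an added example (not code from the original post), here is a small Python module showing both ways of consuming these tokens: reading the X-MS-TOKEN-AAD-* headers on the API side, and reading the JSON that /.auth/me returns on the client side. The X-MS-CLIENT-PRINCIPAL-NAME header and the shape of the /.auth/me response (a list with one entry per provider, carrying tokens and a flat list of typ/val claims) are assumed from the Easy Auth documentation rather than taken from the post; every token, claim and header value below is constructed for the example.

```python
import base64
import json

# Header names injected by App Service Easy Auth on requests that have passed
# its authentication layer. The two token headers are the ones named in the post;
# X-MS-CLIENT-PRINCIPAL-NAME is a documented companion header (assumption here).
ID_TOKEN_HEADER = "X-MS-TOKEN-AAD-ID-TOKEN"
ACCESS_TOKEN_HEADER = "X-MS-TOKEN-AAD-ACCESS-TOKEN"
PRINCIPAL_NAME_HEADER = "X-MS-CLIENT-PRINCIPAL-NAME"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    Inside App Service this is acceptable because Easy Auth validated the token
    before injecting the header. Outside that boundary (local runs, a proxy that
    forwards arbitrary headers) the header can be set by the caller, so this is
    a claim reader, not an authentication check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def user_from_headers(headers: dict) -> dict:
    """API scenario: identify the signed-in user from Easy Auth request headers."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    id_token = lowered.get(ID_TOKEN_HEADER.lower())
    if not id_token:
        # No token header means the request did not come through Easy Auth.
        raise PermissionError("request did not pass through Easy Auth")
    claims = jwt_claims(id_token)
    return {
        "name": lowered.get(PRINCIPAL_NAME_HEADER.lower()),
        "oid": claims.get("oid"),
        "tenant": claims.get("tid"),
        "has_access_token": ACCESS_TOKEN_HEADER.lower() in lowered,
    }


def user_from_auth_me(payload: list) -> dict:
    """Client-side scenario: read the JSON returned by GET /.auth/me."""
    aad = next((e for e in payload if e.get("provider_name") == "aad"), None)
    if aad is None:
        raise PermissionError("no Azure AD session in /.auth/me response")
    claims = {c["typ"]: c["val"] for c in aad.get("user_claims", [])}
    return {
        "user_id": aad.get("user_id"),
        "tenant": claims.get("tid"),
        "access_token": aad.get("access_token"),
        "expires_on": aad.get("expires_on"),
    }


# ---- Constructed sample data (not captured from a real App Service) ----

def _sample_jwt(claims: dict) -> str:
    # Header and payload are real JSON; the signature segment is a dummy.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"


SAMPLE_CLAIMS = {
    "oid": "00000000-0000-0000-0000-000000000001",
    "tid": "11111111-1111-1111-1111-111111111111",
    "preferred_username": "alice@contoso.example",
}

SAMPLE_HEADERS = {
    ID_TOKEN_HEADER: _sample_jwt(SAMPLE_CLAIMS),
    ACCESS_TOKEN_HEADER: "constructed-access-token",
    PRINCIPAL_NAME_HEADER: "alice@contoso.example",
}

SAMPLE_AUTH_ME = [{
    "provider_name": "aad",
    "user_id": "alice@contoso.example",
    "access_token": "constructed-access-token",
    "expires_on": "2030-01-01T00:00:00.0000000Z",
    "id_token": SAMPLE_HEADERS[ID_TOKEN_HEADER],
    "user_claims": [{"typ": k, "val": v} for k, v in SAMPLE_CLAIMS.items()],
}]

if __name__ == "__main__":
    print(user_from_headers(SAMPLE_HEADERS))
    print(user_from_auth_me(SAMPLE_AUTH_ME))
```

The point a practitioner should take from `jwt_claims` is that it decodes the payload without checking the signature: that is only safe because the request reached the app through the App Service front end with easy auth switched on. If the same code runs locally, or behind a reverse proxy that forwards whatever X-MS-* headers a client sends, the headers are attacker-controlled input, so keep easy auth as the authentication check and treat these helpers as a way to read who was authenticated, not as a way to authenticate.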
GG, you have successfully enabled easy auth on your app service using Azure AD as the identity provider 🔥
Good luck & happy learning 👨💻❤️