Configuring Authorization JSON Files for Azure App Service

Configuring authorization.json files for Azure App Service is a crucial step in securing your web application. You can store the authorization settings in a JSON file named authorization.json in the root of your project.

The authorization.json file contains a key called "AzureActiveDirectory", which specifies the Azure Active Directory settings for your application. This key is used to configure authentication with Azure Active Directory.

To configure Azure Active Directory settings, you need to provide the tenant ID, client ID, and client secret. The tenant ID is a unique identifier for your Azure Active Directory tenant, and the client ID is the application ID of your Azure App Service. The client secret is a secret key that you need to keep secure.

The authorization.json file can be configured to use different authentication providers, such as Azure Active Directory, Facebook, or Google. Each provider requires different settings and configuration.

To decode the client principal header, you need to look at the X-MS-CLIENT-PRINCIPAL header, which contains the full set of available claims as Base64 encoded JSON.

The decoded payload is structured as follows:

To process this header, your app needs to decode the payload and iterate through the claims array to find the claims of interest.

In Azure App Service, you can configure additional checks to determine which requests are allowed to access your application. These checks include allowing requests only from the application itself, specific client applications, or any application.

You can customize these settings now or adjust them later from the main Authentication screen. To configure additional checks, you can choose from three options: allow requests only from the application itself, allow requests from specific client applications, or allow requests from any application.

The Identity requirement setting allows you to choose whether to allow requests from any identity, specific identities, or only from the issuer tenant.

To restrict access further, you can use a built-in authorization policy. This policy can be configured through the App Service authentication V2 API, and it includes a defaultAuthorizationPolicy object that can be used to limit access.

The defaultAuthorizationPolicy object has several properties, including allowedApplications, allowedPrincipals, and identities. The allowedApplications property is an allowlist of string application client IDs, and the allowedPrincipals property is a grouping of checks that determine if the principal represented by the incoming request may access the app.

Here are the properties of the defaultAuthorizationPolicy object:

Additionally, some checks can be configured through an application setting, regardless of the API version being used. The WEBSITE_AUTH_AAD_ALLOWED_TENANTS application setting can be configured with a comma-separated list of up to 10 tenant IDs to require that the incoming token is from one of the specified tenants.

To configure Azure App Service, you'll need to create an authorization.json file in the root directory of your repository. This file contains configuration settings for authentication and authorization.

The authorization.json file must be placed in the root directory of your repository, not in a subdirectory. This ensures that Azure App Service can find and load the file correctly.

In the authorization.json file, you can specify the authentication providers you want to use, such as Azure Active Directory or GitHub. By default, Azure App Service allows all authentication providers, but you can restrict access to specific providers if needed.

When choosing an app registration, you have two options: create a new one or use an existing registration.

You can create a new app registration automatically, unless you need to create one separately. This is the recommended option, as you can customize the registration later in the Microsoft Entra admin center.

There are certain situations where you may need to use an existing app registration, such as if you're working with a government cloud or if you need to create a registration separately.

Here are some options for creating a new app registration:

You can change the name of the registration or the supported account types later if you want.

Configure Additional Checks is a crucial aspect of App Service Configuration. This feature determines which requests are allowed to access your application.

You can customize this behavior now or adjust these settings later from the main Authentication screen by choosing Edit next to Authentication settings.

There are three options to allow requests from specific applications: Allow requests only from this application itself, Allow requests from specific client applications, and Allow requests from any application (Not recommended).

For Identity requirement, you have three options: Allow requests from any identity, Allow requests from specific identities, and Allow requests from specific tenants.

Here are the options for handling requests:

Your app may still need to make additional authorization decisions in code. For more information, see Use a built-in authorization policy.

Security is a top priority when it comes to Azure App Service. To ensure that only authorized applications can access your App Service, you can configure a daemon client application to use its own identity to request an access token.

This involves registering the client application in Microsoft Entra, creating a client secret, and then using the client ID and client secret to request an access token. The resulting access token can then be presented to the target App Service using the standard OAuth 2.0 Authorization header.

To further restrict access, you can define an App Role in the manifest of the app registration representing the App Service or Function app you want to protect. This allows you to specify which client applications are authorized to access the App Service.

Here are the allowedApplications and allowedPrincipals properties that can be configured in the defaultAuthorizationPolicy object:

By configuring these properties, you can ensure that only authorized applications can access your App Service, providing an additional layer of security and control.

Decoding the client principal header is a crucial step in processing the claims contained within. This process involves decoding the X-MS-CLIENT-PRINCIPAL header, which contains the full set of available claims as Base64 encoded JSON.

The decoded payload is structured in a specific way, with the following properties: auth_typ, claims, typ, val, name_typ, and role_typ.

The claims property is an array of objects, each containing typ and val properties. These properties represent the available claims, with typ being the name of the claim and val being its value.

To process this header, your app needs to iterate through the claims array to find the claims of interest. This might involve converting them into a representation used by the app's language framework.

Here's a breakdown of the properties found in the decoded payload:

You can use built-in checks to limit access to your app, which is especially useful for common scenarios. This approach is often more efficient than implementing custom authorization logic in your application code.

The Microsoft identity platform provides built-in checks that you can use to restrict access. These checks can be configured via Azure Resource Manager templates or the REST API.

To enable built-in checks, you'll need to configure the defaultAuthorizationPolicy object within the API object. This object groups requirements that must be met in order to access the app.

A defaultAuthorizationPolicy object includes a logical AND over each of its configured properties, such as allowedApplications and allowedPrincipals. If both are configured, the incoming request must satisfy both requirements to be accepted.

Here's a breakdown of the defaultAuthorizationPolicy object's properties:

Additionally, you can configure some checks through an application setting, regardless of the API version being used. The WEBSITE_AUTH_AAD_ALLOWED_TENANTS application setting can be configured with a comma-separated list of up to 10 tenant IDs to require that the incoming token is from one of the specified tenants.