To get started with Azure Application ID and Azure AD, you'll first need to create an Azure AD tenant. This is the foundation of your Azure AD infrastructure.
An Azure AD tenant is essentially a container that holds all your organization's user and group information. You can create one for free.
Azure AD is an identity and access management service that provides a centralized location for managing user identities and access to your Azure resources.
You'll need to register an application in Azure AD to obtain an Azure Application ID. This is a unique identifier for your application.
Azure AD Setup
You can select ‘Microsoft’ as your Identity provider from the drop-down, and the rest of the settings can remain as default. Make sure to read through each configuration option to understand what they do.
Before clicking ‘Add,’ ensure that Authentication is set to Require authentication. If you set it to Allow unauthenticated access, users won’t be prompted or required to sign in.
Create Client Secret for New Application
To create a client secret for your new application, you'll need to follow these steps. First, navigate to the Certificates & secrets page by selecting Manage on the left side menu and then clicking on Certificates & secrets.
Under the Client secrets tab, click on New client secret to initiate the process. You'll then be prompted to provide a Description for the new secret and select the period after which the secret expires.
Select the desired expiration period and click Add to create the client secret. You'll be able to copy the secret value, but be warned that it won't be accessible after you proceed from here, so make sure to save it somewhere safe for later use.
Azure AD Service Principals
Azure AD Service Principals are a type of security principal that represents an application requiring authorization to a specific Azure resource. They are used to authenticate against the Azure App Service.
Service principals are considered more secure than regular service accounts because their scope of access is narrower, whereas regular service accounts often carry broad permissions.
To set up a service principal, you need to configure a security principal in Azure that can authenticate against the Azure App Service. There are two kinds of security principals: user principals, which represent Active Directory users, and service principals, which represent an application requiring authorization to a specific Azure resource.
Here are some key differences between user and service principals:
Service principals are often used to authenticate against the Azure App Service, especially when using Postman to send requests to the service. To do this, you need to configure a security principal in Azure that can authenticate against the service.
By using service principals, you can ensure that your application has the necessary permissions to access the Azure App Service, while also limiting the scope of access to prevent unauthorized access.
Authentication Process
You should only see the permissions consent dialog the first time you log on to your web app (or when you add additional permissions to the web app). It simply asks you to consent to the permissions granted in that step.
Click ‘Accept’ and sign in to access your web app. To access your web app's endpoints using Postman, you need to configure a security principal in Azure that can authenticate against the Azure App Service.
This involves setting up a simple GET endpoint on your web app that you can call from Postman. To do this, create a new file called DemoController.cs and wire the new controller up in your Startup.cs.
Once you have added all of the above code to your app, start it up on localhost. You can then configure Postman to send a GET request to the sayhello endpoint. Since authentication is taken care of on your App Service, you should be able to access this endpoint and see Hello World! when running locally with no problems.
However, after publishing, you will receive a 401 Unauthorized response when trying to access the same endpoint using Postman. To resolve this, you need to request an access token using Postman.
This involves creating a new POST request and configuring the request body as form data with the client ID, client secret, grant type, and resource. You can then send the POST request to the token endpoint and receive a bearer access token.
Before trying to access the sayhello endpoint, you need to add the Application ID URI you used in the Postman token request to the ‘Allowed token audiences’ in your Azure App Service authentication settings. You can then copy and paste the access token into the ‘Current Token’ section in Postman.
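The Postman flow above, as an added example that is not code from the original article: build the client-credentials token request with the same form fields, then decode the returned bearer token's claims to see whether its audience matches what you put in ‘Allowed token audiences’ (the usual cause of the 401). The tenant ID, client ID, Application ID URI and the sample token are constructed placeholders.

```python
import base64
import json
import time

# Constructed placeholder values, not identifiers from the original article.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
APP_ID_URI = "api://11111111-1111-1111-1111-111111111111"


def build_token_request(tenant_id, client_id, client_secret, resource):
    """Return (url, form_fields) for the v1 client-credentials grant the
    article drives from Postman: client ID, secret, grant type and resource."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,  # the Application ID URI of the protected app
    }
    return url, form


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Decode a bearer token's payload WITHOUT verifying the signature.
    Inspection only: the signature check stays with App Service."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def audience_allowed(claims, allowed_audiences, now=None):
    """Mirror the 'Allowed token audiences' check: aud must be listed
    and the token must not be expired."""
    now = time.time() if now is None else now
    return claims.get("aud") in allowed_audiences and claims.get("exp", 0) > now


def make_sample_token(aud, exp):
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud, 'exp': exp, 'appid': CLIENT_ID})}."
```

A token whose aud is the client ID rather than the Application ID URI fails this check, which is exactly the mismatch the Postman 401 usually comes from.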
IDP Connection and Authorization
To connect an Identity Provider (IDP) to Azure, you need to log in to your Harmony SASE Management Platform and navigate to Settings, then Identity Providers.
You can add a new provider by selecting + Add Provider, and then choose Microsoft Azure AD. Fill in the required information, including your Microsoft Azure AD Domain, Client ID, and Client Secret.
To set up authentication, select Microsoft as your Identity provider and click 'Add Identity Provider.' Make sure Authentication is set to Require authentication to prompt users to sign in.
Here are the basic steps to follow:
- Log in to your Harmony SASE Management Platform.
- Navigate to Settings, then Identity Providers.
- Choose Microsoft Azure AD as the provider.
- Fill in the required information.
- Set Authentication to Require authentication.
Configuring IDP Connection
Configuring the IDP connection is a straightforward process that requires some basic information about your Microsoft Azure AD setup. To get started, log in to your Harmony SASE Management Platform and navigate to Settings, then Identity Providers.
The first step is to select + Add Provider, which will prompt you to choose Microsoft Azure AD as your provider. This is a crucial step, as it enables the connection between your Harmony SASE platform and your Azure AD.
Next, you'll need to fill in some specific details about your Azure AD setup. This includes your Microsoft Azure AD Domain, which is the name of your domain (for example, harmonysase.com). You can also add Domain Aliases if necessary.
After entering your domain information, you'll need to provide your Client ID and Client Secret. These are unique identifiers that allow your Harmony SASE platform to authenticate with your Azure AD.
Once you've filled in all the required information, click Save to complete the IDP connection configuration.
AAD Authentication and Role-Based Authorization
AAD authentication is a zero-code solution for authentication that acts as a gateway in front of your Azure App Service's site/API. It's easy to set up and simple to maintain, with everything managed through the Azure portal.
To implement AAD authentication, follow the steps outlined in Example 3: navigate to App Service Settings->Authentication (NOT classic) and click 'Add Identity Provider.' Then select 'Microsoft' as your Identity provider from the drop-down.
Using AAD authentication has several advantages, including ease of setup and maintenance. It is also cost-effective, since you leverage an existing authentication service, Microsoft's Azure Active Directory (AAD), instead of building and maintaining your own.
Role-based authorization can be implemented using AAD authentication, but it requires some code configuration. As mentioned in Example 2, this can be done using third-party middleware like MaximRouiller's easy auth middleware or Microsoft.Identity.Web package.
Here's a summary of the advantages of using AAD authentication:
AAD authentication is a powerful tool for authenticating users and authorizing access to your Azure App Service. By following the steps outlined in this article and using the right tools, you can easily implement AAD authentication and role-based authorization in your application.