Securing Applications with Azure Active Directory

Mahsa Hanifi
5 min read · Feb 12, 2021

If your application doesn’t have the traditional user authentication flow, there is still a way to protect daemon-to-daemon calls using Azure Active Directory. This post shows a step-by-step setup for securing your application in those scenarios.

Prerequisites

  • Azure subscription
  • Access to Azure Active Directory in the subscription

To set up the client credentials flow, we need to start from the API side. In this post, we are focusing on the setup in ASP.NET Core.

API App Registration

  • In Azure Portal, navigate to Active Directory, click on “App registrations”, then click on “New registration”.
  (Screenshot: New Registration)
  • On the new page, in the “Name” section, enter a meaningful name like API, leave the supported account type as “Accounts in this organization directory only (Single tenant)” and click on “Register”.
  • On the left bar, select “Expose an API”, then click on “Set”.
  (Screenshot: Expose an API)

A suggested value will be generated, which you can modify. Keep the suggested value and click “Save”.

  (Screenshot: Generated URI to get access to an API)
  • On the left, select “Manifest”, find “appRoles” and add the following json to it:

At this point, the settings for the API app registration in Azure Active Directory are done.

Now let’s go through the settings that are required for an ASP.NET Core app.

Add the Secrets in the code

The following values need to be added to your API secrets, the “secrets.json” file.

Get the ClientId and TenantId values from the “Overview” page of the app registration that you just created. The “Instance” value is a constant.

Now, in the “ConfigureServices” method of the “Startup” class, add the following authentication:

Then, in the “Configure” method, we should make sure that the “/health” endpoint remains unprotected while all other controllers are protected. Also, if you use “Swagger”, you need to make sure to leave it outside of the protection. Here is what needs to be added:
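Here is how the API-side pieces described above fit together, as an added example that is not the article's own code. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer and Swashbuckle.AspNetCore packages, an “AzureAd” section in secrets.json with Instance, TenantId and ClientId, that the suggested App ID URI (api://<ClientId>) was kept, and an app role value of Api.Access (an assumed name).

```csharp
// Added example, not the article's own code: API-side Startup that accepts only daemon tokens
// carrying the app role and leaves /health and Swagger open. Assumes the JwtBearer and
// Swashbuckle packages and an "AzureAd" section in secrets.json with Instance, TenantId, ClientId.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Must equal the "value" of the appRoles entry in the API manifest (assumed), e.g.
    // { "allowedMemberTypes": ["Application"], "value": "Api.Access", "id": "<new GUID>", "isEnabled": true, ... }
    private const string RequiredAppRole = "Api.Access";
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        var azureAd = Configuration.GetSection("AzureAd");
        var clientId = azureAd["ClientId"];
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Instance is the constant https://login.microsoftonline.com/; the tenant pins the issuer.
                options.Authority = $"{azureAd["Instance"]}{azureAd["TenantId"]}";
                // Daemon tokens name the API by its App ID URI (api://<ClientId>, the suggested value) or bare ClientId.
                options.TokenValidationParameters.ValidAudiences = new[] { clientId, $"api://{clientId}" };
            });
        services.AddAuthorization(options =>
            // A valid token is not enough: the caller must also have been granted the app role.
            options.AddPolicy("ApiAccess", p => p.RequireAuthenticatedUser().RequireRole(RequiredAppRole)));
        services.AddControllers();
        services.AddHealthChecks();
        services.AddSwaggerGen();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseSwagger();   // Swagger runs ahead of authentication, so it stays reachable
        app.UseSwaggerUI();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapHealthChecks("/health");                          // no policy: stays open
            endpoints.MapControllers().RequireAuthorization("ApiAccess");  // every controller: protected
        });
    }
}
```

A token from a daemon that was registered but never granted the app role is rejected by the “ApiAccess” policy even though its signature and audience are valid.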

That’s it for the API side of your app. Let’s dive into the UI setup.

UI App Registration

As with the API app registration, follow the same steps to create a new app registration.

  • In Azure Portal, navigate to Active Directory and click on “App registrations”.
  • Then click on “New registration”.
  • On the new page, in the “Name” section, enter a meaningful name like “ui”, leave the supported account type as “Accounts in this organization directory only (Single tenant)” and click on “Register”.
  • On the left side, click on “Certificates & secrets”. Then create a new client secret.

You will be asked to provide a “Description” and an expiration. Choose the expiration according to your organization’s policies. Just note that if you select anything other than “Never”, this client secret needs to be updated when it expires.

After creating the client secret, keep the value somewhere safe so that you can later add it to the UI app secrets, the “secrets.json” file.

  • On the left side menu, find “API permissions”.
  • Click on “Add a permission” to give this app permission to the API app registration.
  • In the “Request API permissions” pane, select “My APIs”.
  • From the list that shows up, select the API registration that you created before. In the API section, we called it “api”.

You should be able to view the “appRole” that you added in the API app registration. Select that and “Add permissions”.

  • After adding the permission, the status will show as “Not granted for …” and the option “Grant admin consent for …” will be grayed out. This means that you don’t have permission to grant access to this API permission.

Now you need to contact your organization’s admins to get access. To find out who they are, go to the main page of the Azure Active Directory of your subscription and select “Roles and administrators” from the list. Look for “Global administrator” in that list; click on it and you will see the list of your organization’s admins who can grant consent for your application.

Once admin consent has been granted, the UI app registration is ready.

Add the Secrets in the code

The following values need to be added to your UI secrets, the “secrets.json” file.

Like the API secret settings, you can find the ClientId and TenantId values in the “Overview” page inside the UI app registration.

Note: “secrets.json” is used for development only. When you deploy the app to Azure, make sure to add the config values for both the UI and API app registrations to the App Services’ configuration, and use Azure Key Vault to keep your secrets.

Inside the UI code base, use the MSAL SDK for .NET, and implement an HTTP Message Handler.

Add the following to the “ConfigureServices” method of the “Startup” class:

You need to implement the “AuthenticationHttpMessageHandler” class. This class requests an access token from Azure Active Directory for the app registration, sets the authentication header value on the outgoing request, and forwards the message.

First, you need to create a method that builds a confidential client application using the app registration’s clientId and the client secret. This method uses that info to make an async call and fetch the access token. The result is then used to create an authentication header value. Finally, the request is sent with the authorization header value set.

There are many code samples on how to implement the message handler class that you can follow. Here is a sample pseudo implementation:
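The handler and its “ConfigureServices” registration described above, as an added example rather than the article's own sample. It assumes the Microsoft.Identity.Client (MSAL) package and configuration keys AzureAd:Instance, TenantId, ClientId, ClientSecret and ApiScope (the API's App ID URI), plus ApiBaseUrl; the key names ApiScope and ApiBaseUrl are assumptions.

```csharp
// Added example, not the article's own code: an MSAL DelegatingHandler that attaches a
// client-credentials token to each API call. Assumes Microsoft.Identity.Client and an "AzureAd"
// section in secrets.json with Instance, TenantId, ClientId, ClientSecret, ApiScope (assumed name).
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;

public class AuthenticationHttpMessageHandler : DelegatingHandler
{
    private readonly IConfidentialClientApplication _app;
    private readonly string[] _scopes;
    public AuthenticationHttpMessageHandler(IConfidentialClientApplication app, IConfiguration config)
    {
        _app = app;
        // "<API App ID URI>/.default" requests every app role granted to the UI registration.
        _scopes = new[] { $"{config["AzureAd:ApiScope"]}/.default" };
    }
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // MSAL returns the cached app token until it nears expiry, so Azure AD is not called per request.
        AuthenticationResult result = await _app.AcquireTokenForClient(_scopes).ExecuteAsync(cancellationToken);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        return await base.SendAsync(request, cancellationToken);
    }
}

public static class ApiClientRegistration
{
    // Call this from Startup.ConfigureServices.
    public static void AddApiClient(this IServiceCollection services, IConfiguration config)
    {
        var azureAd = config.GetSection("AzureAd");
        // One confidential client per process so the token cache is shared by all handlers.
        services.AddSingleton<IConfidentialClientApplication>(ConfidentialClientApplicationBuilder
            .Create(azureAd["ClientId"])
            .WithClientSecret(azureAd["ClientSecret"])
            .WithAuthority(new Uri($"{azureAd["Instance"]}{azureAd["TenantId"]}"))
            .Build());
        services.AddTransient<AuthenticationHttpMessageHandler>();
        services.AddHttpClient("api", c => c.BaseAddress = new Uri(config["ApiBaseUrl"])) // ApiBaseUrl: assumed key
            .AddHttpMessageHandler<AuthenticationHttpMessageHandler>();
    }
}
```

Callers obtain the client with IHttpClientFactory.CreateClient("api"), so the bearer token is attached without any code outside the handler ever touching the client secret.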

You are all set!

Mahsa Hanifi

Software Engineer at Microsoft. Live and work in Redmond, Washington.