1
votes

I am trying to set up an Azure App Service that uses Azure AD as authentication provider and lock down the access to AD only via ARM template.

Basically from "Allow Anonymous requests (no action)"

[Screenshot: Action to take when request is not authenticated]

to "Log in with Azure Active Directory"

[Screenshot: Action to take when request is not authenticated]

I figured it must be one of the properties under properties -> siteAuthSettings, but it doesn't seem to work. Here is my template:

{
  "apiVersion": "2015-04-01",
  "name": "web",
  "type": "config",
  "dependsOn": [
    "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]"
  ],
  "properties": {
    "siteAuthEnabled": true,
    "siteAuthSettings": {
      "enabled": true,
      "httpApiPrefixPath": null,
      "unauthenticatedClientAction": 0,
      "tokenStoreEnabled": null,
      "allowedExternalRedirectUrls": null,
      "defaultProvider": 0,
      "clientId": "[parameters('clientId')]",
      "clientSecret": null,
      "issuer": "[parameters('issuerUrl')]",
      "allowedAudiences": null,
      "additionalLoginParams": null,
      "isAadAutoProvisioned": false,
      "aadClientId": "[parameters('clientId')]",
      "openIdIssuer": "[parameters('issuerUrl')]",
      "googleClientId": null,
      "googleClientSecret": null,
      "googleOAuthScopes": null,
      "facebookAppId": null,
      "facebookAppSecret": null,
      "facebookOAuthScopes": null,
      "twitterConsumerKey": null,
      "twitterConsumerSecret": null,
      "microsoftAccountClientId": null,
      "microsoftAccountClientSecret": null,
      "microsoftAccountOAuthScopes": null
    }
  }
}

Can't seem to figure it out, any suggestions are welcome!

1 Answer

1
votes

Your template looks quite ok. This example works fine for my apps:

{
  "apiVersion": "2015-08-01",
  "name": "web",
  "type": "config",
  "dependsOn": [
    "[resourceId('Microsoft.Web/Sites', parameters('webAppName'))]"
  ],
  "properties": {
    "siteAuthEnabled": "[parameters('enableAadAuthentication')]",
    "siteAuthSettings": {
      "clientId": "[parameters('aadClientId')]",
      "issuer": "[parameters('aadIssuerUrl')]",
      "isAadAutoProvisioned": false
    }
  }
}

The only difference I can see is "apiVersion": "2015-08-01", so you should double check that and your actual parameters. Your issuerUrl should look something like this: https://login.microsoftonline.com/mytenant.onmicrosoft.com
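
A pre-deployment check for the template shape discussed above, as an added example that is not part of the original question or answer. It resolves the `[parameters('...')]` expressions against supplied values and reports when a nested `config`/`web` resource would leave authentication off or misconfigured. The function names, the sample parameter values and the issuer prefix test (taken from the URL format shown in the answer) are assumptions.

```python
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Constructed sample: the answer's config resource, nested under a site resource.
SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.Web/sites",
    "name": "[parameters('webAppName')]",
    "resources": [{
        "apiVersion": "2015-08-01", "name": "web", "type": "config",
        "properties": {
            "siteAuthEnabled": "[parameters('enableAadAuthentication')]",
            "siteAuthSettings": {
                "clientId": "[parameters('aadClientId')]",
                "issuer": "[parameters('aadIssuerUrl')]",
                "isAadAutoProvisioned": False}}}]}]}

def resolve(value, params):
    """Swap a bare [parameters('x')] expression for the supplied value."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params.get(m.group(1)) if m else value

def iter_resources(resources):
    """Yield every resource, including nested child resources."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))

def audit_auth(template, params):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    # Only the nested child form used on this page (type "config", name "web").
    configs = [r for r in iter_resources(template.get("resources"))
               if r.get("type") == "config" and r.get("name") == "web"]
    if not configs:
        findings.append("no 'web' config resource: template does not set auth")
    for res in configs:
        props = res.get("properties", {})
        auth = props.get("siteAuthSettings") or {}
        if resolve(props.get("siteAuthEnabled"), params) is not True:
            findings.append("siteAuthEnabled does not resolve to true")
        if not resolve(auth.get("clientId"), params):
            findings.append("clientId is empty")
        # Assumption: issuer follows the URL format quoted in the answer.
        issuer = str(resolve(auth.get("issuer"), params) or "")
        if not issuer.startswith("https://login.microsoftonline.com/"):
            findings.append("issuer is not under https://login.microsoftonline.com/")
    return findings
```

Run `audit_auth` with the same parameter values the deployment will use; a non-empty result means the site would deploy without the intended Azure AD settings.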