Microsoft.Web sites/config 'authsettingsV2' - Configure App Service app to use Azure AD login

[kgundraju]

Hi Team,

I am trying to add AAD authentication on one of the appservice, Usually in portal we have multiple options to pass the clientID, but when it comes to ARM/Bicep is it necessary to pass existing client or is there any way that this resource provider itself will create a clientID and creates the authentication.

[alex-frankel]

Converted this to a discussion as this is more general Q&A -- cc @brwilkinson as FYI

[slapointe]

Just to make sure, are you referring to this experience in the App Service Authentication UI ?

If so, the portal in some use cases does some extra steps on your behalf to ease your life. The resource provider usually supports having the information only, not creating resources in other Azure places.

As far as I know, you will need to provide your deployment with the required information. The AAD application needs to exist prior to the resource update.

There is something in the doc that indicates if the provisioning of the application was done by the portal or not, it is internal only and not something you can trigger yourself from a template.

isAutoProvisioned
Gets a value indicating whether the Azure AD configuration was auto-provisioned using 1st party tooling. This is an internal flag primarily intended to support the Azure Management Portal. Users should not read or write to this property.

Ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=bicep

Are you using PowerShell or Azure CLI to trigger your deployment? It could be a good place to create the app in AAD if it doesn't exist or retrieve it if it does, then you could pass that information to your deployment via parameters.

[kgundraju]

@slapointe Thank you for the information.

Along with the appservice/Functionapp one enterprise application is being created in Active Directory like below

using applicationID of the EA instead of ClientID is not preferable? because when I try adding appID or ObjectID of this Enterprise application I could see below error

Please suggest!

[slapointe]

Are you sure you are in the same tenant as your enterprise application? Is it your application or a SaaS from another company?

I am asking because If I pick the Application (client) Id from an enterprise application I created in AAD and paste it into the App Service form, it works for me.

[kgundraju]

I was actually using appID of appservice/functionApp managed Identity

Is this not a preferable approach?

Creation of app registration prior to this is mandatory?

[slapointe]

A managed identity is for your application to interact with other Azure resources like Key Vault, a storage account, etc. It is not meant for your users authentication. For this, as far as I know, you need an App Registration.

[kgundraju]

Thank you for the information! This helps a lot.

[brwilkinson]

@kgundraju did you get everything you needed from this discussion? Did you want to mark it as answered? Or else let us now if you have further queries?

[kgundraju]

yeah it helped, please mark it as answered.