articles/container-apps/authentication-entra.md
Lines changed: 52 additions & 23 deletions
@@ -5,7 +5,7 @@ services: container-apps
5
5
author: craigshoemaker
6
6
ms.service: azure-container-apps
7
7
ms.topic: how-to
8
-
ms.date: 04/20/2022
8
+
ms.date: 12/17/2024
9
9
ms.author: cshoe
10
10
---
11
11
@@ -52,27 +52,54 @@ First, you create your app registration. As you do so, collect the following inf
52
52
53
53
To register the app, perform the following steps:
54
54
55
-
1. Sign in to the [Azure portal], search for and select **Container Apps**, and then select your app. Note your app's **URL**. You use it to configure your Microsoft Entra app registration.
56
-
1. From the portal menu, select **Microsoft Entra ID**, then go to the **App registrations** tab and select **New registration**.
57
-
1. In the **Register an application** page, enter a **Name** for your app registration.
58
-
1. In **Redirect URI**, select **Web** and type `<app-url>/.auth/login/aad/callback`. For example, `https://<hostname>.azurecontainerapps.io/.auth/login/aad/callback`.
59
-
1. Select **Register**.
60
-
1. After the app registration is created, copy the **Application (client) ID** and the **Directory (tenant) ID** for later.
61
-
1. Select **Authentication**. Under **Implicit grant and hybrid flows**, enable **ID tokens** to allow OpenID Connect user sign-ins from Container Apps. Select **Save**.
62
-
1. (Optional) Select **Branding**. In **Home page URL**, enter the URL of your container app and select **Save**.
63
-
1. Select **Expose an API**, and select **Set** next to *Application ID URI*. The ID value uniquely identifies your application when it's used as a resource, which allows requested tokens to grant access. The value is also used as a prefix for scopes you create.
64
-
65
-
For a single-tenant app, you can use the default value, which is in the form `api://<application-client-id>`. You can also specify a more readable URI like `https://contoso.com/api` based on one of the verified domains for your tenant. For a multitenant app, you must provide a custom URI. To learn more about accepted formats for App ID URIs, see the [app registrations best practices reference](../active-directory/develop/security-best-practices-for-app-registration.md#application-id-uri).
66
-
67
-
The value is automatically saved.
68
-
69
-
1. Select **Add a scope**.
70
-
1. In **Add a scope**, the **Application ID URI** is the value you set in a previous step. Select **Save and continue**.
71
-
1. In **Scope name**, enter *user_impersonation*.
72
-
1. In the text boxes, enter the consent scope name and description you want users to see on the consent page. For example, enter *Access <application-name>*.
73
-
1. Select **Add scope**.
74
-
1. (Optional) To create a client secret, select **Certificates & secrets** > **Client secrets** > **New client secret**. Enter a description and expiration and select **Add**. Copy the client secret value shown on the page as the site won't display it to you again.
75
-
1. (Optional) To add multiple **Reply URLs**, select **Authentication**.
55
+
1. Sign in to the [Azure portal].
56
+
1. Search for and select **Container Apps**, and then select your app. In the *Overview* page, note your app's **Application Url**. You use it to configure your Microsoft Entra app registration.
57
+
1. Select **Home** to return to the portal main menu. Search for and select **Microsoft Entra ID**.
58
+
1. In the *Overview* page, select **Add**, then select **App registration**.
59
+
1. In the *Register an application* page, enter a **Name** for your app registration.
60
+
1. In *Redirect URI*, select **Web** and enter the following. Replace `\<APP_URL\>` with the application URL you noted previously.
61
+
62
+
`<APP_URL>/.auth/login/aad/callback`.
63
+
64
+
For example: `https://<CONTAINER_APP_NAME>.<HOSTNAME>.<LOCATION>.azurecontainerapps.io/.auth/login/aad/callback`.
65
+
66
+
1. In **Implicit grant and hybrid flows**, enable **ID tokens** to allow OpenID Connect user sign-ins from Container Apps.
67
+
1. Select **Register**.
68
+
1. Browse to the new app registration.
69
+
1. In the *Overview* page, copy the **Application (client) ID** and the **Directory (tenant) ID** for later.
70
+
1. (Optional) If you did not add the redirect URI to the app registration previously, you can do so now.
71
+
1. In **Managed**, select **Authentication**.
72
+
1. In the *Authentication* page, in *Platform configurations*, select **Add a platform**.
73
+
1. In *Configure platforms*, select **Web**.
74
+
1. In *Configure Web*, in **Redirect URIs**, enter the following. Replace `\<APP_URL\>` with the application URL you noted previously.
75
+
76
+
`<APP_URL>/.auth/login/aad/callback`.
77
+
78
+
For example: `https://<CONTAINER_APP_NAME>.<HOSTNAME>.<LOCATION>.azurecontainerapps.io/.auth/login/aad/callback`.
79
+
80
+
1. Select **Configure**.
81
+
1. (Optional) In *Manage*, select **Branding & properties**. In **Home page URL**, enter the URL of your container app and select **Save**.
82
+
1. In *Manage*, select **Expose an API**.
83
+
1. Select **Add** next to *Application ID URI*.
84
+
85
+
The **Application ID URI** uniquely identifies your application when it's used as a resource, which allows requested tokens to grant access. The value is also used as a prefix for scopes you create.
86
+
87
+
For a single-tenant app, you can use the default value, which is in the form `api://<application-client-id>`. You can also specify a more readable URI like `https://contoso.com/api` based on one of the verified domains for your tenant. For a multitenant app, you must provide a custom URI. To learn more about accepted formats for App ID URIs, see the [app registrations best practices reference](../active-directory/develop/security-best-practices-for-app-registration.md#application-id-uri).
88
+
89
+
The value is automatically saved.
90
+
91
+
1. Select **Add a scope**.
92
+
1. In **Add a scope**, the **Application ID URI** is the value you set in a previous step.
93
+
1. Select **Save and continue**.
94
+
1. In **Scope name**, enter *user_impersonation*.
95
+
1. Enter the **Admin consent display name** and **Admin consent description** you want admins to see on the consent page. An example consent display name is *Access <application-name>*.
96
+
1. Select **Add scope**.
97
+
1. In *Manage*, select **Certificates & secrets**.
98
+
1. In the *Certificates & secrets* page, select **Client secrets**.
99
+
1. Select **New client secret**.
100
+
1. Enter a **Description** and select when the secret **Expires**.
101
+
1. Select **Add**.
102
+
1. Copy the client secret value shown on the page as the site won't show it to you again.
76
103
77
104
### <aname="entra-id-secrets"> </a>Enable Microsoft Entra ID in your container app
78
105
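Review bot: the new step "In **Implicit grant and hybrid flows**, enable **ID tokens**" now appears before "Select **Register**", while the removed text performed it from **Authentication** after registration and ended with "Select **Save**"; the new list has no save step at all, so either confirm that **Register** persists this setting or restore the **Authentication** > **Save** sequence. Two smaller issues in the same block: the placeholder is written as `\<APP_URL\>` inside backticks (backslashes are literal in inline code, so readers will see them) and should match the unescaped `<APP_URL>` used on the following code line; and "In **Managed**, select **Authentication**" should read *Manage*, consistent with "In *Manage*, select **Branding & properties**", "In *Manage*, select **Expose an API**" and "In *Manage*, select **Certificates & secrets**". The redirect-URI instructions plus example URL are repeated verbatim in the optional re-add step; keeping them once and pointing the optional step back to them would avoid drift. Finally, the client-secret steps drop the former "(Optional)" marker; since the table further down states that an unset secret falls back to implicit flow, which this same change warns against, say explicitly that the secret is required for hybrid flow so the two parts of the article agree.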
@@ -84,7 +111,9 @@ To register the app, perform the following steps:
84
111
|Field|Description|
85
112
|-|-|
86
113
|Application (client) ID| Use the **Application (client) ID** of the app registration. |
87
-
|Client Secret| Use the client secret you generated in the app registration. With a client secret, hybrid flow is used and the app returns access and refresh tokens. When the client secret isn't set, implicit flow is used and only an ID token is returned. The provider sends the tokens and they're stored in the EasyAuth token store.|
114
+
|Client Secret| Use the client secret you generated in the app registration. With a client secret, hybrid flow is used and the app returns access and refresh tokens. When the client secret isn't set, implicit flow is used and only an ID token is returned. The provider sends the tokens and they're stored in the EasyAuth token store.
115
+
116
+
> [!WARNING] Microsoft recommends you do not use the implicit grant flow. In most scenarios, more secure alternatives are available and recommended. Certain configurations of this flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable. For more information, see the [security concerns with implicit grant flow](/entra/identity-platform/v2-oauth2-implicit-grant-flow#security-concerns-with-implicit-grant-flow). |
88
117
|Issuer Url| Use `<authentication-endpoint>/<TENANT-ID>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (for example, "https://login.microsoftonline.com" for global Azure), also replacing *\<TENANT-ID>* with the **Directory (tenant) ID** in which the app registration was created. This value is used to redirect users to the correct Microsoft Entra tenant, and to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. For applications that use Azure AD v1, omit `/v2.0` in the URL.|
89
118
|Allowed Token Audiences| The configured **Application (client) ID** is *always* implicitly considered to be an allowed audience. If this value refers to a cloud or server app and you want to accept authentication tokens from a client container app (the authentication token can be retrieved in the `X-MS-TOKEN-AAD-ID-TOKEN` header), add the **Application (client) ID** of the client app here. |
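Review bot: this hunk breaks the markdown table: the rewritten `|Client Secret|` row no longer ends with a closing `|`, and the blank line after it terminates the table, so the `> [!WARNING] ... |` line renders as a blockquote outside the table (with a stray trailing `|`) and the `|Issuer Url|` and `|Allowed Token Audiences|` rows become a second, header-less table. Restore the closing `|` on the Client Secret row and move the warning to its own alert block after the table, written as `> [!WARNING]` on one line followed by `> Microsoft recommends you do not use the implicit grant flow. ...` on the next, which is the alert syntax the docs tooling expects. In the warning text, "Certain configurations of this flow requires" should be "require". The row itself still says an absent secret silently falls back to implicit flow; since the added warning tells readers not to use that flow, the row should tell them to set the secret so that hybrid flow is used.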