Is it possible to script the configuration of Azure App Service Authentication?
I can answer this myself: this can indeed be scripted through an ARM template. (I'd originally tried using resources.azure.com
but it had not shown all of the config info for my site; logging out and back in again made it behave.) The solution is to use a nested resource within the Microsoft.Web/sites
resource for your web app of type config
and name web
to specify the settings, e.g.:
{ "type": "Microsoft.Web/sites", ... "resources": [ { "apiVersion": "2015-04-01", "name": "web", "type": "config", "dependsOn": [ "[resourceId('Microsoft.Web/sites', parameters('someName'))]" ], "properties": { "siteAuthEnabled": true, "siteAuthSettings": { "enabled": null, "httpApiPrefixPath": null, "unauthenticatedClientAction": null, "tokenStoreEnabled": null, "allowedExternalRedirectUrls": null, "defaultProvider": null, "clientId": "REMOVED", "clientSecret": null, "issuer": "https://sts.windows.net/REMOVED/", "allowedAudiences": null, "additionalLoginParams": null, "isAadAutoProvisioned": false, "aadClientId": "REMOVED", "openIdIssuer": "https://sts.windows.net/REMOVED/", "googleClientId": null, "googleClientSecret": null, "googleOAuthScopes": null, "facebookAppId": null, "facebookAppSecret": null, "facebookOAuthScopes": null, "twitterConsumerKey": null, "twitterConsumerSecret": null, "microsoftAccountClientId": null, "microsoftAccountClientSecret": null, "microsoftAccountOAuthScopes": null } } } ]}
Here is a way to do it using straight Powershell commands.
First, you can view the current auth settings using:
$rgName = "ResourceGroupName"$resourceType = "Microsoft.Web/sites/config"$resourceName = "service-name/authsettings"$resource = Invoke-AzureRmResourceAction -ResourceGroupName $rgName `-ResourceType $resourceType -ResourceName $resourcename -Action list `-ApiVersion 2015-08-01 -Force$resource.Properties
Then, you can take the values of those properties and use them to set the PropertyObject (properties shown below relate to AAD authentication, using a service principal):
$PropertiesObject = @{ "enabled" = "True"; "unauthenticatedClientAction" = "0"; "defaultProvider" = "0"; "tokenStoreEnabled" = "True"; "clientId" = "<your client ID here>"; "issuer" = "https://sts.windows.net/<your AAD ID here>/"; "allowedAudiences" = "{https://<service name>.azurewebsites.net}"; "isAadAutoProvisioned" = "True"; "aadClientId" = "<your client ID here>"; "openIdIssuer" = "https://sts.windows.net/<your AAD ID here>/";}New-AzureRmResource -PropertyObject $PropertiesObject `-ResourceGroupName $rgName -ResourceType $resourceType `-ResourceName $resourcename -ApiVersion 2015-08-01 -Force
I found it easier to enable the authentication in the portal, view the properties, then use those values to set the PropertyObject.
Edit 2020/06: I found getting a basic example of this working to be unreasonably arcane. Here is a detailed way to get a WebApp to use Azure AD for authentication
Ref: az ad app create
/ az ad app permission
/ az webapp auth update
Step 1: Define some basic variables
RSGROUP="MyResourceGroup"webappname="MyWebSite"WebAppFDQN=$(az webapp show --name "$webappname" -g "$RSGROUP" --query "defaultHostName" --out tsv);prodURL="https://myapp.customdomainblah.com";AADsuffix="/.auth/login/aad/callback" # AD Online is hardcoded to redirect to this path!!urls="https://${WebAppFDQN}${AADsuffix} ${prodURL}${AADsuffix}";AADappName="$webappname"
Step 2 - Create Azure Active Directory (AAD) App Registration
az ad app create \ --display-name "$AADappName" \ --homepage="https://${WebAppFDQN}" \ --reply-urls $urls \ --oauth2-allow-implicit-flow true
Step 3 - Add AD App Permissions
Microsoft Graph API w/ Read permission appears to be required.
AADappId=$(az ad app list --display-name "$AADappName" --query [].appId -o tsv);MSGraphAPI="00000003-0000-0000-c000-000000000000" #UID of Microsoft GraphPermission="e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope" # ID: Read permission, Type: Scopeaz ad app permission add \ --id "$AADappId" \ --api "$MSGraphAPI" --api-permissions "$Permission"# Appears to be safe to ignore resulting warning: # "Invoking "az ad app permission grant --id $AADappId --api $MSGraphAPI" is needed to make the change effective"
Step 4 - Web: Enable Authentication
Appears idempotent (safe to execute during every deploy)
az webapp auth update \ -g "$RSGROUP" -n "$webappname" --enabled true \ --action LoginWithAzureActiveDirectory \ --aad-client-id "$AADappId"
Previous answer:
This is now merged into Azure CLI and is available under az webapp auth
.
{EDIT: Snipped documentation that was mostly useless - can be seen here: az webapp auth
}