
I’m automating creation of Web Apps for our organization via Azure DevOps and ARM Templates. One thing that is not documented is adding Identity Providers to the Web Apps.

There is a document explaining how to do that manually via Portal, but there are no examples available for ARM Templates or even Azure PowerShell.

The Identity Providers that we are using are utilizing Microsoft Entra ID and OpenID.


Answers


  1. Identity providers need to be configured via Microsoft.Web/sites/config + authsettingsV2, docs

    I found a sample for you. Links

    ...
      resource authSettings 'config' = {
        name: 'authsettingsV2'
        properties: {
          globalValidation: {
            requireAuthentication: true
            redirectToProvider: 'azureActiveDirectory'
            unauthenticatedClientAction: 'RedirectToLoginPage'
          }
          login: {
            tokenStore: {
              enabled: true
            }
          }
          identityProviders: {
            azureActiveDirectory: {
              enabled: true
              registration: {
                openIdIssuer: '${environment().authentication.loginEndpoint}/${tenantId}/v2.0'
                clientId: clientId
                clientSecretSettingName: 'AzureAdClientSecret'
              }
              validation: {
                jwtClaimChecks: {
                  allowedGroups: [
                    authorizedGroupId
                  ]
                }
    ...
    

    Or you can search GitHub with org:azure Microsoft.Web/sites authsettingsV2 language:Bicep

  2. To add any identity provider for Azure App Service authentication, you need to use Microsoft.Web/sites/config authsettings as shown below.

    Reference MS Doc: App service ARM template

    /authsettings:

    {
        "type": "Microsoft.Web/sites/config",
        "apiVersion": "2022-09-01",
        "name": "[concat(parameters('webAppName'), '/', 'authsettingsV2')]",
        "properties": {
            "globalValidation": {
                "redirectToProvider": "azureactivedirectory",
                "requireAuthentication": true,
                "unauthenticatedClientAction": "RedirectToLoginPage"
            },
            "identityProviders": {
                "azureActiveDirectory": {
                    "enabled": true,
                    "isAutoProvisioned": true,
                    "registration": {
                        "clientId": "[parameters('webAppClientId')]",
                        // Name of the app setting that holds the client secret, never the secret itself;
                        // define that setting (e.g. in siteConfig.appSettings from a secureString parameter).
                        "clientSecretSettingName": "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET",
                        "openIdIssuer": "[concat('https://sts.windows.net/', tenant().tenantId, '/v2.0')]"
                    },
                    "validation": {
                        "allowedAudiences": [
                            "[concat('api://', parameters('webAppClientId'))]"
                        ]
                    }
                }
            },
            "login": {
                "allowedExternalRedirectUrls": [],
                "tokenStore": {
                    "enabled": true
                }
            }
        },
        "dependsOn": [
            "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]"
        ]
    }
    

    Complete code:

    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
          "webAppName": {
            "type": "string",
            "defaultValue": "[format('webApp-{0}', uniqueString(resourceGroup().id))]",
            "minLength": 2,
            "metadata": {
              "description": "Web app name."
            }
          },
          "webAppClientId": {
            "type": "string",
            "defaultValue": "d17229de-da21-40a9-bf67-9d8a71eadcab"
          },
          "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
              "description": "Location for all resources."
            }
          },
          "sku": {
            "type": "string",
            "defaultValue": "F1",
            "metadata": {
              "description": "The SKU of App Service Plan."
            }
          },
          "linuxFxVersion": {
            "type": "string",
            "defaultValue": "DOTNETCORE|3.0",
            "metadata": {
              "description": "The Runtime stack of current web app"
            }
          }
        },
        "variables": {
          "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]"
        },
        "resources": [
          {
            "type": "Microsoft.Web/serverfarms",
            "apiVersion": "2021-02-01",
            "name": "[variables('appServicePlanPortalName')]",
            "location": "[parameters('location')]",
            "sku": {
              "name": "[parameters('sku')]"
            },
            "kind": "linux",
            "properties": {
              "reserved": true
            }
          },
          {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2021-02-01",
            "name": "[parameters('webAppName')]",
            "location": "[parameters('location')]",
            "properties": {
              "httpsOnly": true,
              "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]",
              "siteConfig": {
                "linuxFxVersion": "[parameters('linuxFxVersion')]",
                "minTlsVersion": "1.2",
                "ftpsState": "FtpsOnly"
              }
            },
            "identity": {
              "type": "SystemAssigned"
            },
            "dependsOn": [
              "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]"
            ]
          },
          {
            "type": "Microsoft.Web/sites/config",
            "apiVersion": "2022-09-01",
            "name": "[concat(parameters('webAppName'), '/', 'authsettingsV2')]",
            "properties": {
              "globalValidation": {
                "redirectToProvider": "azureactivedirectory",
                "requireAuthentication": true,
                "unauthenticatedClientAction": "RedirectToLoginPage"
              },
              "identityProviders": {
                "azureActiveDirectory": {
                  "enabled": true,
                  "isAutoProvisioned": true,
                  "registration": {
                    "clientId": "[parameters('webAppClientId')]",
                    // Name of the app setting that holds the client secret, never the secret itself;
                    // define that setting in siteConfig.appSettings from a secureString parameter.
                    "clientSecretSettingName": "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET",
                    "openIdIssuer": "[concat('https://sts.windows.net/', tenant().tenantId, '/v2.0')]"
                  },
                  "validation": {
                    "allowedAudiences": [
                      "[concat('api://', parameters('webAppClientId'))]"
                    ]
                  }
                }
              },
              "login": {
                "allowedExternalRedirectUrls": [],
                "tokenStore": {
                  "enabled": true
                }
              }
            },
            "dependsOn": [
              "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]"
            ]
          }
        ]
      }
    

    Note: You can add any identity provider in the above format according to the requirement.

    Output: [screenshots of the resulting authentication settings]

    Also, you can refer to this SO post for a similar configuration.

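An added pre-deployment check (my own code, not from either answer or from Microsoft) that a pipeline can run over the parsed template before `authsettingsV2` is deployed: it flags a `clientSecretSettingName` that carries a secret value instead of the name of an app setting, flags a named setting the template never defines, and builds the corrected form, where the secret arrives through an assumed secureString parameter `aadClientSecret` and lands in the app setting `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET` (the name App Service itself uses). The embedded sample template is constructed with placeholder values.

```python
import json
import re

SETTING_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")  # app-setting key shape; a pasted secret ('~', spaces) fails it


def defined_app_settings(template):
    """Keys declared in siteConfig.appSettings or in a Microsoft.Web/sites/config 'appsettings' resource."""
    keys = set()
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if res.get("type") == "Microsoft.Web/sites":
            keys.update(s["name"] for s in props.get("siteConfig", {}).get("appSettings", []))
        elif res.get("type") == "Microsoft.Web/sites/config" and "appsettings" in res.get("name", ""):
            keys.update(props)
    return keys


def check_auth_settings(template):
    """Findings for every authsettingsV2 resource in the template; an empty list means it passes."""
    findings, defined = [], defined_app_settings(template)
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Web/sites/config" or "authsettingsV2" not in res.get("name", ""):
            continue
        for name, provider in res.get("properties", {}).get("identityProviders", {}).items():
            ref = provider.get("registration", {}).get("clientSecretSettingName", "")
            if not SETTING_KEY.match(ref):
                findings.append(f"{name}: clientSecretSettingName holds a literal secret, not a setting name")
            elif ref not in defined:
                findings.append(f"{name}: app setting '{ref}' is never defined in the template")
    return findings


def reference_secret_by_setting(template, key="MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"):
    """Corrected copy: keep the secret in an app setting fed by a secure parameter and point at it by name."""
    fixed = json.loads(json.dumps(template))  # deep copy; the caller's template is left untouched
    for res in fixed["resources"]:
        if res["type"] == "Microsoft.Web/sites":
            res["properties"].setdefault("siteConfig", {}).setdefault("appSettings", []).append(
                {"name": key, "value": "[parameters('aadClientSecret')]"})  # assumed secureString parameter
        elif "authsettingsV2" in res.get("name", ""):
            for provider in res["properties"]["identityProviders"].values():
                provider["registration"]["clientSecretSettingName"] = key
    return fixed


# Constructed sample with placeholder values that repeats the secret-as-setting-name mistake.
SAMPLE = json.loads("""{"resources": [
  {"type": "Microsoft.Web/sites", "name": "[parameters('webAppName')]", "properties": {"httpsOnly": true}},
  {"type": "Microsoft.Web/sites/config", "name": "[concat(parameters('webAppName'), '/', 'authsettingsV2')]",
   "properties": {"identityProviders": {"azureActiveDirectory": {"enabled": true, "registration": {
     "clientId": "[parameters('webAppClientId')]", "clientSecretSettingName": "Hd08Q~placeholder-value"}}}}}]}""")
```

Run `check_auth_settings` against the template your pipeline is about to deploy and fail the stage on any finding; `reference_secret_by_setting` shows the shape the template should have, with the secret supplied at deployment time rather than committed in the file.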