This post was originally published here
Hi All,
This post walks through the steps to set up App Registrations in Azure Active Directory (AAD) for securing App Services and API Management (APIM) with OAuth 2.0.
1) App Registration in AAD for securing App Services (Web Apps and Function Apps) using OAuth 2.0 with Azure Active Directory
This App Registration represents the App Services as a protected resource. Consumers (client applications registered in AAD) request a token for it in order to access the respective Web APIs and Functions.
1. Sign in to the Azure Portal.
2. Select App registrations.
3. Select New registration.
4. Name the application "nonprod-<team>-appsvc-appreg", where <team> is your organisational domain or team name.
5. Click Register.
6. In the newly created App Registration, select "Manifest".
7. Define the delegated permission by editing the "oauth2Permissions" element of the JSON manifest as shown below. (In the newer Microsoft Graph manifest format shown by the portal this element is "api.oauth2PermissionScopes"; the same entry can also be created via "Expose an API" > "Add a scope".) The "id" must be a valid GUID that is unique within the manifest; the value shown here is a placeholder and not valid hex, so generate a fresh GUID for your registration.
```json
"oauth2Permissions": [
  {
    "adminConsentDescription": "Allows another AAD registered application to access the App services",
    "adminConsentDisplayName": "Access App Services",
    "id": "8jca6c61-0762-7b99-a1e1-e4bdf7e6e165",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "type": "User",
    "userConsentDescription": "Allows another AAD registered application to access the App services",
    "userConsentDisplayName": "Access App Services",
    "value": "user_impersonation"
  }
],
```
8. Save the App Registration. This creates a delegated scope named "user_impersonation" on the registration, which consumers request when acquiring a token for the App Services.
9. Repeat the same steps for Staging and Production using the names in the table below.

| | Non-Production | Staging | Production |
|---|---|---|---|
| App Service App Registration Name | nonprod-<team>-appsvc-appreg | stage-<team>-appsvc-appreg | prod-<team>-appsvc-appreg |
| oauth2Permissions | Use the snippet above as it is, with the id as given above. | Use the snippet above as it is, replacing the id with a newly generated GUID. | Use the snippet above as it is, replacing the id with a newly generated GUID. |

Note: the Client ID of this App Registration is the one consumers use when calling any of the Web Apps and Function Apps in HIP.
10. Add the responsible user accounts as Owners of this App Registration.
2) App Registration in AAD for API Management (APIM) to secure APIs using OAuth 2.0 with Azure Active Directory
This App Registration represents the APIs fronted by APIM and defines the app roles (application permissions) that consumer applications must be granted in order to call them.
1. Select App registrations.
2. Select New registration.
3. Name the application "nonprod-<companyname>-apim-appreg".
4. Click Register.
5. Select "Expose an API" and set the "Application ID URI" (the portal default is api://<client id>). This URI is the audience ("aud" claim) of the tokens issued for the APIs, and APIM must validate it.
6. Select Manifest.
7. Define the application permissions by editing the "appRoles" element of the JSON manifest as shown below. These are app roles with "allowedMemberTypes": ["Application"], i.e. they are granted to client applications (client credentials flow) rather than to users, and they appear in the token as the "roles" claim. Each "id" must be a valid GUID unique within the manifest; the ids shown are placeholders (the first is not valid hex), so generate fresh values.
```json
"appRoles": [
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Allow client apps to perform read and write operations on <name>.v1 API.",
    "displayName": "<name>.v1.ReadAndWrite",
    "id": "da9a6ab2-bc67-4213-102c-07d5749ea2s3",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "<name>.v1.ReadAndWrite"
  },
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Allow client apps to perform read operation on <name>.v1 API.",
    "displayName": "<name>.v1.Read",
    "id": "8ceee182-dcd0-48b3-af69-1a7924dc9d15",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "<name>.v1.Read"
  }
],
```
8. Repeat the same steps for Staging and Production using the names in the table below.

| | Non-Production | Staging | Production |
|---|---|---|---|
| APIM App Registration Name | nonprod-<companyname>-apim-appreg | stage-<companyname>-apim-appreg | prod-<companyname>-apim-appreg |
| APIM API roles | <name>.v1.ReadAndWrite, <name>.v1.Read | <name>.v1.ReadAndWrite, <name>.v1.Read | <name>.v1.ReadAndWrite, <name>.v1.Read |
9. Add the responsible user accounts as Owners of this App Registration.
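The two manifest fragments above are only half of the story: the registrations are worthless unless the App Service or the APIM policy actually checks that an incoming token was issued for the right audience and carries the right scope or role. The following is an added example (not code from the original post) covering both sections: it builds the `oauth2Permissions` scope entry and the `appRoles` entries with freshly generated GUIDs, flags manifest entries the portal would reject (such as the non-hex placeholder ids in the snippets above), and shows the claim check a protected API makes on an already signature-verified token. `PAYMENTS` as the `<name>` and `api://prod-contoso-apim-appreg` as the Application ID URI are assumed placeholders; the sample token claims are constructed, not captured.

```python
"""Added example: build and sanity-check the AAD manifest fragments from the
post, then apply the audience/scope/role checks a protected API must make.
PAYMENTS and api://prod-contoso-apim-appreg are assumed placeholder names."""
import json
import re
import uuid

# A scope/role id must be a GUID; the portal rejects anything else.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def user_impersonation_scope(scope_id=None):
    """Delegated scope for the App Services registration (section 1).
    Mirrors the post's oauth2Permissions entry with a real GUID as id."""
    return {
        "adminConsentDescription": "Allows another AAD registered application to access the App services",
        "adminConsentDisplayName": "Access App Services",
        "id": scope_id or str(uuid.uuid4()),
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "type": "User",
        "userConsentDescription": "Allows another AAD registered application to access the App services",
        "userConsentDisplayName": "Access App Services",
        "value": "user_impersonation",
    }


def app_role(name, suffix, description, role_id=None):
    """Application-only app role for the APIM registration (section 2).
    allowedMemberTypes=["Application"] means it is assigned to client apps,
    not users, and is surfaced in the token as the 'roles' claim."""
    value = f"{name}.v1.{suffix}"
    return {
        "allowedMemberTypes": ["Application"],
        "description": description,
        "displayName": value,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": value,
    }


def manifest_problems(entries):
    """Reasons the portal would reject a list of scope or role entries:
    non-GUID ids, duplicate ids, duplicate values."""
    problems, seen_ids, seen_values = [], set(), set()
    for e in entries:
        if not GUID_RE.match(e["id"]):
            problems.append(f"{e['value']}: id {e['id']!r} is not a GUID")
        if e["id"] in seen_ids:
            problems.append(f"{e['value']}: duplicate id {e['id']}")
        if e["value"] in seen_values:
            problems.append(f"{e['value']}: duplicate value")
        seen_ids.add(e["id"])
        seen_values.add(e["value"])
    return problems


def authorize(claims, audience, required_scope=None, required_role=None):
    """Authorization decision on the claims of a token whose signature and
    expiry have already been verified. 'aud' must be this registration's
    client id or Application ID URI. Delegated (user) tokens carry 'scp'
    as a space-separated string; client-credentials tokens carry 'roles'
    as a list. A role never satisfies a scope requirement or vice versa."""
    if claims.get("aud") != audience:
        return False
    if required_scope is not None:
        return required_scope in claims.get("scp", "").split()
    if required_role is not None:
        return required_role in claims.get("roles", [])
    return False


if __name__ == "__main__":
    roles = [
        app_role("PAYMENTS", "ReadAndWrite", "Allow client apps to perform read and write operations on PAYMENTS.v1 API."),
        app_role("PAYMENTS", "Read", "Allow client apps to perform read operation on PAYMENTS.v1 API."),
    ]
    print(json.dumps({"appRoles": roles}, indent=2))
    print("problems:", manifest_problems(roles))
    # Constructed claims of a client-credentials token for the APIM registration.
    token = {"aud": "api://prod-contoso-apim-appreg", "roles": ["PAYMENTS.v1.Read"]}
    print("GET allowed:", authorize(token, "api://prod-contoso-apim-appreg", required_role="PAYMENTS.v1.Read"))
    print("POST allowed:", authorize(token, "api://prod-contoso-apim-appreg", required_role="PAYMENTS.v1.ReadAndWrite"))
```

In APIM the equivalent of `authorize` is a `validate-jwt` policy with a required audience and a `required-claims` check on `roles`; in a Function or Web App it is the check performed after token validation in the authentication middleware. The point the post leaves implicit is that the audience must be checked per registration: a token minted for the App Services registration (`scp: user_impersonation`) must not be accepted by APIM just because it was issued by the same tenant.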