This post was originally published here

Hi All,

This post walks through the steps to set up the Azure Active Directory (AAD) App Registrations used to secure App Services and API Management (APIM) with OAuth 2.0.

  1. App Registration in AAD for securing App Services (Web Apps and Function Apps) using OAuth 2.0

This App Registration represents the App Services as a protected resource. Consumers (client applications registered in AAD) request tokens for it in order to call the respective Web APIs and Functions.

  1. Sign in to the Azure Portal.
  2. Select App registrations.
  3. Select New registration.
  4. Name the application “nonprod-<team>-appsvc-appreg”, where <team> is the owning team or organisational domain.
  5. Click Register.

(Screenshot: Create App Registration)

6. In the newly created App Registration, select “Manifest”.

(Screenshot: Select Manifest)

7. Add the following delegated permission (scope) by editing the “oauth2Permissions” element of the manifest JSON. The id must be a well-formed GUID (8-4-4-4-12 hexadecimal groups) that is unique within this App Registration; the portal rejects anything else, and the value shown in the snippet below is not a valid GUID (it contains a non-hexadecimal character), so generate your own, for example with New-Guid in PowerShell or uuidgen. In the current portal manifest format this element is named api.oauth2PermissionScopes, and the same scope can be added from “Expose an API” > “Add a scope” without editing the manifest.

"oauth2Permissions": [
  {
    "adminConsentDescription": "Allows another AAD registered application to access the App services",
    "adminConsentDisplayName": "Access App Services",
    "id": "8jca6c61-0762-7b99-a1e1-e4bdf7e6e165",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "type": "User",
    "userConsentDescription": "Allows another AAD registered application to access the App services",
    "userConsentDisplayName": "Access App Services",
    "value": "user_impersonation"
  }
]

8. Save the manifest. This creates the user_impersonation scope on the App Registration.

9. Repeat the same steps for Staging and Production, using the names in the table below.

  | Environment    | App Service App Registration Name | oauth2Permissions                                   |
  | Non-Production | nonprod-<team>-appsvc-appreg      | Use the above snippet as is.                        |
  | Staging        | stage-<team>-appsvc-appreg        | Use the above snippet as is, replacing the id.      |
  | Production     | prod-<team>-appsvc-appreg         | Use the above snippet as is.                        |

Every id must be a well-formed GUID that is unique within its own App Registration.

Note: the Client ID of this App Registration is the one to use when consuming any of the Web Apps and Function Apps in HIP.

10. Add user accounts as “App Owner” on this App Registration. Owners can edit the manifest and add client secrets and certificates, so keep this set small and limited to the team that operates the service.

  2. App Registration in AAD for API Management (APIM) to secure APIs using OAuth 2.0

This App Registration represents the APIs published through APIM. It defines the application roles (appRoles) that consumer applications must be assigned, and must present in their access tokens, in order to call the APIs.

  1. Select App registrations.
  2. Select New registration.
  3. Name the application “nonprod-<companyname>-apim-appreg”.
  4. Click Register.
  5. Select “Expose an API” and set the “Application ID URI” (the resource identifier that clients request tokens for).

(Screenshot: Expose an API)

6. Select Manifest.

(Screenshot: Select Manifest)

7. Add the following application roles by editing the “appRoles” element of the manifest JSON, as shown below. As with the scope in section 1, each id must be a well-formed GUID that is unique within this App Registration (the first id shown below is not one and must be replaced). An allowedMemberTypes of “Application” means the role can only be assigned to service principals, i.e. client applications using the client credentials flow, not to users or groups.

"appRoles": [
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Allow client apps to perform read and write operations on <name>.v1 API.",
    "displayName": "<name>.v1.ReadAndWrite",
    "id": "da9a6ab2-bc67-4213-102c-07d5749ea2s3",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "<name>.v1.ReadAndWrite"
  },
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Allow client apps to perform read operation on <name>.v1 API.",
    "displayName": "<name>.v1.Read",
    "id": "8ceee182-dcd0-48b3-af69-1a7924dc9d15",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "<name>.v1.Read"
  }
]

8. Repeat the same steps for Staging and Production, using the names in the table below. The same two roles are defined in every environment.

  | Environment    | APIM App Registration Name         | APIM – API Roles                            |
  | Non-Production | nonprod-<companyname>-apim-appreg  | <name>.v1.ReadAndWrite, <name>.v1.Read      |
  | Staging        | stage-<companyname>-apim-appreg    | <name>.v1.ReadAndWrite, <name>.v1.Read      |
  | Production     | prod-<companyname>-apim-appreg     | <name>.v1.ReadAndWrite, <name>.v1.Read      |
9. Add user accounts as “App Owner” on this App Registration, again keeping the set of owners small.
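The manifest fragments from sections 1 and 2 have to be produced once per environment, and the only thing that changes between them is the registration name and the ids. The script below is an added example, not code from the original post: it generates the six fragments from the post's own scope and role definitions, minting a fresh GUID for every id and refusing to emit an id that is not a well-formed GUID or that repeats within a registration (which is exactly what the portal refuses). The team, company and API names used at the bottom are made up for the demonstration.

```python
"""Generate the manifest fragments from sections 1 and 2 for all three environments.

Added example, not code from the original post. It reuses the post's naming
pattern (<env>-<team>-appsvc-appreg, <env>-<companyname>-apim-appreg) and the
scope/role definitions above; the team, company and API names passed in at the
bottom are made up for the demonstration. Azure AD requires every scope and
app-role id to be a well-formed GUID that is unique within the registration,
so ids are generated here rather than copied.
"""
import json
import re
import uuid

ENVIRONMENTS = ("nonprod", "stage", "prod")

# 8-4-4-4-12 hexadecimal groups; anything else is rejected by the portal.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def is_valid_guid(value):
    return bool(GUID_RE.match(value))


def appsvc_scope(scope_id=None):
    """The user_impersonation delegated scope (oauth2Permissions entry) from section 1."""
    return {
        "adminConsentDescription": "Allows another AAD registered application to access the App services",
        "adminConsentDisplayName": "Access App Services",
        "id": scope_id or str(uuid.uuid4()),
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "type": "User",
        "userConsentDescription": "Allows another AAD registered application to access the App services",
        "userConsentDisplayName": "Access App Services",
        "value": "user_impersonation",
    }


def apim_app_role(api_name, suffix, description, role_id=None):
    """One appRoles entry from section 2. allowedMemberTypes ["Application"] means the
    role can only be assigned to service principals, i.e. client-credential callers."""
    return {
        "allowedMemberTypes": ["Application"],
        "description": description,
        "displayName": f"{api_name}.v1.{suffix}",
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": f"{api_name}.v1.{suffix}",
    }


def validate_entries(entries):
    """Reject malformed or duplicate ids before the fragment is pasted into the portal."""
    seen = set()
    for entry in entries:
        if not is_valid_guid(entry["id"]):
            raise ValueError(f"{entry['value']}: id {entry['id']!r} is not a GUID")
        if entry["id"] in seen:
            raise ValueError(f"{entry['value']}: duplicate id {entry['id']}")
        seen.add(entry["id"])
    return True


def build_manifests(team, company, api_name):
    """Map each registration display name to its manifest fragment, per environment."""
    manifests = {}
    for env in ENVIRONMENTS:
        scope = appsvc_scope()
        validate_entries([scope])
        manifests[f"{env}-{team}-appsvc-appreg"] = {"oauth2Permissions": [scope]}

        roles = [
            apim_app_role(api_name, "ReadAndWrite",
                          f"Allow client apps to perform read and write operations on {api_name}.v1 API."),
            apim_app_role(api_name, "Read",
                          f"Allow client apps to perform read operation on {api_name}.v1 API."),
        ]
        validate_entries(roles)
        manifests[f"{env}-{company}-apim-appreg"] = {"appRoles": roles}
    return manifests


if __name__ == "__main__":
    # Made-up team/company/API names; each run mints fresh GUIDs.
    print(json.dumps(build_manifests("payments", "contoso", "orders"), indent=2))
```

Paste each fragment into the corresponding registration's manifest (or feed it to your deployment tooling); because the ids are generated per registration, the "replace the id" step from the tables above is taken care of automatically.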
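Defining the scope and the roles only matters if the API behind APIM or App Service actually checks for them in the token. The following is an added example, not code from the original post, of that authorisation decision. It assumes the token's signature, issuer and expiry have already been verified (App Service authentication or an APIM validate-jwt policy does that) and shows only the claim-based decision: the user_impersonation scope from section 1 arrives in the space-separated scp claim of a delegated (user) token, while the <name>.v1.* roles from section 2 arrive in the roles array of an application (client credentials) token. The audience value, the API name, the method-to-role policy and the sample claim sets are all constructed for the demonstration.

```python
"""Authorisation decision an API behind APIM or App Service makes on the decoded token.

Added example, not code from the original post. It assumes the token's signature,
issuer and expiry have already been verified upstream; only the claim-based
decision is shown. Claim names are Azure AD's: the user_impersonation scope from
section 1 arrives in the space-separated "scp" claim of a delegated (user) token,
the <name>.v1.* roles from section 2 in the "roles" array of an application
(client-credentials) token. The audience value, API name, policy and the sample
claim sets below are constructed for the demonstration.
"""

AUDIENCE = "api://orders"   # assumed Application ID URI set under "Expose an API"
API = "orders"              # stands in for the <name> placeholder in the post
ROLE_READ = f"{API}.v1.Read"
ROLE_RW = f"{API}.v1.ReadAndWrite"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def roles_in(claims):
    return set(claims.get("roles", []))


def scopes_in(claims):
    return set(claims.get("scp", "").split())


def authorize(claims, method):
    """Return True only when the token was issued for this API and carries a claim
    that covers `method`. Policy (this example's design, not the post's):
    ReadAndWrite covers every method, Read covers safe methods only, and a
    delegated token with user_impersonation is accepted for safe methods, leaving
    per-user authorisation to the API itself."""
    method = method.upper()
    if claims.get("aud") != AUDIENCE:
        return False                      # token minted for another resource
    roles = roles_in(claims)
    if ROLE_RW in roles:
        return True
    if ROLE_READ in roles and method in SAFE_METHODS:
        return True
    if "user_impersonation" in scopes_in(claims) and method in SAFE_METHODS:
        return True
    # An app-only token with no roles claim still has aud == this API: Azure AD
    # issues one to any client in the tenant that asks unless role assignment is
    # required on the service principal, so "no role" must mean deny, never allow.
    return False


# Constructed claim sets, trimmed to the fields the decision uses.
APP_READ_TOKEN = {"aud": AUDIENCE, "appid": "client-1111", "roles": [ROLE_READ]}
APP_RW_TOKEN = {"aud": AUDIENCE, "appid": "client-2222", "roles": [ROLE_RW]}
APP_NO_ROLE_TOKEN = {"aud": AUDIENCE, "appid": "client-3333"}
USER_TOKEN = {"aud": AUDIENCE, "appid": "client-4444", "scp": "user_impersonation", "oid": "user-oid"}
WRONG_AUD_TOKEN = {"aud": "api://other", "appid": "client-2222", "roles": [ROLE_RW]}


def run_demo():
    """Exercise the decision against each constructed token."""
    return {
        "read role GET": authorize(APP_READ_TOKEN, "GET"),       # True
        "read role POST": authorize(APP_READ_TOKEN, "POST"),     # False
        "rw role DELETE": authorize(APP_RW_TOKEN, "DELETE"),     # True
        "no role GET": authorize(APP_NO_ROLE_TOKEN, "GET"),      # False
        "user token GET": authorize(USER_TOKEN, "GET"),          # True
        "user token PUT": authorize(USER_TOKEN, "PUT"),          # False
        "wrong audience": authorize(WRONG_AUD_TOKEN, "GET"),     # False
    }


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The "no role" case is the one to get right: a client that has never been assigned one of the APIM roles can still obtain a token whose audience is your API, so the check must look for the specific role value, not merely for a valid token. Assigning the roles to consumer service principals is done on the APIM registration's enterprise application (Users and groups / app role assignments), which this post does not cover.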