Possible to use AAD and Access Restrictions (IP whitelist) as separate methods to reach the same web app?

Filip Hultgren 1 Reputation point
2021-09-02T14:02:39.073+00:00

I have encountered that some team members (in my team) want to login through AAD to reach the web app, and some want their ip-addresses to be whitelisted in order to reach the web app. Is it possible to use both for a web app, where either one of them is a viable option? Either I can reach the web app by adding my ip address in Access Restrictions or I login through AAD.

The only solution I can think of right now is to create two web app duplicates where one requires AAD login and the other requires whitelist.


2 answers

  1. ajkuma 21,501 Reputation points Microsoft Employee
    2021-09-06T20:31:30.49+00:00

    @Filip Hultgren , Firstly, please accept my apologies for the delayed response from over the weekend.

    Based on my understanding, just to clarify – you want clients that arrive from a certain IP range to not require AAD, but then you also want to have a different group of clients who do get forced to authenticate.

    You may try this approach based on your requirement:
    All of the clients would need to be whitelisted in IP access restrictions, otherwise they simply cannot arrive at the site. You can add some customization of the AAD auth. It's not IP access restriction and AAD as separate methods; rather, it's IP restrictions for everyone + AAD for some users, both happening together. You could customize access with AAD based on your needs.

    Kindly check out these docs for more info:

    Set up Azure App Service access restrictions

    Configure your App Service or Azure Functions app to use Azure AD login

    Tutorial: Add authentication to your web app running on Azure App Service


  2. ajkuma 21,501 Reputation points Microsoft Employee
    2021-09-20T10:38:55.223+00:00

    To benefit the community with a similar scenario, posting an updated answer from our comments/offline discussions.

    At this time, it is not viable with the separate methods. Network restrictions basically block every IP that's not included. On the IP Access Restrictions, it is either Allowed or not Allowed. So, the users who could get to the site with AAD would also need to be coming from an IP address range that is allowed.

    Based on your scenario, you may have to make some custom code for authentication. Just highlighting a few pointers:

    - As you pointed out, you could have two separate apps in the same App Service Plan (ASP); since you pay only for the ASP, you could have those as individual apps.

    - You can continue to add apps to an existing plan as long as the plan has enough resources to handle the load. The apps in the same App Service plan all share the same compute resource.

    See, if plausible, you could try something like a guest account for those 5%.

    As a side note, you can integrate the WebApp with multiple login providers. Other than Azure AD: Facebook, Google, Twitter. App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you.

    App Service - overview of authentication and authorization
    https://learn.microsoft.com/azure/app-service/overview-authentication-authorization#considerations-for-using-built-in-authentication

    Customize sign-in and sign-out in Azure App Service authentication | Authorize or deny users
    https://learn.microsoft.com/azure/app-service/configure-authentication-customize-sign-in-out#authorize-or-deny-users

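A request-level gate of the kind the answer above calls "custom code", added here as an illustration and not code from the thread or from Microsoft. It assumes App Service authentication is enabled in "allow unauthenticated requests" mode (so the platform injects the X-MS-CLIENT-PRINCIPAL-* headers only after an AAD sign-in), and the allowlist ranges, the sample headers and the position of the platform's X-Forwarded-For entry are assumptions, not platform facts.

```python
import ipaddress
from urllib.parse import quote

# Constructed allowlist for the example; real ranges would come from app config.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

def _strip_port(addr):
    """App Service writes X-Forwarded-For entries as 'ip:port'; drop the port."""
    if addr.startswith("["):            # [ipv6]:port
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:            # ipv4:port
        return addr.split(":", 1)[0]
    return addr                         # bare ipv4 or ipv6

def client_ip(headers):
    """Client address from X-Forwarded-For, or None if absent/unparseable.
    Assumption: the entry added by the App Service front end is the last one;
    confirm that against the platform's proxy behaviour before relying on it."""
    xff = headers.get("X-Forwarded-For", "")
    if not xff:
        return None
    try:
        return ipaddress.ip_address(_strip_port(xff.split(",")[-1].strip()))
    except ValueError:
        return None

def decide(headers, path="/"):
    """Return ('allow', reason) or ('redirect', login_url) for one request.
    Allowlisted IPs never see a login page; everyone else must carry the
    principal headers that App Service auth injects after an AAD sign-in.
    They are trustworthy only because the platform strips client-supplied
    copies while the auth feature is enabled; in 'allow unauthenticated'
    mode they are simply absent for anonymous requests."""
    ip = client_ip(headers)
    if ip is not None and any(ip in net for net in TRUSTED_RANGES):
        return ("allow", "ip-allowlist")
    if headers.get("X-MS-CLIENT-PRINCIPAL-ID"):
        return ("allow", "aad:" + headers.get("X-MS-CLIENT-PRINCIPAL-NAME", "unknown"))
    # Unauthenticated and off-list: send to the built-in AAD login endpoint.
    return ("redirect", "/.auth/login/aad?post_login_redirect_uri=" + quote(path, safe=""))

# Constructed sample requests (headers only, not real traffic).
SAMPLES = {
    "office": {"X-Forwarded-For": "203.0.113.42:51234"},
    "remote_aad": {"X-Forwarded-For": "192.0.2.9:4001",
                   "X-MS-CLIENT-PRINCIPAL-ID": "00000000-0000-0000-0000-000000000001",
                   "X-MS-CLIENT-PRINCIPAL-NAME": "user@example.com"},
    "remote_anon": {"X-Forwarded-For": "192.0.2.9:4001"},
}
```

In this design the platform-level access restriction is left off (it would block the AAD users before the app ever runs), so the application becomes the enforcement point and X-Forwarded-For must only be trusted when the app is reachable solely through the App Service front end.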