question

0 Votes
EdgarKnapp-9310 asked · NitinMathur-2276 commented

Azure CDN Authentication via AAD

I have a CDN endpoint with a custom domain mapping (a subdomain of my AAD domain). Access is by https only. Currently, anyone can access content on this CDN.

I need to protect the content from unauthorized access to allow only users authenticated in my AAD domain (and later also guest users, again based on their domain of origin).

How do I accomplish that? Certificates, OAuth2? Something else? I searched high and low but did not find anything useful.

azure-active-directory · azure-cdn

@EdgarKnapp-9310 Thank you for reaching out to Microsoft Q&A.

We do not have documentation yet for CDN with AAD but it will be similar to setting-up-application-gateway-with-an-app-service-that-uses-azure-active-directory-authentication. Please let us know if that helps. Thank you!



Thanks for the link. By "We do not have documentation yet" I take it you mean the feature is available but is undocumented. I will try to follow the steps in the linked instructions and see how it goes.

One more question: Is my approach correct in principle to use AAD to secure the CDN such that

  • People inside our Company have unfettered access to the content

  • Customers from outside can be given access to particular content paths in the CDN

Thanks again,

EK


1 Answer

0 Votes
SaiKishor-MSFT answered · NitinMathur-2276 commented

@EdgarKnapp-9310

You can set up CDN with App Service as backend with AAD, and for that the given link can be used as reference architecture, as it uses a similar setup. Regarding access to particular content paths, it is done at the code level. You can enable AAD authorization/authentication on the App Service and, from inside your code, examine the claims of the logged-in principal and determine which group has access to which paths.


However, if you do not have App Service as backend, then you can go with token authentication for CDN as given in the link. Token authentication, when used with the rules engine, should be able to deliver your requirement for particular content paths etc.

"Token authentication verifies that requests are generated by a trusted site by requiring requests to contain a token value that holds encoded information about the requester. Content is served to a requester only if the encoded information meets the requirements; otherwise, requests are denied. You can set up the requirements by using one or more of the following parameters:

Country/Region: Allow or deny requests that originate from the countries/regions specified by their country/region code.
URL: Allow only requests that match the specified asset or path.
Host: Allow or deny requests that use the specified hosts in the request header.
Referrer: Allow or deny request from the specified referrer.
IP address: Allow only requests that originated from a specific IP address or IP subnet.
Protocol: Allow or deny requests based on the protocol used to request the content.
Expiration time: Assign a date and time period to ensure that a link remains valid only for a limited time period."

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.


I had a similar requirement and encountered the Token authentication option on searching online. I have a few questions on that:

  • How do I create and renew the token upon expiry from my application? I want to set the expiry time as low as 5 mins. My application is nodejs based.

  • Can I put the token in request header instead of query parameter?

