question

FilipHultgren-8468 asked; ajkuma-MSFT edited

Possible to use AAD and Access Restrictions (IP whitelist) as separate methods to reach the same web app?

I have encountered that some team members (in my team) want to log in through AAD to reach the web app, and some want their IP addresses to be whitelisted in order to reach the web app. Is it possible to use both for a web app, where either one of them is a viable option? Either I can reach the web app by adding my IP address in Access Restrictions or I log in through AAD.

The only solution I can think of right now is to create two web app duplicates where one requires AAD login and the other requires whitelist.

Tag: azure-webapps

ajkuma-MSFT answered

@FilipHultgren-8468, Firstly, please accept my apologies for the delayed response from over the weekend.

Based on my understanding, just to clarify: you want clients that arrive from a certain IP range to not require AAD, but you also want a different group of clients who do get forced to authenticate.

You may try this approach based on your requirement:
All of the clients would need to be whitelisted in IP access restrictions, otherwise they simply cannot arrive at the site. You can add some customization of the AAD auth. It's not IP access restriction and AAD as separate methods; rather, it's IP restrictions for everyone + AAD for some of the users, both happening together. You could customize access with AAD based on your needs.

Kindly check out these docs for more info:

Set up Azure App Service access restrictions

Configure your App Service or Azure Functions app to use Azure AD login

Tutorial: Add authentication to your web app running on Azure App Service


ajkuma-MSFT answered; ajkuma-MSFT edited

To benefit the community with a similar scenario, posting an updated answer from our comments/offline discussions.

At this time, it is not viable with the separate methods. Network restrictions basically block every IP that's not included. On the IP Access Restrictions it is an Allowed or Not Allowed. So, the users who could get to the site with AAD would also need to be coming from an IP address range that is allowed.

Based on your scenario, you may have to make some custom code for authentication. Just to highlight a few pointers:

- As you pointed out, you could have two separate apps in the same App Service Plan (ASP). Since you pay only for the ASP, you could have those as individual apps.
- You can continue to add apps to an existing plan as long as the plan has enough resources to handle the load. The apps in the same App Service plan all share the same compute resource.

See, if plausible, you could try something like a guest account for those 5%.

As a side note, you can integrate the Web App with multiple login providers. Other than Azure AD: Facebook, Google, Twitter. App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you.

App Service -overview of authentication and authorization
https://docs.microsoft.com/azure/app-service/overview-authentication-authorization#considerations-for-using-built-in-authentication

Customize sign-in and sign-out in Azure App Service authentication | Authorize or deny users
https://docs.microsoft.com/azure/app-service/configure-authentication-customize-sign-in-out#authorize-or-deny-users

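Both answers land on the same point: the platform's Access Restrictions are all-or-nothing, so the "either an allowlisted IP or an AAD sign-in" policy has to live in the application itself, with App Service built-in authentication set to allow unauthenticated requests through so the app gets to decide. The following is an added, self-contained Python example of that decision logic; it is not code from the question, the answers, or Microsoft. It assumes the app runs behind the App Service front end, which populates `X-Forwarded-For` (IPv4 entries carry a `:port` suffix) and injects `X-MS-CLIENT-PRINCIPAL-NAME` only after a successful sign-in; the allowlist ranges and request headers below are constructed sample values.

```python
"""Either/or access policy in application code: requests from an IP allowlist
pass without sign-in, everyone else must carry an Azure AD principal that
App Service built-in authentication (Easy Auth) attached to the request.

Assumptions (this is an illustrative example, not platform code):
  * The app is only reachable through the App Service front end, which
    appends the real client address to X-Forwarded-For and owns the
    X-MS-CLIENT-PRINCIPAL-* headers, so neither can be set by the client.
  * Built-in authentication is configured to allow unauthenticated requests,
    otherwise the platform would reject them before this code runs.
"""
import ipaddress
from typing import Mapping, Optional, Sequence

# Constructed allowlist for the example (documentation ranges, not real offices).
OFFICE_ALLOWLIST = ("203.0.113.0/24", "198.51.100.7/32")

# Header the platform populates with the signed-in user's name after Easy Auth.
PRINCIPAL_HEADER = "x-ms-client-principal-name"


def client_ip(headers: Mapping[str, str], remote_addr: str) -> Optional[str]:
    """Return the client address as a canonical string, or None if unparseable.

    The last X-Forwarded-For entry is the one appended by the trusted front end
    nearest to the app; taking the first entry would let a caller influence the
    result by sending its own X-Forwarded-For header.
    """
    xff = headers.get("x-forwarded-for", "")
    candidate = xff.split(",")[-1].strip() if xff else remote_addr
    # App Service writes IPv4 entries as "addr:port"; IPv6 literals have many colons.
    if candidate.count(":") == 1 and "." in candidate:
        candidate = candidate.rsplit(":", 1)[0]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def decide(headers: Mapping[str, str], remote_addr: str,
           allowlist: Sequence[str] = OFFICE_ALLOWLIST) -> str:
    """Classify a request as 'allow:ip', 'allow:aad' or 'deny'."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ip = client_ip(lower, remote_addr)
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(net) for net in allowlist):
            return "allow:ip"
    # Not on the allowlist: fall back to the AAD principal Easy Auth attached.
    if lower.get(PRINCIPAL_HEADER):
        return "allow:aad"
    return "deny"


if __name__ == "__main__":
    # Constructed requests as the app would see them behind the front end.
    samples = [
        ({"X-Forwarded-For": "203.0.113.44:51234"}, "10.0.0.5"),
        ({"X-Forwarded-For": "198.51.100.9:443",
          "X-MS-CLIENT-PRINCIPAL-NAME": "user@contoso.example"}, "10.0.0.5"),
        ({"X-Forwarded-For": "192.0.2.10:4430"}, "10.0.0.5"),
    ]
    for hdrs, peer in samples:
        print(hdrs.get("X-Forwarded-For"), "->", decide(hdrs, peer))
```

The split into `client_ip` and `decide` keeps the trust decision in one place: a web framework would call `decide` from a middleware and return 401/403 on `"deny"`. Note the second bullet in the docstring: if built-in authentication is left on "Require authentication", the front end answers before the app does, and the allowlisted-IP path never executes.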