RobySkariah-9917 asked ·

How to authenticate against AD from custom app service api code?

We have a custom web service hosted on an on-prem Windows IIS server. This API, when called, logs off or breaks the signed-in user session (user signed in to SharePoint Online / O365) and tries to authenticate the user again against on-prem AD using Windows authentication. The user will be forced to re-enter Windows AD credentials to log back in. This is an additional layer of authentication incorporated.

Now, the question is: can I migrate this web service/API to Azure App Service? I understand that by changing the hosting platform from a Windows on-prem IIS server to Azure App Service, the same Windows authentication cannot be done. Instead, I would like to know if we can do a similar style of authentication against Azure AD, basically an additional prompt. The rest of the functionality should remain the same. What could be a foreseeable challenge here? Is it straightforward? I may not need the Windows pop-up; in this case, maybe the Microsoft sign-in page is what I am expecting.

Now, if I can authenticate the same way as against on-prem AD from the app hosted in Azure App Service, I would be delighted. We already have ExpressRoute connectivity established between our on-prem domain and Azure tenant.

Any solution or comments are helpful.

Tags: azure-webapps, azure-ad-authentication, azure-webapps-authentication

1 Answer

soumi-MSFT answered ·

@RobySkariah-9917, yes. If your app uses legacy auth protocols like Kerberos and you would like to protect it with Azure AD, then you can consider using App Proxy. You can publish your on-premises app (hosted on the IIS server) directly through App Proxy and utilize the protection of AAD as well as your on-prem AD. This would be a better way forward without breaking your existing setup.

In case your app already has the code for Kerberos-based authentication and you want to completely migrate your app to App Service from your IIS, it's not going to work, because AAD works completely on modern web protocols like OAuth2, OpenID Connect and SAML.

Having said that, if your app doesn't have any Kerberos-based auth code, then you can deploy your app code to App Service and use the "Easy Auth" option. When you use Easy Auth, it redirects you to AAD's login screen when you access the app. The user then enters their username and password at AAD and gets authenticated with AAD. Once authenticated, AAD simply redirects the user back to the app, stating that the user is authenticated. In this case no authorization comes into the picture.

You can read more on Easy Auth here.

Hope this helps. Do let us know in case any more queries around this.


@RobySkariah-9917, Just wanted to check if the above response helped in answering your query. If it did, it would be great if you can mark the response as "Answered" so that it helps others too.

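The answer's last point, that Easy Auth authenticates but does not authorize, is where app code still has work to do. Below is an added example (not from the question, the answer, or Microsoft's own samples) showing how an App Service app can read the principal that Easy Auth injects in the `X-MS-CLIENT-PRINCIPAL` header and make its own role check; the header layout follows the documented base64-encoded JSON shape, while the sample user and role values are constructed for illustration.

```python
import base64
import json

# Header names App Service authentication ("Easy Auth") injects into every
# request it forwards to the app after a successful sign-in. They are only
# trustworthy behind Easy Auth, which overwrites any client-supplied copies;
# an app run elsewhere must not treat them as proof of identity.
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL"
PRINCIPAL_NAME_HEADER = "X-MS-CLIENT-PRINCIPAL-NAME"
PRINCIPAL_IDP_HEADER = "X-MS-CLIENT-PRINCIPAL-IDP"


def parse_client_principal(headers):
    """Decode the Easy Auth principal into (auth_typ, name, sorted roles).

    Returns None when no usable principal is present, i.e. the platform did
    not authenticate the caller (anonymous access allowed, or not running
    behind App Service at all).
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP headers are case-insensitive
    raw = lowered.get(PRINCIPAL_HEADER.lower())
    if not raw:
        return None
    try:
        principal = json.loads(base64.b64decode(raw))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    if not isinstance(principal, dict):
        return None
    claims = principal.get("claims", [])
    name_typ = principal.get("name_typ")
    role_typ = principal.get("role_typ")
    name = next((c.get("val") for c in claims if c.get("typ") == name_typ), None)
    roles = sorted(c.get("val") for c in claims if c.get("typ") == role_typ)
    return principal.get("auth_typ"), name, roles


def is_authorized(headers, required_role):
    """The authorization decision the app must make itself: Easy Auth proves
    who the caller is, never what they are allowed to do."""
    parsed = parse_client_principal(headers)
    if parsed is None:
        return False
    auth_typ, _name, roles = parsed
    return auth_typ == "aad" and required_role in roles  # accept only Azure AD sign-ins


# Constructed sample request, shaped like what Easy Auth would forward.
_SAMPLE_PRINCIPAL = {
    "auth_typ": "aad",
    "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "claims": [
        {"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "val": "roby@example.com"},
        {"typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "val": "Api.Reader"},
    ],
}
SAMPLE_HEADERS = {
    PRINCIPAL_HEADER: base64.b64encode(json.dumps(_SAMPLE_PRINCIPAL).encode()).decode(),
    PRINCIPAL_NAME_HEADER: "roby@example.com",
    PRINCIPAL_IDP_HEADER: "aad",
}
```

Roles appear in the principal only if the app registration defines app roles and assigns them to users; without that, `is_authorized` correctly denies every caller even though Easy Auth has authenticated them.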