Azure Websites Authentication / Authorization allows you to quickly and easily restrict access to your websites running on Azure Websites by leveraging Azure Active Directory.
While this is something you could do today, Websites users will greatly benefit from a simplified and streamlined solution that does not require any complex configuration, new code, or maintenance. Furthermore, this solution is stack agnostic: it works for all the stacks supported by Azure Websites today, whether your site is written in .NET, PHP, Node, Java or Python, and since it is provided as part of the platform it scales with your application.
Azure Websites Authentication / Authorization simplifies the process of restricting access to your site to only 3 steps with no code changes necessary in the application:
- Create a directory with users if one doesn’t already exist
- Step through the Authentication / Authorization configuration wizard for your website in the Azure Portal
  - Select the Directory associated with the Website
  - Select or create the Azure Active Directory app for the Website
- Your Website is now restricted so only users in the directory you selected in step 2 will be able to access it.
In contrast, power users who choose to do this manually would have to follow the list of steps below:
- Create a directory with users if one doesn’t already exist
- Create an AAD application and configure the following:
  - Application type
  - Application friendly name
  - Login URL
  - App ID URL
  - Reply addresses for all site hostnames
- Download the Identity SDK for your platform, if available
  - If not, you will have to implement OpenID Connect yourself using the spec and do the appropriate security testing.
- Update application code to do the following:
  - Force all clients to connect using SSL.
  - Redirect unauthenticated requests to the login page using the correct parameters.
  - Parse JWT tokens returned from the login page.
  - Manage session cookies (with appropriate encryption/signing).
  - Mitigate replay attacks using a shared data store for nonce management.
  - Mitigate CSRF attacks.
  - Log and/or audit login attempts.
- Update site configuration with the AAD configuration (tenant name, application client_id GUID, etc.)
- Write your application logic.
- Account for key rolling in the AAD directory (or all logins could start failing)
- Keep the AAD application in sync with any hostname changes to the Website.
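To show what two of those manual items actually involve, the redirect-to-login step and the nonce/CSRF mitigations, here is an added illustration of a minimal OpenID Connect state and nonce handler. It is not code from Azure Websites or from an AAD SDK; the tenant, client_id and callback URL are constructed placeholders, the dict stands in for the shared data store, and id_token signature verification (where key rolling would matter) is assumed to happen before the claims reach `validate_callback`.

```python
import secrets
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.windows.net/TENANT-PLACEHOLDER"  # constructed placeholder
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder AAD client_id GUID
NONCE_TTL = 300  # seconds a pending login stays valid


class PendingLogins:
    """In-flight logins keyed by state; a dict here, a shared cache on a multi-instance site."""

    def __init__(self):
        self._items = {}

    def put(self, state, nonce, return_url, now):
        self._items[state] = (nonce, now + NONCE_TTL, return_url)

    def pop(self, state):
        # Removing the entry on first use is what stops replay of a captured callback.
        return self._items.pop(state, None)


def build_login_redirect(store, redirect_uri, return_url, now=None):
    """Authorize URL for an unauthenticated request. state ties the callback to
    this browser session (CSRF); nonce ties the id_token to this attempt (replay)."""
    now = time.time() if now is None else now
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    store.put(state, nonce, return_url, now)
    params = {"client_id": CLIENT_ID, "response_type": "id_token",
              "response_mode": "form_post", "redirect_uri": redirect_uri,
              "scope": "openid", "state": state, "nonce": nonce}
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"


def validate_callback(store, form_state, claims, now=None):
    """Check posted state and the (already signature-verified) id_token claims."""
    now = time.time() if now is None else now
    pending = store.pop(form_state)
    if pending is None:
        raise ValueError("unknown or reused state")
    nonce, expires, return_url = pending
    if now > expires:
        raise ValueError("login attempt expired")
    if not secrets.compare_digest(nonce, str(claims.get("nonce", ""))):
        raise ValueError("nonce mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("id_token not issued for this application")
    return return_url
```

Every instance of the site must read the same `PendingLogins` store, otherwise a callback landing on a different instance than the one that issued the redirect is rejected as unknown.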
Configure your Azure Website Authentication / Authorization
Step 1: Prepare your Directory
The first step to restricting access to your website using Azure Websites Authentication / Authorization is to get your Azure Active Directory ready. Azure Active Directory will handle user management and the log-in mechanics for your site. I’m not going to go into details on how to set up Azure Active Directory, but here are some helpful resources to get you started:
Step 2: Configure your site
The next step involves linking your Azure Website to the Azure Active Directory that will provide the user management for your site. To do this you will use the Azure Management Portal.
Navigate to your site and click on the Configure tab. There is a new configuration section on this page called authentication / authorization.
In the authentication / authorization section, the Configure button launches the wizard that will guide you through the configuration.
In the wizard you can select a directory, if more than one is configured for your subscription, and an AAD Application.
From the drop-down you can select an existing AAD application or choose to create a new one. The AAD application will represent this website in Azure Active Directory.
Once you click OK the necessary configuration will be created in Azure Active Directory and propagated to your site.
Once the website is configured the authentication / authorization section provides deep links to the Azure Active Directory and Azure Active Directory Application this website is linked to.
The Logout Path environment variable can be used by the website to direct users to a unique URL that will log them out.
Current Limitations
There are some limitations in the current preview release of this feature:
- With the current release all users in the configured directory will have access to the application.
- With the current release the whole site is placed behind the login requirement.
- Headless authentication/authorization for API scenarios or service-to-service scenarios is not currently supported.
- With the current release there is no distributed log-out, so logging the user out will only do so for this application and not for all global sessions.