Process: Web App Deployment Steps
This KB covers Azure Web App deployment and connecting the app to Azure SQL using a user-managed identity.
A. Deploy App in Azure Web App
1. Create the app in Azure Web App (App Services - Microsoft Azure) by selecting the resource group, region and runtime stack.
2. Once created, it will look similar to the screenshot below.
B. Configure Managed Identity for App
1. Create a user-managed identity. KB on how to create one: https://securityservices.mariecurie.org.uk/support/solutions/articles/52000086568
2. Once you have a user-managed identity, assign it to the Web App: go to Web App (PackageChecker) > Identity > User assigned > Add (this lists the identities available).
In the example below, cybersqldataprd01_identity has been added to PackageChecker.
3. Once the identity is added to the application, the identity needs to be granted permissions to access the database.
C. Grant Permission to Identity to access Database
1. Log in to the database from SSMS or Azure SQL. You must be logged in as the admin of the database, otherwise granting permissions to the identity doesn't work.
2. Once logged in, run the following commands:
-- Create a contained database user mapped to the Entra ID (Azure AD) identity; no password is stored
CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
-- Read access to all user tables
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
-- Write access (INSERT/UPDATE/DELETE) to all user tables
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
-- Schema changes (needed for Entity Framework migrations)
ALTER ROLE db_ddladmin ADD MEMBER [<identity-name>];
GO
3. Replace <identity-name> with the name of the identity you created.
4. For example, cybersqldataprd01_identity has been added to the cybersqldataprd01 database as a user with the above roles.
5. Once that is done, the code needs to be modified before publishing it.
D. Modify your code
1. Modification is required in web.config (the connection string) and in the Entity Framework context (Context.cs).
2. Change the web.config connection string to the following (it is passwordless: there is no username or password in the connection string):
<connectionStrings>
<add name="cybersqldataprdEntities" connectionString="metadata=res://*/CyberSqlEntity.csdl|res://*/CyberSqlEntity.ssdl|res://*/CyberSqlEntity.msl;provider=System.Data.SqlClient;provider connection string='data source=cybersqldataprd01.database.windows.net;initial catalog=cybersqldataprd;App=EntityFramework'" providerName="System.Data.EntityClient" />
</connectionStrings>
3. Modify the context constructor in Entity Framework (Context.cs) as below:
// add at the top of Context.cs
using Azure.Core;
using Azure.Identity;

public cybersqldataprdEntities() : base("name=cybersqldataprdEntities")
{
    // Underlying store connection that Entity Framework built from the passwordless connection string
    var conn = (System.Data.SqlClient.SqlConnection)Database.Connection;
    // Client ID of the user-assigned managed identity (replace the placeholder)
    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = "<clientid of user assigned managed identity>" });
    // Request an Entra ID (Azure AD) token scoped to Azure SQL
    var token = credential.GetToken(new TokenRequestContext(new[] { "https://database.windows.net/.default" }));
    // The token must be attached before the connection is opened
    conn.AccessToken = token.Token;
    conn.Open();
}
The code above uses DefaultAzureCredential to get a usable token for your Azure database from Microsoft Entra ID (Azure AD) and then attaches it to the database connection. The token comes either from the signed-in Microsoft Entra user (Azure AD user) or from the user-managed identity, depending on whether the code runs locally in your development environment or in App Service: locally it uses the signed-in AD user, and in the deployed environment it uses the user-managed identity selected by its client ID.
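The constructor above requests a new token and opens the connection every time a context is created, and an Entra ID access token is only valid for a limited time. The following is an added example (not the project's code) of the same pattern with the token cached in one shared provider and refreshed before it expires, leaving Entity Framework to open and close the connection itself; the client ID placeholder and the database scope are taken from the code above, and the class name SqlTokenProvider is assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Threading;
using Azure.Core;
using Azure.Identity;

// Added example: one token provider shared by every DbContext instance.
public static class SqlTokenProvider
{
    // Placeholder: client ID of the user-assigned managed identity
    private const string ManagedIdentityClientId = "<clientid of user assigned managed identity>";
    private static readonly string[] Scopes = { "https://database.windows.net/.default" };
    // Refresh a little before expiry so a long-running request never carries a dead token
    private static readonly TimeSpan RefreshMargin = TimeSpan.FromMinutes(5);
    private static readonly object Gate = new object();
    private static readonly TokenCredential Credential =
        new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = ManagedIdentityClientId
        });
    private static AccessToken _cached;

    // Returns the cached token while it is still valid, otherwise fetches a new one
    public static string GetAccessToken(CancellationToken cancellationToken = default)
    {
        lock (Gate)
        {
            if (string.IsNullOrEmpty(_cached.Token) ||
                _cached.ExpiresOn - RefreshMargin <= DateTimeOffset.UtcNow)
            {
                _cached = Credential.GetToken(new TokenRequestContext(Scopes), cancellationToken);
            }
            return _cached.Token;
        }
    }

    // AccessToken can only be set on a closed connection, so fail early otherwise
    public static void Attach(SqlConnection connection)
    {
        if (connection.State != ConnectionState.Closed)
            throw new InvalidOperationException("Set AccessToken before the connection is opened.");
        connection.AccessToken = GetAccessToken();
    }
}

// Context.cs: the generated constructor replaced by this one
public cybersqldataprdEntities() : base("name=cybersqldataprdEntities")
{
    SqlTokenProvider.Attach((SqlConnection)Database.Connection);
}
```

Because the connection is not opened in the constructor, Entity Framework opens it on first use with the token already attached and closes it when the context is disposed.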
E. Publishing the code
1. In Solution Explorer, right-click the application and select Publish.
2. In Publish, select Azure, and then the specific target Azure App Service (Windows).
3. Select the resource group and then the Web App service, then publish the application.
4. The application will launch in the default browser through App Service.