Process: Configure authentication and authorisation (SSO Authentication via Azure)
Once the web application is up and running in Azure Web App Services, we can configure authentication and authorisation. We will be using MS Entra ID as the identity provider.
1. Go to App Services in the Azure Portal (App Services - Microsoft Azure) and select the application for which authentication is to be configured.
2. Within the application, go to Authentication in the left hand menu and then click Identity.
3. This will prompt you with the following window. Select Microsoft as the identity provider.
4. Select a Tenant type, for example Workforce for work and school accounts or Microsoft accounts. Under App registration > App registration type, select Create new app registration to create a new app registration in Microsoft Entra ID. Under Supported account types, select Current tenant-single tenant so that only users in your organisation can sign in to the web app. Leave Authentication set to Require authentication and Unauthenticated requests set to HTTP 302 Found redirect: recommended for websites.
5. At the bottom of the Add an identity provider page, click Add to enable authentication for your web app.
Verify limited access to the web app
1. Go to the Microsoft Entra admin center (Home - Microsoft Entra admin center), select Applications and then App registrations from the menu, and select the app registration that was created during the Authentication setup.
2. In the overview, verify that Supported account types is set to My organisation only.
3. Once this is done, the application will load MS authentication when launched, which we need to accept (for the first time only).
4. To verify that the application is not accessible outside the organisation, launch the application in incognito mode in the browser and provide a non MC email address. Access should be denied.
5. Since the application has been registered as an Enterprise application, by default all MC users can log into the application and the application will be visible in the MS O365 applications list for all users.
6. We can limit who has access to the application (user or group) and make the application visible only to them. This can be done here: go to Enterprise applications (Enterprise applications - Microsoft Entra admin center), search for your application and click on it. Then select Properties from the left menu.
7. Make sure these are the settings: Enabled for users to sign-in > Yes, Assignment required > Yes and Visible to users > Yes. With these settings only users/applications that are assigned to this application can view and access it.
8. Users and groups who can access the application can be added by going to the Users and Roles menu in the left hand menu within the application.
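The portal checks above can also be scripted, which is useful when many web apps have to be verified or when the settings need to be re-checked periodically. The following Python checker is an added example, not part of this process document or of any Microsoft tooling. It assumes the two JSON objects are fetched with `az ad app show --id <APP_ID>` (the app registration, whose `signInAudience` value `AzureADMyOrg` corresponds to "My organisation only") and `az ad sp show --id <APP_ID>` (the enterprise application, whose `accountEnabled`, `appRoleAssignmentRequired` and `tags` fields back the Properties page; the `HideApp` tag is what "Visible to users = No" sets). The application IDs and all sample values below are constructed for the example.

```python
"""Offline checker for the Entra settings this process verifies in the portal.

Added example. Input objects are assumed to come from:
  az ad app show --id <APP_ID>   -> app registration (signInAudience)
  az ad sp  show --id <APP_ID>   -> enterprise application (accountEnabled,
                                    appRoleAssignmentRequired, tags)
"""
import json

# Expected values for a single-tenant, assignment-required, visible app.
EXPECTED_SIGN_IN_AUDIENCE = "AzureADMyOrg"  # "My organisation only"
HIDE_APP_TAG = "HideApp"                    # present when "Visible to users" is No


def check_app_access(app: dict, sp: dict) -> list:
    """Return human-readable findings; an empty list means the app is compliant."""
    findings = []
    audience = app.get("signInAudience")
    if audience != EXPECTED_SIGN_IN_AUDIENCE:
        findings.append(
            f"signInAudience is {audience!r}, expected {EXPECTED_SIGN_IN_AUDIENCE!r} "
            "(Supported account types should be My organisation only)"
        )
    if sp.get("accountEnabled") is not True:
        findings.append("accountEnabled is not true (Enabled for users to sign-in should be Yes)")
    if sp.get("appRoleAssignmentRequired") is not True:
        findings.append("appRoleAssignmentRequired is not true (Assignment required should be Yes)")
    if HIDE_APP_TAG in (sp.get("tags") or []):
        findings.append("tags contain HideApp (Visible to users should be Yes)")
    return findings


def check_from_json(app_json: str, sp_json: str) -> list:
    """Same check, but on the raw JSON text the az commands print."""
    return check_app_access(json.loads(app_json), json.loads(sp_json))


# --- Constructed sample objects (placeholder IDs, not real tenants or apps) ---
COMPLIANT_APP = '''{"appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "example-webapp", "signInAudience": "AzureADMyOrg"}'''
COMPLIANT_SP = '''{"appId": "00000000-0000-0000-0000-000000000001",
  "accountEnabled": true, "appRoleAssignmentRequired": true,
  "tags": ["WindowsAzureActiveDirectoryIntegratedApp"]}'''

# Multi-tenant registration, no assignment required, hidden from users.
OPEN_APP = '''{"appId": "00000000-0000-0000-0000-000000000002",
  "displayName": "example-webapp-open", "signInAudience": "AzureADMultipleOrgs"}'''
OPEN_SP = '''{"appId": "00000000-0000-0000-0000-000000000002",
  "accountEnabled": true, "appRoleAssignmentRequired": false,
  "tags": ["WindowsAzureActiveDirectoryIntegratedApp", "HideApp"]}'''


if __name__ == "__main__":
    for label, app, sp in (("compliant", COMPLIANT_APP, COMPLIANT_SP),
                           ("open", OPEN_APP, OPEN_SP)):
        result = check_from_json(app, sp)
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

With real data, pipe the two `az ad ... show` outputs into `check_from_json`; a non-empty result lists exactly which Properties or Supported account types setting still differs from the values required in steps 2 and 7.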
References:
Tutorial - Add app authentication to a web app on Azure App Service - Azure App Service | Microsoft Learn
Configure enterprise application properties | Microsoft Learn
Manage users and groups assignment to an application | Microsoft Learn