Publish an App Service with Azure AD authentication on Azure Application Gateway

James Dumont le Douarec 36 Reputation points MVP
2020-10-03T13:34:39.99+00:00

Hello,

I did raise a Microsoft ticket to publish my App Service with Azure AD authentication, and the solution proposed was to configure my custom domain on my App Service. This solution works and doesn't need URL rewrite, but I'm not comfortable with it.

I would have preferred to keep the public custom domain, certificate and DNS stuff fully managed on the Application Gateway, which could then be managed by a single Cyber Security team, for example. The App Service could then be fully managed by an App team which doesn't have to take care of the company custom domains, DNS and certificate management.

I tried the solution explained here; it consists of using Application Gateway URL rewrite. The redirection and the Azure AD authentication work, but my App Service displays the following error. Here is the script I used to publish my App Service with the URL rewrite.

The error on the App Service :
Call to HTTP endpoint https://login.windows.net/79b44d42-bab4-49b3-9bbc-cf05592953a0/oauth2/token
failed: 400 (Bad Request). Partial response: {"error":"invalid_client","error_description":"AADSTS500112:
The reply address 'https://dev-myapp1-apiapp1.azurewebsites.net:443/.auth/login/aad/callback'
does not match the reply address 'https://myapp1-api-dev.dld23.com/.auth/login/aad/callback' provided when requesting Authorization code.

Thank you for your help,
Jamesdld
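The mismatch in the error above arises because Easy Auth on the backend builds the reply address from the host name it sees (dev-myapp1-apiapp1.azurewebsites.net, even with :443 appended) rather than the public custom domain the user was sent to. The following is an added example, not code from the original post or from the script it mentions: it models what a Location-header rewrite rule on the Application Gateway has to do, rewriting both a plain redirect to the backend host and the URL-encoded redirect_uri inside the authorize redirect, and then checks the result against the registered reply URL. Host names and tenant ID come from the error message; the function names, the client_id and the sample Location header are constructed for the example, and a real gateway rule would express the same mapping as a regex on the response header.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

# Host names taken from the error message in the question.
BACKEND_HOST = "dev-myapp1-apiapp1.azurewebsites.net"
PUBLIC_HOST = "myapp1-api-dev.dld23.com"
REGISTERED_REPLY_URL = f"https://{PUBLIC_HOST}/.auth/login/aad/callback"

# Constructed sample: the 302 Location that Easy Auth on the backend emits when
# it only knows its own *.azurewebsites.net host name (client_id is a placeholder).
SAMPLE_LOCATION = (
    "https://login.windows.net/79b44d42-bab4-49b3-9bbc-cf05592953a0/oauth2/authorize"
    "?response_type=code&client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https%3A%2F%2Fdev-myapp1-apiapp1.azurewebsites.net"
    "%2F.auth%2Flogin%2Faad%2Fcallback&state=abc"
)


def rewrite_location(location: str, backend_host: str, public_host: str) -> str:
    """Mimic a gateway rewrite rule applied to the Location response header.

    Handles two shapes: a redirect straight to the backend host (with or without
    an explicit :443, as seen in the error) and a redirect to the identity
    provider whose redirect_uri query parameter embeds the backend host.
    """
    parts = urlsplit(location)
    if (parts.hostname or "").lower() == backend_host:
        parts = parts._replace(netloc=public_host)  # also drops any port
    rewritten = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "redirect_uri":
            inner = urlsplit(value)
            if (inner.hostname or "").lower() == backend_host:
                value = urlunsplit(inner._replace(netloc=public_host))
        rewritten.append((key, value))
    # quote (not quote_plus) with safe='' re-encodes ':' and '/' as %3A and %2F.
    return urlunsplit(parts._replace(query=urlencode(rewritten, quote_via=quote)))


def reply_url_matches(location: str, registered: str) -> bool:
    """True if the redirect_uri in an authorize URL equals the registered reply URL.

    Azure AD compares reply URLs exactly, which is why the backend-built value
    in the error fails even though only the host differs.
    """
    params = dict(parse_qsl(urlsplit(location).query))
    return params.get("redirect_uri") == registered
```

Note that rewriting the outbound redirect only fixes the authorize leg; the backend still rebuilds the reply address from the Host header it receives when it redeems the code, which is the part the custom-domain binding addresses.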


6 answers

  1. Alexandre GIRAUD 1 Reputation point
    2021-02-24T09:32:50.127+00:00

    Hi all,

    Sorry to dig up this thread from some months ago, but I'm facing a similar issue and need to get more information about the experiences that you had.
    I totally understand the rewrite point with Azure Application Gateway for callback and redirect_uri, and it's working fine, but in a specific case only.

    I didn't see, unless I'm mistaken, anyone talking about custom domain and SSL bindings on the web app. So I mean that this works perfectly if, on the Azure web app, we add a custom DNS (just awverify is enough) and an SSL binding. If we don't add this on the web app, I always get a 500.74 on the 2nd request on the callback URI.

    Our goal is not to have custom bindings (SSL + DNS) on all backend Azure web apps, but only a single certificate on the Application Gateway and only *.azurewebsites.net for the backend. Is this a possible configuration, or is configuring the backend mandatory?

    Thanks for sharing, at your disposal if needed.
    Regards,
    Alexandre
