Is it possible to handle multiple app registrations for one app service in Microsoft Azure?

Jörg Auberg 20 Reputation points
2023-01-13T11:28:45.77+00:00

I have the following problem: In a Microsoft Azure environment, there should be a web application (ASP.NET Core with Razor Pages) for the management of customer data for internal as well as external users. While the internal users should have full admin access, the external users should have only limited access to the application and its database structures. The idea is to handle this by two app registrations for one app service.

Yet, I have not found a solution for this requirement (e.g. the client ID specification in the appsettings.json file).

Is it conclusive and possible to use multiple app registrations for one app service or should each app service have its own app registration?

Is there a way to handle multiple app registrations for one app service?

Microsoft Entra ID

Accepted answer
  Shweta Mathur 27,691 Reputation points Microsoft Employee
    2023-01-17T07:36:00.28+00:00

    Hi @Jörg Auberg ,

    Thanks for reaching out.

    Yes, it is possible to support one app service using multiple authentication schemes.

    The Microsoft identity platform supports multiple authentication schemes, which allow users to sign into the application either with two Azure AD app registrations, or with one Azure AD app and one Azure AD B2C app.

    In the appsettings.json file, you need to provide two authentication scheme sections.

    {
        "AzureAd1": {
            "Instance": "https://login.microsoftonline.com/",
            "Domain": "contoso.onmicrosoft.com",
            "TenantId": "xxxx-xxx-xx-xx",
            "ClientId": "xxx-x-xxx-xx",
            "ClientSecret": "",
            "CallbackPath": "/signin-oidc-1"
        },
        "AzureAd2": {
            "Instance": "https://login.microsoftonline.com/",
            "Domain": "contoso.onmicrosoft.com",
            "TenantId": "xxx-xx-xx-xx",
            "ClientId": "xxx-xx-xx-xx",
            "ClientSecret": "",
            "CallbackPath": "/signin-oidc"
        },
        "DownstreamApi": {
            "BaseUrl": "https://graph.microsoft.com/v1.0",
            "Scopes": "user.read"
        },
        "Downstream2Api": {
            "BaseUrl": "https://graph.microsoft.com/v1.0",
            "Scopes": "user.read"
        }
    }
    

    In Startup.cs in ConfigureServices, we have two sections for .AddAuthentication, one for AzureAd1 and another for AzureAd2. Please note that .AddAuthentication() has no default scheme defined.

    
    // No default scheme: each scheme is selected explicitly by name.
    services.AddAuthentication()
        // Scheme "openid2" for app registration 1 (cookie scheme defaults to "Cookies").
        .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd1"), "openid2")
        .EnableTokenAcquisitionToCallDownstreamApi(Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' '))
        .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
        .AddInMemoryTokenCaches(); // the token cache is registered once and shared by both schemes

    // No default scheme either.
    services.AddAuthentication()
        // Scheme "AzureAD" for app registration 2, with its own cookie scheme "cookiesAzureAD".
        .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd2"), "AzureAD", "cookiesAzureAD")
        .EnableTokenAcquisitionToCallDownstreamApi(Configuration.GetValue<string>("Downstream2Api:Scopes")?.Split(' '))
        .AddDownstreamWebApi("Downstream2Api", Configuration.GetSection("Downstream2Api"));
    
    

    Reference: https://github.com/AzureAD/microsoft-identity-web/wiki/Multiple-Authentication-Schemes

    Hope this will help.

    Thanks

    Shweta


    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
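The answer above shows how to register two schemes, but not the part the question actually hinges on: making "full admin" depend on which app registration signed the user in. Below is an added example (not code from the original post, the accepted answer, or Microsoft.Identity.Web's own samples) of a Program.cs for ASP.NET Core 6+ minimal hosting with Razor Pages. The section names AzureAdInternal/AzureAdExternal, the scheme names, the claim name app_registration, the page folders /Admin and /Customers, and the /login/* routes are all assumptions for this example. Each section is expected to carry its own ClientId and a distinct CallbackPath; two OIDC handlers sharing the default /signin-oidc will both try to process the same callback.

```csharp
// Program.cs, ASP.NET Core 6+ minimal hosting with Microsoft.Identity.Web.
// Added example (not from the original post): two app registrations behind one
// App Service, with the registration that authenticated the user deciding access.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// Scheme, claim and section names are assumptions for this example.
const string InternalOidc = "OidcInternal", InternalCookie = "CookieInternal";
const string ExternalOidc = "OidcExternal", ExternalCookie = "CookieExternal";
const string RegistrationClaim = "app_registration"; // set server-side, never taken from the token

var builder = WebApplication.CreateBuilder(args);
var config = builder.Configuration;

// One OIDC scheme plus one cookie scheme per registration. Each config section needs its
// own ClientId and a distinct CallbackPath (e.g. "/signin-oidc-internal" and
// "/signin-oidc-external"); two handlers sharing "/signin-oidc" fight over the callback.
builder.Services.AddAuthentication() // no default scheme: every policy names its scheme
    .AddMicrosoftIdentityWebApp(config.GetSection("AzureAdInternal"), InternalOidc, InternalCookie);
builder.Services.AddAuthentication()
    .AddMicrosoftIdentityWebApp(config.GetSection("AzureAdExternal"), ExternalOidc, ExternalCookie);

// Stamp each identity with the registration that validated its id_token. This runs after
// the handler has checked signature, issuer and audience (aud == that registration's
// ClientId), so an id_token issued to the external app can never end up tagged "internal".
TagScheme(InternalOidc, "internal");
TagScheme(ExternalOidc, "external");

// Send unauthenticated users of each cookie scheme to the matching sign-in entry point.
builder.Services.Configure<CookieAuthenticationOptions>(InternalCookie, o => o.LoginPath = "/login/internal");
builder.Services.Configure<CookieAuthenticationOptions>(ExternalCookie, o => o.LoginPath = "/login/external");

builder.Services.AddAuthorization(options =>
{
    // Full admin access: only sessions created through the internal registration.
    options.AddPolicy("InternalAdmin", p => p
        .AddAuthenticationSchemes(InternalCookie)
        .RequireAuthenticatedUser()
        .RequireClaim(RegistrationClaim, "internal"));

    // Limited access: a session from either registration is acceptable.
    options.AddPolicy("AnyUser", p => p
        .AddAuthenticationSchemes(InternalCookie, ExternalCookie)
        .RequireAuthenticatedUser()
        .RequireClaim(RegistrationClaim, "internal", "external"));

    // Deny by default: a page is unreachable unless a convention or attribute opts it in.
    options.FallbackPolicy = options.GetPolicy("AnyUser");
});

builder.Services.AddRazorPages(options =>
{
    options.Conventions.AuthorizeFolder("/Admin", "InternalAdmin");  // Pages/Admin/*
    options.Conventions.AuthorizeFolder("/Customers", "AnyUser");    // Pages/Customers/*
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Explicit sign-in entry points, one per registration; each challenges its own OIDC scheme.
app.MapGet("/login/internal", () =>
        Results.Challenge(new AuthenticationProperties { RedirectUri = "/Admin" }, new[] { InternalOidc }))
    .AllowAnonymous();
app.MapGet("/login/external", () =>
        Results.Challenge(new AuthenticationProperties { RedirectUri = "/Customers" }, new[] { ExternalOidc }))
    .AllowAnonymous();

app.MapRazorPages();
app.Run();

// Adds a server-side claim naming the registration, chaining the handler that
// Microsoft.Identity.Web already installed on OnTokenValidated.
void TagScheme(string oidcScheme, string tag)
{
    builder.Services.Configure<OpenIdConnectOptions>(oidcScheme, options =>
    {
        options.Events ??= new OpenIdConnectEvents();
        var inner = options.Events.OnTokenValidated;
        options.Events.OnTokenValidated = async context =>
        {
            var identity = (ClaimsIdentity)context.Principal!.Identity!;
            // Never trust a same-named claim that arrived inside the token.
            foreach (var stale in identity.FindAll(RegistrationClaim).ToList())
                identity.RemoveClaim(stale);
            identity.AddClaim(new Claim(RegistrationClaim, tag));
            await inner(context);
        };
    });
}
```

The security boundary here is the audience check: each OIDC handler only accepts an id_token whose aud is its own ClientId, so "which registration" is something the handler establishes, not something the user can assert. The app_registration claim is added after that check and then persisted into the cookie by the sign-in, which is why the policies can key on it. Two things to keep in mind when adapting this: if the external registration is multi-tenant, the issuer/tenant validation for that scheme matters as much as the audience check, and when a policy lists two cookie schemes the unauthenticated challenge redirects to the last scheme's LoginPath, so give users an explicit link to the other entry point as well.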
