Can we use our website SSL certificate to secure our Azure Active Directory App

john john 926 Reputation points
2023-02-05T21:28:04.8666667+00:00

I created a new ASP.NET Core 6.0 MVC web application using Visual Studio 2022, and I defined it to use Azure AD for authentication, as follows:


Then I was asked to create an owned application, so I created one named "ad" as follows:


Inside my application's appsettings.json I have these settings:

{
    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "*****",
        "TenantId": "***",
        "ClientId": "***",
        "CallbackPath": "/signin-oidc"
    },
    ....
}

It seems Visual Studio did all the work for us.

But when I checked "Certificate & Secrets" in the Azure portal for the generated Azure AD app, I found that there isn't anything assigned:


So now we are going to upload a certificate (.crt file), but I have these questions:

  1. Our above ASP.NET Core MVC website already has an SSL certificate bought from GoDaddy, so can we also use this certificate inside our Azure Active Directory app?
  2. Also, after uploading a certificate inside our Azure Active Directory app, do we need to pass the certificate thumbprint from our web application? If the answer is yes, then what do I need to do exactly? Do we need to modify the Identity platform code?

2 answers

  1. Bruce (SqlWork.com) 55,041 Reputation points
    2023-02-05T22:44:04.4066667+00:00

    The default is password authentication. Typically you would create a client secret.

    If you want to use certificate authentication to authenticate your app's access to AD, then you need to create an identification cert. As these are just between your app and Azure AD, they can be self-signed.

    https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate

    You can also use Azure Key Vault to store certificates, but then you need a login/cert to access the store.


  2. 2023-02-22T19:03:05.32+00:00

    Hello, to authenticate against an Azure AD app using a certificate you need an X.509 cert that:

    • Has 2048-bit or longer keys. 2048-bit size is highly recommended for the best combination of security and performance.
    • Uses the RSA cryptographic algorithm. Azure AD currently supports only RSA.
    • Is signed with the SHA256 hash algorithm. Azure AD also supports certificates signed with SHA384 and SHA512 hash algorithms.

    You will have to reach GoDaddy to see if they can issue certificates that follow the aforementioned requirements.

    And yes, you will need to pass the certificate thumbprint. Keep in mind this can be used when requesting an access token alone or in tandem with an id token (hybrid flow):

    Here is how to configure your ASP.NET application:

    appsettings.json
    {
      "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "alfredorevillaatmsft.com",
        "TenantId": "22a84c88-253a-4025-a5c4-e0dc365b8d17",
        "ClientId": "efd38bbf-562c-4cc7-ba4d-2191b3931c95",
        "CallbackPath": "/signin-oidc"
      },
      "DownstreamApi": {
        "Scopes": "user.read" 
      }
    }
    
    Program.cs
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc.Authorization;
    using Microsoft.Identity.Web;
    using Microsoft.Identity.Web.UI;
    
    var builder = WebApplication.CreateBuilder(args);
    
    var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');
    
    // Add services to the container.
    builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
            .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                .AddInMemoryTokenCaches();
    

    And how to acquire an access token:

    [AuthorizeForScopes(Scopes = new[] { "user.read" })]
    public async Task<IActionResult> Profile()
    {
        // tokenAcquisition is an ITokenAcquisition injected through the controller constructor.
        // Acquire the access token.
        string[] scopes = new string[] { "user.read" };
        string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);
        // Use the access token to call a protected web API.
        // ...
    }
    

    For more information take a look at Scenario: A web app that authenticates users and calls web APIs. For a hybrid flow sample take a look at this sample.

    Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.

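How the thumbprint is wired into the app, as an added example that is not part of either answer above: with Microsoft.Identity.Web the certificate is declared in a ClientCertificates array inside the AzureAd section, and the AddMicrosoftIdentityWebApp call already shown in Program.cs loads it, so no application code changes. Assumptions: the certificate with its private key is installed in the CurrentUser/My store (or, as the alternative, held in Key Vault), the angle-bracket values are placeholders for your own, and the // comments are tolerated because .NET's JSON configuration provider skips them.

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<tenant-domain>",
    "TenantId": "<tenant-id>",
    "ClientId": "<application-client-id>",
    "CallbackPath": "/signin-oidc",
    // No "ClientSecret" key: the certificate below is the app's credential instead.
    // Microsoft.Identity.Web walks the entries in order and uses the first one it can load.
    "ClientCertificates": [
      {
        // Private key stays in the local store; only the public .cer/.crt is uploaded
        // under "Certificates & secrets" in the portal. The thumbprint is the SHA-1
        // fingerprint the portal displays for the uploaded certificate (placeholder here).
        "SourceType": "StoreWithThumbprint",
        "CertificateStorePath": "CurrentUser/My",
        "CertificateThumbprint": "<thumbprint-from-portal>"
      },
      {
        // Alternative from the first answer: keep the certificate in Azure Key Vault.
        // The app reaches the vault with DefaultAzureCredential (e.g. its managed identity).
        "SourceType": "KeyVault",
        "KeyVaultUrl": "https://<vault-name>.vault.azure.net",
        "KeyVaultCertificateName": "<certificate-name>"
      }
    ]
  },
  "DownstreamApi": {
    "Scopes": "user.read"
  }
}
```

At token-acquisition time the library uses the private key to sign a client assertion (a short-lived JWT) that Azure AD verifies against the uploaded public certificate; the thumbprint only tells the library which local certificate to use. That is why a certificate the app alone controls, rather than the public website's TLS certificate, is the usual choice.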