Is is possible to setup Azure AD OAUTH2 with an app that resides on an Azure V-Net that is not accessible from the internet?

Question

Is is possible to setup Azure AD OAUTH2 with an app that resides on an Azure V-Net that is not accessible from the internet?

JohnSebastian-3934 441

I'm trying to integrate Ansible Automation Platform with Azure AD OAUTH2.

According to the Ansible Automation Platform documentation, I need to create an App Registration in Azure AD with a secret which I have done and then provide the Azure AD App Registration with the Callback URL that the Ansible Automation Platform creates. The user has no ability to configure this callback URL.

This suggests to me that the Callback URL MUST be accessed over the open internet from Azure AD. So I must put a DNS Entry into a DNS server that makes the hostname of the callback URL (which happens to be: https://towerhost/sso/complete/azuread-oauth2/) reachable via the internet. Does this sound right?

The host on which I run my Ansible Automation is a virtual machine located in my Azure V-Net. This host has no public IP address and is not accessible from the internet. Is it still possible for me to integrate an application that is in a private Azure V-Net with Azure AD?

This has been very confusing and I need help from experts in modern authentication with Azure AD to chime in.

Thank you,

John

Accepted answer

0 additional answers

Your answer

Answer 1

Ayomide Oluwaga 906

Yes, you are correct that the Callback URL must be accessible over the internet from Azure AD. In order to achieve this, you can create a public DNS entry that points to the private IP address of your Ansible Automation Platform host in the Azure V-Net. This can be done using Azure DNS, or any other DNS provider that you prefer.

As for integrating an application in a private Azure V-Net with Azure AD, it is still possible. You can use Azure AD Application Proxy to publish your application securely and make it accessible from the internet. This allows you to keep your application in your private V-Net and still have it integrated with Azure AD for authentication and authorization.

Alternatively, you can also use Azure Private Link to securely access your application within the V-Net. This allows you to expose your application privately to specific Azure V-Net resources, such as your Azure AD tenant, without exposing it to the public internet.

I hope this helps! Let me know if you have any further questions.

JohnSebastian-3934 441 Reputation points

2023-03-27T18:21:14.7333333+00:00

I'm looking at the Private Endpoint documentation. I'm not sure that I follow what you are saying based on what I'm seeing in the Private Endpoint documentation. Since my application runs on a virtual machine in my V-Net (it is not an app running through the Azure AD App Registration process), what am I attaching the private end point to? Is it the VM on which the app is running? The NIC of the VM? How does that link me privately to Azure AD?
Ayomide Oluwaga 906 Reputation points

2023-03-27T20:47:57.78+00:00
I apologize for the confusion in my previous response. You are correct that using a private endpoint is not applicable in this scenario since your application is running on a virtual machine within your V-Net.

In your case, you can use the Azure AD Application Proxy as I mentioned earlier to enable secure access to your application from the internet. Here are the steps you can follow:

Register your application with Azure AD using the App Registration Portal and configure the Callback URL to point to the internal URL of your application, which is not accessible from the internet.

Install the Azure AD Application Proxy Connector on a virtual machine within your V-Net that has access to your application. The connector acts as a bridge between your application and Azure AD.

Create an application proxy application in the Azure portal and configure the connector to provide access to your internal application. You can also configure access controls and authentication methods for your application.

Once your application proxy application is published, external users can access it by going to the URL provided by the Application Proxy. When they access the application, they will be prompted to authenticate with Azure AD.

The Azure AD Application Proxy provides secure remote access to your internal application without exposing it to the internet. The connector installed on your virtual machine within your V-Net acts as a proxy between your application and Azure AD, providing secure authentication and authorization for your users.
Ayomide Oluwaga 906 Reputation points

2023-03-27T20:50:45.1666667+00:00

you may alternatively also want to consider using a combination of Azure AD Domain Services and Azure AD Application Proxy to enable secure access to your application from the internet. I would post the process for this if you have issues with the former process.

Share via

Is is possible to setup Azure AD OAUTH2 with an app that resides on an Azure V-Net that is not accessible from the internet?

0 additional answers

Your answer