Authentication issues with FrontDoor

sonal khatri 81 Reputation points
2023-09-29T08:41:56.7933333+00:00

I have a web application, and I've registered it in Azure AD for authentication.

I also created a second web application and used the same authentication setup in the code for both apps. Additionally, I set up a FrontDoor service and added a backend pool to both web apps.

Now, when I access the FrontDoor URL, it prompts me to sign in. After signing in, it redirects me to one of the web app URLs and asks me to sign in again. I'm uncertain why I have been asked to Sign In twice.


Accepted answer
  1. Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator
    2023-09-29T16:03:18.1866667+00:00

    @sonal khatri When using Azure Front Door in front of your app services, there are some considerations that you need to follow. They are documented in the official docs.

    Since you have different origins, the authentication context in the browser is separate, and since your app service is still redirecting to its origin, you are asked to log in again.

    You need to update the configuration as shown in the doc linked above to configure the Redirect URI accordingly for this setup. Namely:

    • Add https://<front-door-endpoint>/.auth/login/<provider>/callback as a valid Redirect URI in your AAD App
    • Configure App Service to use the right Redirect URI as shown in the docs. Here are the same steps for reference:

    This configuration cannot be done via the Azure portal today and needs to be done via az rest:

    Export settings

    az rest --uri "/subscriptions/REPLACE-ME-SUBSCRIPTIONID/resourceGroups/REPLACE-ME-RESOURCEGROUP/providers/Microsoft.Web/sites/REPLACE-ME-APPNAME/config/authsettingsV2?api-version=2020-09-01" --method get > auth.json
    

    Update settings

    Search for

    "httpSettings": {
      "forwardProxy": {
        "convention": "Standard"
      }
    }
    

    and ensure that convention is set to Standard to respect the X-Forwarded-Host header used by Azure Front Door.

    Import settings

    az rest --uri "/subscriptions/REPLACE-ME-SUBSCRIPTIONID/resourceGroups/REPLACE-ME-RESOURCEGROUP/providers/Microsoft.Web/sites/REPLACE-ME-APPNAME/config/authsettingsV2?api-version=2020-09-01" --method put --body @auth.json
    
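
The "Update settings" step from the accepted answer as a small script, added here as an example and not part of the original answer or the linked docs: it sets `forwardProxy.convention` to `Standard` in the exported `auth.json` without touching the other settings, and builds the callback URI to register. The sample export and the function names are constructed for illustration.

```python
import json
import sys
from typing import Optional, Tuple

# Constructed, abridged sample of an exported auth.json (real exports hold more keys).
SAMPLE_EXPORT = """
{"name": "authsettingsV2",
 "properties": {
   "platform": {"enabled": true},
   "httpSettings": {"requireHttps": true,
                    "forwardProxy": {"convention": "NoProxy"}}}}
"""


def use_standard_forward_proxy(auth_json: str) -> Tuple[str, Optional[str]]:
    """Return (updated JSON text, previous convention or None if it was unset)."""
    doc = json.loads(auth_json)
    # az rest returns the whole ARM resource, so the settings sit under
    # "properties"; fall back to the top level if the file holds them directly.
    settings = doc["properties"] if isinstance(doc.get("properties"), dict) else doc
    # Create the nested objects when the export has them missing or null.
    http = settings.get("httpSettings") or {}
    proxy = http.get("forwardProxy") or {}
    previous = proxy.get("convention")
    proxy["convention"] = "Standard"
    http["forwardProxy"] = proxy
    settings["httpSettings"] = http
    return json.dumps(doc, indent=2), previous


def front_door_callback(front_door_host: str, provider: str) -> str:
    """Redirect URI to register, following the pattern given in the answer."""
    host = front_door_host.strip()
    if host.startswith("https://"):
        host = host[len("https://"):]
    return "https://{}/.auth/login/{}/callback".format(host.strip("/"), provider)


if __name__ == "__main__":
    # Run with the path to the exported file; it is rewritten in place.
    path = sys.argv[1]
    with open(path) as fh:
        updated, old = use_standard_forward_proxy(fh.read())
    with open(path, "w") as fh:
        fh.write(updated)
    print("forwardProxy.convention: {} -> Standard".format(old))
```

Run it between the export and import commands, then compare the rewritten file with the original export before the `--method put` call.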
