Microsoft Container App Authentication

Pete 0 Reputation points
2024-03-14T20:52:51.79+00:00

Hi,

I am trying to set up authentication for an Azure Container App. I followed the documentation and have done the same for many other container apps and functions. It is set up with Microsoft for the provider and only for my tenant, and I created a new app registration for this app. I then gave myself Reader role access, but when I try to get a token for scope api://<app-id>/.default it doesn't work (my usual process).

I think the reason for this is that I recently created another app registration under the same tenant that requires admin consent to access since it provides access to Microsoft Graph API. Any ideas how I can get around this? I think one fix would be giving admin consent, but I would prefer not to do that.

Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Grmacjon-MSFT 15,696 Reputation points
    2024-04-04T18:43:39.92+00:00

    Hi @Pete, have you tried using a different App Registration? If the issue is indeed due to the new app registration that requires admin consent, you could consider using a different app registration that doesn’t require such consent.

    Also, if your container app logic allows it, request a more granular scope instead of api://<app-id>/.default. Use a scope specific to your container app's needs, like:

    • api://<app-id>/read (for read-only access)
    • A custom scope defined within your app registration (for specific actions)

    This way, your container app only requests the minimum permissions it needs, reducing potential conflicts.

    Please let us know if you have future questions.

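Added example, not part of the answer above or of Microsoft's documentation: a diagnostic check that a token obtained for the container app's app registration is addressed to it (`aud`), comes from the expected tenant (`tid`), and carries only the scope that was requested (`scp`). The app and tenant IDs are placeholders, the `read` scope and the helper names are hypothetical, the sample token is constructed, and the signature is deliberately not verified, so this is for troubleshooting only.

```python
import base64
import json

APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder for <app-id>


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, app_id: str, tenant_id: str, wanted_scope: str) -> list:
    """Return a list of problems; an empty list means the token is as requested."""
    claims = jwt_claims(token)
    problems = []
    # aud is the App ID URI in v1.0 tokens and the bare application ID in v2.0 tokens
    if claims.get("aud") not in (f"api://{app_id}", app_id):
        problems.append(f"aud is {claims.get('aud')!r}, not this app registration")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid is {claims.get('tid')!r}, not the expected tenant")
    granted = set(claims.get("scp", "").split())  # scp: space-separated delegated scopes
    if wanted_scope not in granted:
        problems.append(f"scope {wanted_scope!r} missing; token has {sorted(granted)}")
    extra = granted - {wanted_scope}
    if extra:
        problems.append(f"token carries more than requested: {sorted(extra)}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the check can run offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    tenant = "11111111-1111-1111-1111-111111111111"  # constructed tenant ID
    tok = make_sample_token({"aud": f"api://{APP_ID}", "tid": tenant, "scp": "read write"})
    for problem in check_token(tok, APP_ID, tenant, "read"):
        print("PROBLEM:", problem)
```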