Managing authentication for APIs deployed in multiple regions and protected by Azure AD

Anish Kumar 1 Reputation point
2020-01-09T19:32:09.237+00:00

Scenario:

  1. Registered a Web API in Azure AD to protect it and deployed the code in the US region on a web app named 'usapi' with the URI 'usapi.azurewebsites.net'. With this registration, Azure AD provides a Client Id which is used to get an access token.
  2. Granted access to the above Web API to a user called 'A'; user 'A' can now get an access token by specifying the above Client Id.

Now I need to deploy the same API in the South East Asia region. I will create another web app named 'seaapi' and deploy the same code there. I believe that in order to protect the API, I need to register it in Azure AD again, and doing so will create a different Client Id.

Now the question is:
Do I need to grant user 'A' access to the API deployed in the SEA region again? And even if I grant that access, won't the access token need to be generated with the new Client Id, in which case the user needs to know the Client Id of the API deployed in the SEA region?

What's the right approach to achieve the above?

Note: I will route user 'A''s requests to either the US or the SEA region from Traffic Manager.

@souravmishra-msft @Shashi Shailaj


2 answers

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-01-10T08:46:39.59+00:00

    @AnishKumar7058,

    This issue can be approached in two ways that I can think of.

    1. In case you are using Traffic Manager to route the traffic to different regions, I believe it would work only if you publish your API code on a WebApp hosted in a separate region (e.g. SEA) with the same reply URLs. When the user sends a request from the SEA region, Traffic Manager would itself route the traffic to the WebApp hosted in the SEA region, and if the request is made from the US region then Traffic Manager would route the traffic to the WebApp hosted in the US region.
    2. Secondly, since you have two WebApps (one in the US region and the other in the SEA region), you can specify a different reply URL for each of the WebApps. Then, under the single App Registration in AAD that was done earlier for the US-hosted WebApp, you can add the new reply URL for the SEA-hosted WebApp. So the app registration in AAD for the WebApp would have two reply URLs. Now when the user tries to log in from the US region, the request to AAD would include the reply URL for the WebApp hosted in the US region, and based on that reply URL, AAD would post the reply to that same reply URL, provided that URL is registered in the App Object present in AAD.

    Hope this helps.



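The practical consequence of keeping a single app registration, as an added example that is not part of the answer above or of any Microsoft sample: a token's audience is the registered API's Client Id, not the regional hostname, so the same validation logic accepts the same token in both regions. The HS256 signing and the shared key are a constructed stand-in for the RS256 signature Azure AD actually issues (verified against its published keys), and the Client Id, tenant issuer and key below are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholders: a real tenant issuer and Client Id are GUID-based values from the portal.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # the ONE app registration for the API
ISSUER = "https://sts.windows.net/<tenant-id>/"        # placeholder tenant issuer
# Both regional deployments load identical validation settings: they are the same API.
REGIONAL_HOSTS = ["usapi.azurewebsites.net", "seaapi.azurewebsites.net"]


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT standing in for the token Azure AD would issue (test helper only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes, now=None) -> bool:
    """Checks every deployment performs regardless of region: signature, issuer, audience, expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False          # signature does not match the trusted issuer's key
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        return False          # issued by a different tenant
    if claims.get("aud") != CLIENT_ID:
        return False          # audience is the registration's Client Id, never a hostname
    return claims.get("exp", 0) > now


def verdict_per_region(token: str, key: bytes, now=None) -> dict:
    """Same token, same settings, same verdict on every regional host."""
    return {host: validate_token(token, key, now) for host in REGIONAL_HOSTS}
```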

  2. Anish Kumar 1 Reputation point
    2020-01-14T18:20:00.91+00:00

    Thanks @soumi-MSFT. I will work as per your comments and will update.
