How To Configure & Deploy AAD/B2C Blazor/Razor examples using bicep?

Siegfried Heintze 1,861 Reputation points

I would like to enhance the Blazor B2C Example and ASP.NET Razor B2C Example to be configured and deployed with bicep to the Azure App Service (as a Web App) with proper security as demonstrated in this keyvault/appconfig/bicep example & tutorial that I got working yesterday.

  1. Now this tutorial says that a client app ID does not need to be stored in the key vault! Is this correct for the AAD client ID? I assume the client secret needs to be stored in the key vault. Correct?
  2. So these two AAD/B2C examples (mentioned above) are particularly troublesome when it comes to configuring the scopes using the and I would love to have some scripts. What options are available? PowerShell? Az CLI? Bicep? I did not see any bicep files in the sample code. Can someone supply me with a sample bicep file that registers an AAD application and its downstream service (API), exposes the API with a scope, grants the application access to the API, and stores the client IDs and client secrets in a key vault? I'm new to bicep.
  3. So there is a lot of stuff in the appsettings.json file for these sample AAD web apps. If I'm going to use an AppConfig & Key Vault as demonstrated in the app-secrets-configuration example, is it necessary to move everything out of the appsettings.json file and into the Azure AppConfig or Azure KeyVault?

My first choice for an AAD application registration script would be Bicep or ARM... If those are not supported, how about a PowerShell or CLI script?



2022 Mar 10 Thu Evening Update:

I found part of my answer in the bicep extension for VS Code and a hint in this PowerShell script where they demo the New-AzureADApplication function. The problem is that I cannot figure out how to make the bicep extension create the bicep counterpart of New-AzureADApplication. What is the bicep counterpart?

I'm studying the PowerShell documentation for New-AzureADApplication and it is not clear how I define a scope or expose an API. How would this be done?

2022 Mar 13 Sun Update:

@cmatskas on Discord says that AAD is behind on support for PowerShell. I guess we have to use the REST API: microsoft-graph-operations? Maybe this is an example: app-registrations.ipynb?

2022 Mar 15 Tue Afternoon Update:

I'm trying to avoid creating a snowflake! If I use app-registrations.ipynb I'm guessing I can get the client secret and pass it to a bicep file as an argument and execute the bicep file immediately, and that way the client secret never gets recorded on disk or checked into a git repository... I need some help understanding how to enhance app-registrations.ipynb to fetch the client secret and then call the bicep file with the client secret as a bicep parameter.

Please see azuredeploy.bicep because I'm trying to adapt this example to my needs by adding some additional key vault secrets as bicep parameters, including the AAD client secret. I'm Bing/Google searching for specifying bicep parameters... No luck yet! ... wait! maybe this is it: azure-bicep-parameters? Hmmm... we have a PowerShell example... I'm going to try it... What about an Azure CLI example?

So when I edit azuredeploy.bicep I copy and paste lines 38-46 to make a new secret. I change lines 38 and 40 to create new names. How do I change line 44? Is "kvSecret" the name of the secret on line 75? Maybe... I'm going to try it and see if it works...

**2022 Mar 16 Wed Morning Update:**

Oops, shame on me... I cross-posted by accident yesterday. I apologize! That last question (immediately above) about copying and pasting lines 34-46 of azuredeploy.bicep is already posted in my other query. I worked on azuredeploy.bicep much of yesterday... No luck yet!


1 answer

Siva-kumar-selvaraj 15,561 Reputation points

Apologies for the delayed response.

I see you have already explored the Azure AD cmdlet way to create an app registration; wondering if you tried it with all the required parameters, for example a new app credential, and set the required API permission for resource access as shown below? Here is detailed guidance for your reference.

```powershell
# $appName, $appURI, $appHomePageUrl, $appReplyURLs, $PasswordCredential
# (a Microsoft.Open.AzureAD.Model.PasswordCredential) and $reqGraph
# (a Microsoft.Open.AzureAD.Model.RequiredResourceAccess) must be defined first.
New-AzureADApplication -DisplayName $appName -IdentifierUris $appURI -Homepage $appHomePageUrl -ReplyUrls $appReplyURLs -PasswordCredentials $PasswordCredential -RequiredResourceAccess $reqGraph
```

Once the application has been created, you can save the secret in the vault as explained below; for more details, refer to this article.

```powershell
# Wrap the secret value as a SecureString, then store it in Key Vault under the name "ExamplePassword".
# "hVFkk965BuUv" is the documentation's example value; substitute the real client secret.
$secretvalue = ConvertTo-SecureString "hVFkk965BuUv" -AsPlainText -Force

$secret = Set-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "ExamplePassword" -SecretValue $secretvalue
```
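An added end-to-end script (not from the question, the answer, or the linked samples) covering item 2 of the question and the Mar 15 update: it registers an API app that exposes one delegated scope, registers a client app that requires that scope, lets AAD generate the client secret, stores it in Key Vault, and hands it straight to azuredeploy.bicep as a secure parameter so it never sits in a parameters file. It assumes the AzureAD and Az modules with Connect-AzureAD and Connect-AzAccount already run, that azuredeploy.bicep declares `@secure() param clientSecret string` plus `clientId` and `apiClientId` string parameters, and that all names, URLs and the `access_as_user` scope are placeholders of my own choosing.

```powershell
# Assumed placeholders: change all of these for your tenant.
$apiName   = 'demo-api'
$clientApp = 'demo-blazor-client'
$vaultName = '<your-unique-keyvault-name>'
$rgName    = '<resource-group>'

# 1. API registration with one delegated scope exposed (portal: "Expose an API").
$api = New-AzureADApplication -DisplayName $apiName
$scope = New-Object Microsoft.Open.AzureAD.Model.OAuth2Permission
$scope.Id = [guid]::NewGuid().ToString()
$scope.Value = 'access_as_user'
$scope.Type = 'User'          # user-consentable; 'Admin' would require admin consent
$scope.IsEnabled = $true
$scope.AdminConsentDisplayName = "Access $apiName"
$scope.AdminConsentDescription = "Allows the app to call $apiName on behalf of the signed-in user."
$scope.UserConsentDisplayName  = $scope.AdminConsentDisplayName
$scope.UserConsentDescription  = $scope.AdminConsentDescription
$scopes = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]'
$scopes.Add($scope)
# App ID URI of the form api://<appId> is always accepted, so it is set after creation.
Set-AzureADApplication -ObjectId $api.ObjectId -IdentifierUris @("api://$($api.AppId)") -Oauth2Permissions $scopes
# A service principal must exist before any client can be granted or consent to the scope.
$null = New-AzureADServicePrincipal -AppId $api.AppId

# 2. Client registration that requires that scope as a delegated ("Scope") permission.
$access = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $scope.Id, 'Scope'
$req = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$req.ResourceAppId  = $api.AppId
$req.ResourceAccess = $access
$client = New-AzureADApplication -DisplayName $clientApp `
    -ReplyUrls @('https://localhost:5001/signin-oidc') -RequiredResourceAccess $req

# 3. Client secret: generated by AAD, held only in memory, written only to Key Vault.
$cred = New-AzureADApplicationPasswordCredential -ObjectId $client.ObjectId `
    -CustomKeyIdentifier 'bicep-deploy' -EndDate (Get-Date).AddMonths(6)
$secure = ConvertTo-SecureString $cred.Value -AsPlainText -Force
$null = Set-AzKeyVaultSecret -VaultName $vaultName -Name "$clientApp-client-secret" -SecretValue $secure

# 4. Deploy. Client IDs are not secrets and travel as plain parameters; the secret goes in as a
#    SecureString through -TemplateParameterObject, so no parameters file on disk ever holds it.
New-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile ./azuredeploy.bicep `
    -TemplateParameterObject @{
        clientId     = $client.AppId
        apiClientId  = $api.AppId
        clientSecret = $secure
    }
```

Admin consent for the scope is still a separate step (portal or New-AzureADOAuth2PermissionGrant), and the AzureAD module runs only in Windows PowerShell 5.1, so run this from there or port it to Microsoft Graph PowerShell.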