How to authenticate against AD from custom app service api code?

Roby Skariah 1 Reputation point
2020-02-05T03:25:25.32+00:00

We have a custom web service hosted on an OnPrem windows IIS server. This api when called, logs off or breaks the signed in user session(user signed in to Sharepoint online-O365), and tries to authenticate the user again, against OnPrem AD using windows authentication. User will be forced to re-enter windows AD credentials again to log back in. This is an additional layer of authentication incorporated.

Now, question is, can I migrate this Web service/api to Azure App service. I understand by changing the hosting platform to Azure app service from a windows On prem IIS server, same windows authentication cannot be done. But instead I like to know if we can do similar fashioned authentication against Azure AD. Basically an additional prompt. Rest of the functionality should remain same. What could be a foreseeable challenge here? is it straight forward? I may not need windows pop up. In this case may be Microsoft sign in page is what I am expecting.

Now, if I can authenticate same way as against OnPrem AD from the app hosted in Azure app service, I would be delighted. We already have an express route connectivity established between our OnPrem domain and Azure tenant.

Any solution or comments are helpful.

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,875 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,474 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-02-05T08:58:47.3+00:00

    @Roby Skariah , Yes, if your app uses the legacy auth protocols like Kerberos and would like to protect it with Azure AD, then you can consider using App Proxy. You can publish your On-Premises app(hosted on IIS Server) directly on App Proxy and utilize the protection of AAD as well as your onPrem AD. THis would be a better move forward without breaking your existing setup.

    Incase your app already has the code for kerberos based authentication and you want to completely migrate your app to App Services from your IIS, its not going to work Because AAD works completely on modern web protocols like OAuth2, Open ID Connect and SAML.

    Having said that, if your app doesnt have any kerberos based auth code in your app, then you can deploy you app code to App Service and use the "Easy Auth" option. When you use Easy Auth, it would redirect you to the AAD's login screen, when you access the app. Then the user enters the username and password to AAD and gets authenticated with AAD. Once authenticated AAD simply redirects the user back to the app stating that the user is authenticated.
    In this case no authorization comes into picture.

    You can read more on Easy Auth here.

    Hope this helps. Do let us know in case any more queries around this.