
Azure web app accessing SQL as user tutorial invalid for Gov

Status: Open. Aashishkebab opened this issue 1 year ago (3 comments)

The Azure tutorial for setting up a web app that impersonates the user with Microsoft Identity is both out of date (the materials it references have changed) and, more importantly, doesn't seem to work for Gov Cloud.

Gov Cloud does not have access to Cloud Shell, and the commands provided don't work.

Tutorial: https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-app-access-sql-database-as-user-dotnet?tabs=ef%2Cdotnet&tryIt=true#code-try-2

In step 4, running the command `authSettings=$(az webapp auth show --resource-group <group-name> --name <app-name>)` results in this error:

'authSettings={ id: /subscriptions/REDACTED/resourceGroups/REDACTEDGroup/providers/Microsoft.Web/sites/REDACTED/config/authsettingsV2, location: USGov' is misspelled or not recognized by the system.

The actual location is "USGov Virginia".

Note that the URIs are also different and Gov Cloud has very poor documentation compared to the normal.



Aashishkebab, Jun 01 '23 00:06

@Aashishkebab Thanks for your feedback! We will investigate and update as appropriate.

SaibabaBalapur-MSFT, Jun 01 '23 04:06

Aashishkebab, Azure Cloud Shell in Azure Government is only accessible through the Azure portal. It's documented in the doc Troubleshooting & Limitations of Azure Cloud Shell || Azure Government limitations. Thanks for your feedback

AjayKumar-MSFT, Jun 01 '23 18:06

> Aashishkebab, Azure Cloud Shell in Azure Government is only accessible through the Azure portal. It's documented in the doc Troubleshooting & Limitations of Azure Cloud Shell || Azure Government limitations. Thanks for your feedback

We use GCCH and there's no Cloud Shell in the portal that I could find. Regardless, I got it to work with PowerShell locally; I just had to change the syntax.

But I'm still having issues.

Step 4 is the relevant one and where I am stuck. It wants me to run the following commands:

```bash
authSettings=$(az webapp auth show --resource-group <group-name> --name <app-name>)
authSettings=$(echo "$authSettings" | jq '.properties' | jq '.identityProviders.azureActiveDirectory.login += {"loginParameters":["scope=openid profile email offline_access https://database.windows.net/user_impersonation"]}')
az webapp auth set --resource-group <group-name> --name <app-name> --body "$authSettings"
```

Since it's Gov Cloud, the URI is different.

The final step fails with this error:

```text
unrecognized arguments: profile email offline_access https://database.usgovcloudapi.net/user_impersonation]
      },
      registration: {
        clientId: REDACTED,
        clientSecretSettingName: MICROSOFT_PROVIDER_AUTHENTICATION_SECRET,
        openIdIssuer: https://sts.windows.net/REDACTED/v2.0
      },
      validation: {
        allowedAudiences: [
          api://REDACTED
        ],
        defaultAuthorizationPolicy: {
          allowedPrincipals: {}
        },
        jwtClaimChecks: {}
      }
    },
    facebook: {
      enabled: true,
      login: {},
      registration: {}
    },
    gitHub: {
      enabled: true,
      login: {},
      registration: {}
    },
    google: {
      enabled: true,
      login: {},
      registration: {},
      validation: {}
    },
    legacyMicrosoftAccount: {
      enabled: true,
      login: {},
      registration: {},
      validation: {}
    },
    twitter: {
      enabled: true,
      registration: {}
    }
  },
  login: {
    allowedExternalRedirectUrls: [],
    cookieExpiration: {
      convention: FixedTime,
      timeToExpiration: 08:00:00
    },
    nonce: {
      nonceExpirationInterval: 00:05:00,
      validateNonce: true
    },
    preserveUrlFragmentsForLogins: false,
    routes: {},
    tokenStore: {
      azureBlobStorage: {},
      enabled: true,
      fileSystem: {},
      tokenRefreshExtensionHours: 72
    }
  },
  platform: {
    enabled: true,
    runtimeVersion: ~1
  }
}
```

Aashishkebab, Jun 01 '23 18:06
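An added example (not code from the tutorial, the azure-docs project, or the issue author) of doing step 4 from PowerShell without passing the JSON on the command line. The error quoted above is the signature of that problem: the embedded double quotes are consumed by native-command argument parsing, the keys come out unquoted, and the body is split at whitespace so everything after the first space is handed to az as extra arguments. The script below instead parses the settings into an object, adds `loginParameters` with the SQL audience for the cloud the CLI is logged in to, and PUTs the body from a file with `az rest`, whose relative `--url` is resolved against the active cloud's ARM endpoint. Assumptions: the CLI is already logged in to the target cloud (`az cloud set --name AzureUSGovernment` for Gov), `$ResourceGroup` and `$AppName` are placeholders, and the `authsettingsV2` api-version is an assumption that may need adjusting.

```powershell
# Added example; assumes az CLI is logged in to the target cloud.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $AppName
)
$ErrorActionPreference = 'Stop'

# 1. Read the current Easy Auth v2 settings and parse them into an object.
#    az writes JSON text; in PowerShell that arrives as one string per line,
#    so join before parsing rather than carrying the JSON around as a string.
$raw = az webapp auth show --resource-group $ResourceGroup --name $AppName
if ($LASTEXITCODE -ne 0) { throw 'az webapp auth show failed' }
$auth = ($raw -join "`n") | ConvertFrom-Json

# 2. Pick the SQL audience for the cloud the CLI is targeting.
#    Azure Government uses database.usgovcloudapi.net, not database.windows.net.
$cloud = az cloud show --query name -o tsv
$sqlAudience = switch ($cloud) {
    'AzureUSGovernment' { 'https://database.usgovcloudapi.net' }
    'AzureCloud'        { 'https://database.windows.net' }
    default             { throw "Unhandled cloud '$cloud'; add its SQL audience here" }
}
$scope = "scope=openid profile email offline_access $sqlAudience/user_impersonation"

# 3. Equivalent of the tutorial's jq '.identityProviders.azureActiveDirectory.login += {...}'.
$aad = $auth.properties.identityProviders.azureActiveDirectory
if ($null -eq $aad) { throw "Microsoft identity provider is not configured on $AppName" }
if ($null -eq $aad.login) {
    $aad | Add-Member -NotePropertyName login -NotePropertyValue ([pscustomobject]@{})
}
$aad.login | Add-Member -NotePropertyName loginParameters -NotePropertyValue ([string[]]@($scope)) -Force

# 4. Write the PUT body to a BOM-less UTF-8 file and send it with az rest.
#    @file keeps the JSON off the command line, so no quote escaping is needed.
$body = [pscustomobject]@{ properties = $auth.properties } | ConvertTo-Json -Depth 32
$bodyFile = Join-Path ([IO.Path]::GetTempPath()) "authsettingsv2-$AppName.json"
[IO.File]::WriteAllText($bodyFile, $body, [Text.UTF8Encoding]::new($false))

$subscription = az account show --query id -o tsv
# api-version is an assumption; check the Microsoft.Web REST reference for your cloud.
$url = "/subscriptions/$subscription/resourceGroups/$ResourceGroup/providers/Microsoft.Web/sites/$AppName/config/authsettingsV2?api-version=2022-03-01"
az rest --method put --url $url --body "@$bodyFile" --output none
if ($LASTEXITCODE -ne 0) { throw 'PUT authsettingsV2 failed' }
Remove-Item $bodyFile

# 5. Confirm the parameter landed.
az webapp auth show --resource-group $ResourceGroup --name $AppName `
    --query 'properties.identityProviders.azureActiveDirectory.login.loginParameters' -o json
```

If you would rather keep `az webapp auth set --body` on Windows PowerShell, the same body must have its embedded quotes escaped before it is passed (`$body -replace '"', '\"'`); writing the file and using `az rest` avoids depending on that shell-specific behaviour.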

Apologies for the delay from over the weekend. Typically, the GCC-High environment has different authentication settings compared to the regular Azure environment. Please take a look at this doc: Cloud feature availability for commercial and US Government customers

The doc steps don't apply to Azure Government cloud. I would request you to file a support ticket for quick and specialized 1:1 assistance. Thanks for your understanding and cooperation.

AjayKumar-MSFT, Jun 04 '23 17:06

> Apologies for the delay from over the weekend.
>
> Typically, the GCC-High environment has different authentication settings compared to the regular Azure environment.
>
> Please take a look at this doc: Cloud feature availability for commercial and US Government customers
>
> The doc steps don't apply to Azure Government cloud. I would request you to file a support ticket for quick and specialized 1:1 assistance. Thanks for your understanding and cooperation.

Hello,

Thanks for the response. Unfortunately, support is a separate charge that's really expensive for GCCH, and it's not available for trial customers.

Aashishkebab, Jun 05 '23 02:06