mspnp
Unable to sign in when using existing app registration for authentication
Tool version 4.2.1
Describe the bug In setting up authentication for the App Service, I would like to re-use an existing App Registration rather than create a new one. However when I do this, it shows a 'We couldn't sign you in. Please try again.' error message.
To Reproduce Steps to reproduce the behavior:
- Go to App Service > Authentication >
- Click on 'Add identity provider'
- Select Microsoft
- App registration type: Pick an existing app registration in this directory
- Select the App Registration
- Click 'Add'
- Wait ~5mins
- Visit the App's URL
Expected behavior It should login and make Az Naming Tool available for use.
Screenshots
Installation Method Azure App Service deployed using Terraform. Azure Naming Tool built and deployed using Azure DevOps CI/CD pipelines.
Additional context When using the 'Create new app registration' option, it appears to work fine. If I disconnect from this app and then try to manually reconnect, it starts to fail again.
I have added the Redirect URI (https://app-appname-001.azurewebsites.net/.auth/login/aad/callback) and API scope on the App Registration so I can't see what I'm missing from the existing App Reg or why it stops working on the one which the App Service creates itself.
There are no specific aspects of the Azure Naming Tool in regards to Azure App Service authentication. The challenge you experiencing is due to your registration not being configured correctly for the App Service.
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-configuration#advanced
I usually recommend clients create a new app registration, however, an existing one works too. You just have to be sure to set all the correct settings in the registration itself. As a starting point, I would create the app registration and review all the registration settings it creates, then duplicate those within the existing registration you would like to use.
Hope this helps!
- Bryan
Have experienced this same issue, webapp deployed via tf and gitlab runner using webapp deploy cli cmd. Without Authentication App works fine, Enable Auth and we experience issues with the app and even redoing a new app registration. Our's is also priv end pointed so does DNS name resolution become an issue within the app. Noticing sign in logs are 3-4 successful logins.
@captainhook - Eventually yes we managed to get it working.
Would you mind sharing what you did to resolve it? Thanks
@Rod-Welsh Could you share how you managed to get it working? I am planning to deploy this tool in my organization.
Hi @captainhook and @ebbypeter - apologies about the slow return. The root cause I found was allowing the app registration to get the audience token from management azure - Missing allowed token audience –“ [https://management.azure.com”]. I have attached the document that was provided to me via Microsoft. https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-apply-easy-auth-on-web-app-under-a-high-security-policy-environment/4139404
Hi @captainhook and @ebbypeter - apologies about the slow return. The root cause I found was allowing the app registration to get the audience token from management azure - Missing allowed token audience –“ [https://management.azure.com”]. I have attached the document that was provided to me via Microsoft. https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-apply-easy-auth-on-web-app-under-a-high-security-policy-environment/4139404
Legend - thank you! I will give this a try and then confirm/close this issue.