Share via


Call Azure AD protected website using Managed Service Identity (MSI)

Lets say you have Web APIs hosted in an Azure AppService and these Web APIs are protected using Azure AD (EasyAuth). Now you would like to consume them from another website. One approach is using Service Principal account, where you create an Azure AD Application and use ClientID and secret in your website to get an Azure AD Token. Here are the steps. Main disadvantage of this approach is that your application is responsible to protect the ClientID and secret. You can save them in the AppSettings instead of saving it in the web.config file. Or you can use Azure Key Vault. For Key Vault, your code needs to authenticate to access Key Vault.

Better approach is Managed Identity. This option allows to access protected Azure AD resources without any need for secrets or credentials in your code or in web.config. More details on Manage Identity can be found here 

Here are the quick steps to use Managed Service Identity Azure AppService

  1. Create a Azure AppService Website and protect it with Azure AD (EasyAuth). This will be our Web API website
  2. Create another Azure AppService Website and enable Managed Service Identity. This will be our client trying to consume above Web APIs
  3. Write code to get token using Managed Identity and pass it to Web API call

1. WebAPI website with EasyAuth

  • Log into Azure portal
  • Click on the “ + Create a resource” on top left
  • In the Search textbox type “web app
  • Select “Web App
  • Click on the “Create” button
  • Provide App name, resource group name, appservice plan
  • (in my sample code this is WabacOneAD)
  • Click on “Create” button
  • Once the website is created, go to the resource
  • Click on the “Authentication / Authorization” blade
  • Enable “App Service Authentication
  • Select “Log in with Azure AD” from dropdownbox
  • Select Azure AD as provider
  • Select Express option and click OK
  • Now click on the Save button

2. Website with MSI

  • Log into Azure portal
  • Click on the “+ Create a resource” on top left
  • In the Search textbox type “web app
  • Select “Web App
  • Click on the “Create” button
  • Provide App name, resource group name, appservice plan
  • (in my sample code this is WabacOne)
  • Click on “Create” button
  • Once the website is created, go to the resource
  • Click on the “Managed service identity” blade
  • Click on “On
  • Click Save button

3. Now for the code

  • Open Visual Studio

  • Create a new Website project (either .net core or .net framework)

  • Select MVC option

  • In the Home controller, add following code to About action

    
    public ActionResult About()
    {
        ViewBag.Message = "User Name is " + User.Identity.Name; 
        return View();
    }
    
  • In the Contact action, add following code

    
    static HttpClient client = new HttpClient();
    public ActionResult Contact()
    {
        var azureServiceTokenProvider = new AzureServiceTokenProvider();
        var accessTokenTask = azureServiceTokenProvider.GetAccessTokenAsync("https://wabaconead.azurewebsites.net/"); 
    
        accessTokenTask.Wait();
        var accessToken = accessTokenTask.Result;
    
        var url = "https://wabaconead.azurewebsites.net/home/about";
        client.DefaultRequestHeaders.Authorization =  new AuthenticationHeaderValue("Bearer", accessToken);
    
        var responseTask = client.GetStringAsync(url);
        responseTask.Wait();
        var response = responseTask.Result;
    
        ViewBag.Message = "Your contact page." + accessToken + " HTML Response " + response;
    
        return View();
    }
    
  • You may need to add Microsoft.AzureServices.AppAuthentication NuGet Package

  • Now deploy this website to above two websites

  • When you access the first website, you get promoted for Azure AD credential so we are sure that this website is protected with Azure AD

  • Now try to access Home/About…this should return your email address you have used to log into Azure AD

  • Now browse to the second website, access the Home/Contact…this should call the first website and display the content. Now check for the username (search for text “User Name is”)

4. Note, there is a bug in the EasyAuth / Express options.

It doesn't add the website URL in the allowed token audiences. Follow these steps to fix this bug

  • Go to the first website in Azure portal
  • Click on the Authentication / Authorization blade
  • Click on the Azure AD
  • Change it from Express to Advanced
  • In the Allowed Token Audiences add your website URL as shown below
  • Click OK
  • Click Save

MSI