Create an app service and deploy the sample app that uses system-assigned managed identity to interact with App Config.
# Change directory to the SMI sample
cd serviceconnector-webapp-appconfig-dotnet/system-managed-identity
# Create a web app
LOCATION='eastus'
RESOURCE_GROUP_NAME='service-connector-tutorial-rg'
APP_SERVICE_NAME='webapp-appconfig-smi'
az webapp up --location $LOCATION --resource-group $RESOURCE_GROUP_NAME --name $APP_SERVICE_NAME
| Parameter | Description | Example |
|---|---|---|
| Location | Choose a location near you. Use az account list-locations --output table to list locations. | eastus |
| Resource group name | You'll use this resource group to organize all the Azure resources needed to complete this tutorial. | service-connector-tutorial-rg |
| App service name | The app service name is used as the name of the resource in Azure and to form the fully qualified domain name for your app, in the form of the server endpoint https://<app-service-name>.azurewebsites.net. This name must be unique across all of Azure, and the only allowed characters are A-Z, 0-9, and -. | webapp-appconfig-smi |
Create an app service and deploy the sample app that uses user-assigned managed identity to interact with App Config.
# Change directory to the UMI sample
cd serviceconnector-webapp-appconfig-dotnet/user-assigned-managed-identity
# Create a web app
LOCATION='eastus'
RESOURCE_GROUP_NAME='service-connector-tutorial-rg'
APP_SERVICE_NAME='webapp-appconfig-umi'
az webapp up --location $LOCATION --resource-group $RESOURCE_GROUP_NAME --name $APP_SERVICE_NAME
| Parameter | Description | Example |
|---|---|---|
| Location | Choose a location near you. Use az account list-locations --output table to list locations. | eastus |
| Resource group name | You'll use this resource group to organize all the Azure resources needed to complete this tutorial. | service-connector-tutorial-rg |
| App service name | The app service name is used as the name of the resource in Azure and to form the fully qualified domain name for your app, in the form of the server endpoint https://<app-service-name>.azurewebsites.net. This name must be unique across all of Azure, and the only allowed characters are A-Z, 0-9, and -. | webapp-appconfig-umi |
Create a user-assigned managed identity. Save the output into a temporary notepad.
az identity create --resource-group $RESOURCE_GROUP_NAME -n "myIdentity"
Create an app service and deploy the sample app that uses service principal to interact with App Config.
# Change directory to the service principal sample
cd serviceconnector-webapp-appconfig-dotnet/service-principal
# Create a web app
LOCATION='eastus'
RESOURCE_GROUP_NAME='service-connector-tutorial-rg'
APP_SERVICE_NAME='webapp-appconfig-sp'
az webapp up --location $LOCATION --resource-group $RESOURCE_GROUP_NAME --name $APP_SERVICE_NAME
| Parameter | Description | Example |
|---|---|---|
| Location | Choose a location near you. Use az account list-locations --output table to list locations. | eastus |
| Resource group name | You'll use this resource group to organize all the Azure resources needed to complete this tutorial. | service-connector-tutorial-rg |
| App service name | The app service name is used as the name of the resource in Azure and to form the fully qualified domain name for your app, in the form of the server endpoint https://<app-service-name>.azurewebsites.net. This name must be unique across all of Azure, and the only allowed characters are A-Z, 0-9, and -. | webapp-appconfig-sp |
Create a service principal. Make sure to replace yourSubscriptionID with your actual subscription ID. Save the output into a temporary notepad.
az ad sp create-for-rbac --name myServicePrincipal --role Contributor --scopes /subscriptions/{yourSubscriptionID}/resourceGroups/$RESOURCE_GROUP_NAME
Warning
Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
Create an app service and deploy the sample app that uses connection string to interact with App Config.
# Change directory to the connection string sample
cd serviceconnector-webapp-appconfig-dotnet/connection-string
# Create a web app
LOCATION='eastus'
RESOURCE_GROUP_NAME='service-connector-tutorial-rg'
APP_SERVICE_NAME='webapp-appconfig-cs'
az webapp up --location $LOCATION --resource-group $RESOURCE_GROUP_NAME --name $APP_SERVICE_NAME
| Parameter | Description | Example |
|---|---|---|
| Location | Choose a location near you. Use az account list-locations --output table to list locations. | eastus |
| Resource group name | You'll use this resource group to organize all the Azure resources needed to complete this tutorial. | service-connector-tutorial-rg |
| App service name | The app service name is used as the name of the resource in Azure and to form the fully qualified domain name for your app, in the form of the server endpoint https://<app-service-name>.azurewebsites.net. This name must be unique across all of Azure, and the only allowed characters are A-Z, 0-9, and -. | webapp-appconfig-cs |
Import the test configuration file to Azure App Configuration using a system-assigned managed identity.
Change directory into the ServiceConnectorSample folder.
Import the ./sampleconfigs.json test configuration file into the App Configuration store. If you're using Cloud Shell, upload sampleconfigs.json before running the command.
Import the test configuration file to Azure App Configuration using a user-assigned managed identity.
Change directory into the ServiceConnectorSample folder.
Import the ./sampleconfigs.json test configuration file into the App Configuration store. If you're using Cloud Shell, upload sampleconfigs.json before running the command.
Import the test configuration file to Azure App Configuration using service principal.
Change directory into the ServiceConnectorSample folder.
Import the ./sampleconfigs.json test configuration file into the App Configuration store. If you're using Cloud Shell, upload sampleconfigs.json before running the command.
Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
Import the test configuration file to Azure App Configuration using a connection string.
Change directory into the ServiceConnectorSample folder.
Import the ./sampleconfigs.json test configuration file into the App Configuration store. If you're using Cloud Shell, upload sampleconfigs.json before running the command.
Create a connection between your web application and your App Configuration store, using a system-assigned managed identity authentication. This connection is done through Service Connector.
system-identity refers to the system-assigned managed identity (SMI) authentication type. Service Connector also supports the following authentications: user-assigned managed identity (UMI), connection string (secret) and service principal.
Create a connection between your web application and your App Configuration store, using a user-assigned managed identity authentication. This connection is done through Service Connector.
user-identity refers to the user-assigned managed identity authentication type. Service Connector also supports the following authentications: system-assigned managed identity, connection string (secret) and service principal.
There are two ways you can find the client-id:
In the Azure CLI, enter az identity show -n "myIdentity" -g $RESOURCE_GROUP_NAME --query 'clientId'.
In the Azure portal, open the Managed Identity that was created earlier and in Overview, get the value under Client ID.
Create a connection between your web application and your App Configuration store, using a service principal. This is done through Service Connector.
service-principal refers to the service principal authentication type. Service Connector also supports the following authentications: system-assigned managed identity (SMI), user-assigned managed identity (UMI) and connection string (secret).
Create a connection between your web application and your App Configuration store, using a connection string. This connection is done through Service Connector.
secret refers to the connection-string authentication type. Service Connector also supports the following authentications: system-assigned managed identity, user-assigned managed identity, and service principal.
Validate the connection
To check if the connection is working, navigate to your web app at https://<myWebAppName>.azurewebsites.net/ from your browser. Once the website is up, you'll see it displaying "Hello. Your Azure WebApp is connected to App Configuration by ServiceConnector now".
How it works
Find below what Service Connector manages behind the scenes for each authentication type.
Service Connector manages the connection configuration for you:
Set up the web app's AZURE_APPCONFIGURATION_ENDPOINT to let the application access it and get the App Configuration endpoint. Access sample code.
Activate the web app's system-assigned managed authentication and grant App Configuration a Data Reader role to let the application authenticate to the App Configuration using DefaultAzureCredential from Azure.Identity. Access sample code.
Service Connector manages the connection configuration for you:
Set up the web app's AZURE_APPCONFIGURATION_ENDPOINT and AZURE_APPCONFIGURATION_CLIENTID to let the application access them and get the App Configuration endpoint in code.
Activate the web app's user-assigned managed authentication and grant App Configuration a Data Reader role to let the application authenticate to the App Configuration using DefaultAzureCredential from Azure.Identity. Access sample code.
Service Connector manages the connection configuration for you:
Set up the web app's AZURE_APPCONFIGURATION_ENDPOINT to let the application access it and get the App Configuration endpoint. Access sample code.
Save the service principal credentials to the web app's app settings AZURE_APPCONFIGURATION_CLIENTID, AZURE_APPCONFIGURATION_TENANTID, and AZURE_APPCONFIGURATION_CLIENTSECRET, and grant the App Configuration Data Reader role to the service principal, so the application can authenticate to App Configuration in code by using ClientSecretCredential from Azure.Identity.
Service Connector manages the connection configuration for you:
Set up the web app's AZURE_APPCONFIGURATION_CONNECTIONSTRING to let the application access it and get the App Configuration connection string. Access sample code.
Activate the web app's system-assigned managed authentication and grant App Configuration a Data Reader role to let the application authenticate to the App Configuration using DefaultAzureCredential from Azure.Identity. Access sample code.
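An added example, not part of the tutorial or the sample repository: a Python check that takes the app settings JSON printed by az webapp config appsettings list and reports which of the four authentication types above a web app is wired for, listing any setting that holds a credential. The classify and _export names and the sample data are constructed for illustration; only the setting names come from this page.

```python
# Setting names as listed in the "How it works" section of this page.
ENDPOINT = "AZURE_APPCONFIGURATION_ENDPOINT"
CLIENT_ID = "AZURE_APPCONFIGURATION_CLIENTID"
TENANT_ID = "AZURE_APPCONFIGURATION_TENANTID"
CLIENT_SECRET = "AZURE_APPCONFIGURATION_CLIENTSECRET"
CONN_STRING = "AZURE_APPCONFIGURATION_CONNECTIONSTRING"
SECRET_SETTINGS = {CLIENT_SECRET, CONN_STRING}


def classify(app_settings):
    """Return (auth_type, stored_secrets, findings) for one web app.

    app_settings: list of {"name": ..., "value": ...} objects, the JSON shape
    printed by `az webapp config appsettings list`. Only names are inspected,
    so the check also works on exports whose values are redacted.
    """
    names = {s["name"] for s in app_settings}
    if CLIENT_SECRET in names:
        auth = "service-principal"
    elif CONN_STRING in names:
        auth = "secret"
    elif ENDPOINT in names:
        auth = "user-identity" if CLIENT_ID in names else "system-identity"
    else:
        auth = "none"
    stored = sorted(names & SECRET_SETTINGS)
    findings = [f"credential held in app settings: {n}" for n in stored]
    if auth == "service-principal":
        missing = sorted({ENDPOINT, CLIENT_ID, TENANT_ID} - names)
        if missing:
            findings.append("service principal settings incomplete: " + ", ".join(missing))
    if CONN_STRING in names and ENDPOINT in names:
        findings.append("connection string left beside an endpoint-based connection")
    return auth, stored, findings


def _export(*names):
    # Constructed stand-in for one app's appsettings export (values are fake).
    return [{"name": n, "slotSetting": False, "value": "<constructed>"} for n in names]


SAMPLE = {
    "webapp-appconfig-smi": _export(ENDPOINT),
    "webapp-appconfig-umi": _export(ENDPOINT, CLIENT_ID),
    "webapp-appconfig-sp": _export(ENDPOINT, CLIENT_ID, CLIENT_SECRET),  # tenant ID missing
    "webapp-appconfig-cs": _export(CONN_STRING, ENDPOINT),  # endpoint left by another connection
}

if __name__ == "__main__":
    for app, settings in SAMPLE.items():
        print(app, classify(settings))
```

Apps reported as system-identity or user-identity keep no credential in their settings; the other two types store one that needs rotation and access control.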
Update the value of the key SampleApplication:Settings:Messages in the App Configuration Store.
az appconfig kv set -n <myAppConfigStoreName> --key SampleApplication:Settings:Messages --value hello --yes
Navigate to your Azure web app by going to https://<myWebAppName>.azurewebsites.net/ and refresh the page. You'll see that the message is updated to "hello".
Clean up resources
Once you're done, if you're not going to use these Azure resources any longer, delete them by running the az group delete command. This command deletes your resource group and all the resources within it.
az group delete -n <myResourceGroupName> --yes