Azure Active Directory’s hidden feature — Easy Auth

Imagine you have, for example, an ASP.NET MVC application running on App Services in Azure.

All well and good, but now you decide that this application should not be open to everyone. You only want to allow users that are in your Azure AD tenant to access it.

In other words, your users have to authenticate.

Off you go to Bing or Google and two hours later, you are hopelessly confused and your head is swimming.

You’ve found posts about WS-Federation, about SAML, about OpenID Connect and OAuth. There were references to OWIN NuGet packages, someone suggested using ADAL (Active Directory Authentication Library), your colleague did something similar back in the day with WIF (Windows Identity Foundation), and that post on Stack Overflow asked whether this was in the context of Office 365 and whether your tenant was federated with ADFS (Active Directory Federation Services).

Relax, the cavalry is heading all this off at the pass, and you can make your life much simpler by using a little-known feature of Azure AD colloquially called “Easy Auth”.

At the moment, users going to your web site see a page something like this:

They do not have to authenticate.

To turn on “Easy Auth”, in the Azure Portal, click on “App Services”.

This will display the ones you have configured.

Click on the app service you want to have authenticated.

In the settings, click on “Authentication / Authorization”.

Set the authentication to “On” and change the drop down to “Login with AAD”.

Don’t worry about the social providers for the moment.

Be sure to click the “Save” button (top left in the image above).

Now when you navigate to your application, you will be redirected to the Azure AD login screen.

This was achieved with a few clicks. There was no need to alter and re-deploy any code and no knowledge is required about any of the authentication protocols.

Hence the name “Easy Auth”.

(Technically: “Easy Auth” is implemented as a native IIS module that runs in front of your application. When enabled, every HTTP request dispatched to the IIS worker process must first pass through this module. If you are not authenticated, you get redirected.)
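
One way to confirm the setting took effect from outside the app, as an added example that is not part of the original post: the Python below requests a URL without cookies, does not follow redirects, and reports whether the answer is a redirect to an Azure AD sign-in host. The host names in `AAD_LOGIN_HOSTS`, the function names and the sample responses (including the all-zero tenant ID) are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: sign-in hosts an Azure AD login redirect may point at.
AAD_LOGIN_HOSTS = {"login.microsoftonline.com", "login.windows.net"}

def classify(status, location):
    """Classify one anonymous response, seen before any redirect is followed."""
    if status in (301, 302, 303, 307, 308) and location:
        target = urlsplit(location)
        # Exact host match over HTTPS: a lookalike such as
        # login.microsoftonline.com.example.net must not pass.
        if target.scheme == "https" and target.hostname in AAD_LOGIN_HOSTS:
            return "login-redirect"
        return "other-redirect"
    if status in (401, 403):
        return "rejected"
    if 200 <= status < 300:
        return "served-anonymously"
    return "inconclusive"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it

def probe(url, timeout=10):
    """Request url with no cookies and classify the first response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"))

def ungated(samples):
    """Return labels of responses that did not demand sign-in."""
    return [label for label, status, location in samples
            if classify(status, location) not in ("login-redirect", "rejected")]

# Constructed sample responses (not captured from a real site).
SAMPLE = [
    ("before Easy Auth", 200, None),
    ("after Easy Auth", 302, "https://login.microsoftonline.com/"
     "00000000-0000-0000-0000-000000000000/oauth2/authorize"),
    ("lookalike host", 302, "https://login.microsoftonline.com.example.net/"),
]

if __name__ == "__main__":
    print(ungated(SAMPLE))
```

Call `probe()` with the address of your own app service in a fresh session; anything other than `login-redirect` means an anonymous request was not sent to the Azure AD login screen.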