Easy Auth with Entra External ID and Azure app services
Entra External ID is also called CIAM.
The dev. blog is here.
The docs. are here.
As per the docs., you would use this when:
- “You want less code to own and manage.
- Your app’s language and SDKs don’t provide user sign-in or authorization.
- You don’t have the ability to modify your app code (for example, when migrating legacy apps).
- You need to handle authentication through configuration and not code.
Note that several identity providers are supported:
- Microsoft Entra
- Microsoft Account
- Twitter”
This is similar to the OpenAM concept of an agent, i.e. an authentication proxy between the client and the application. When the client accesses the application and hasn’t yet authenticated, the proxy redirects to the login screen. This happens outside of the application.
A common use case is an old legacy application whose code “has been lost.” Using the agent flow enables modern auth. without having to tamper with the application.
This quick start will help us create a .NET Core application and deploy it to app services using Visual Studio with .NET 8.0.
Note that we set the “Authentication type” to None. The agent will handle the authentication.
Build the app. and run it:
Notice that we didn’t have to authenticate, and there is no “Sign In” button.
Right-click the project and publish it; you should then see the same screen served from the deployed site:
easyauthnetcorexxx.azurewebsites.net
In the resource group you selected when you deployed the application, find your app name and click it.
Under Settings / Authentication, select “Add identity provider”:
Select “Microsoft”:
Then select “External configuration” (as we are doing this for Entra External ID), select “Create new app registration”, and select the CIAM tenant you want to handle the authentication.
Then “Configure”.
We are now on the same screens as when we configure Entra External ID.
First, we select an existing user flow (or you can create a new one).
Then select the look and feel of the UI:
Then configure the extra requirements and click “Add”:
You will then see a summary page:
This should now have created an app. registration in your CIAM tenant.
Check that “Accounts in this organisational directory only” is selected.
Also note that in our CIAM tenant, the new application has been added to the applications of the sign-up and sign-in (SUSI) user flow:
Now, when we refresh the app. service application, we see a login screen:
We enter the password, and we are back to the app. home page 😃
The app still does not have a log-in button, which shows that it has not been altered and the agent handled the authentication.
We did not have to add any code or use one of the MSAL libraries.
Everything was done via configuration.
It’s called Easy Auth for a reason 😆
All good!
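Although the app needed no code, the agent does hand the signed-in identity to the app in request headers (X-MS-CLIENT-PRINCIPAL, X-MS-CLIENT-PRINCIPAL-NAME, X-MS-CLIENT-PRINCIPAL-IDP, as documented for App Service authentication). The following is an added example, not code from the post or from Azure, showing how an app would decode that header; the principal values and the header lookup helper are constructed for illustration.

```python
import base64
import json

# Header names the App Service authentication module (Easy Auth) adds to the
# requests it forwards to the app, per the Azure App Service docs.
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL"
PRINCIPAL_NAME_HEADER = "X-MS-CLIENT-PRINCIPAL-NAME"
PRINCIPAL_IDP_HEADER = "X-MS-CLIENT-PRINCIPAL-IDP"

# Constructed sample of what X-MS-CLIENT-PRINCIPAL decodes to for a user who
# signed in through the CIAM user flow. Every value here is made up.
_SAMPLE_PRINCIPAL = {
    "auth_typ": "aad",
    "claims": [
        {"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "val": "alice@example.com"},
        {"typ": "http://schemas.microsoft.com/identity/claims/objectidentifier", "val": "00000000-0000-0000-0000-000000000001"},
        {"typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "val": "reader"},
    ],
    "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
SAMPLE_HEADERS = {
    PRINCIPAL_HEADER: base64.b64encode(json.dumps(_SAMPLE_PRINCIPAL).encode()).decode(),
    PRINCIPAL_NAME_HEADER: "alice@example.com",
    PRINCIPAL_IDP_HEADER: "aad",
}


def decode_client_principal(headers):
    """Return (name, roles) from the Easy Auth principal header, or None if it is absent or malformed.

    The header is base64-encoded JSON; name_typ and role_typ tell us which claim
    types carry the display name and the roles.
    """
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(PRINCIPAL_HEADER.lower())
    if not raw:
        return None
    try:
        principal = json.loads(base64.b64decode(raw))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    if not isinstance(principal, dict):
        return None
    name_typ = principal.get("name_typ")
    role_typ = principal.get("role_typ")
    claims = principal.get("claims", [])
    name = next((c.get("val") for c in claims if c.get("typ") == name_typ), None)
    roles = [c.get("val") for c in claims if c.get("typ") == role_typ]
    return name, roles
```

The authentication module strips any copies of these headers that a client sends, so they can be trusted only while Easy Auth is enabled in front of the app; if the app is ever reachable without it, they are client-controlled and must not be used for authorisation.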