| Page Type | Languages & Frameworks | Services |
|---|---|---|
| Sample | PowerShell, C#, JavaScript, ASP.NET | Virtual Machine, Key Vault, Active Directory |
This sample codebase demonstrates how to host a web application on an Azure Virtual Machine and authenticate users to it using Azure Active Directory via an app registration.
- Azure PowerShell (for setting up infrastructure via a script)
The core infrastructure needs to be set up before an application can be published and registered with AD services.
1. To begin, replace the variables with your desired resource names and run the commands in the script found at `infra/config.ps1`. The script contains Azure PowerShell commands that set up a resource group, key vault, and virtual machine. Additional commands create a self-signed certificate, load it into the Key Vault, and install IIS on the VM.
   - This script closely follows the commands laid out in this tutorial.
   - Please note that the cloud infrastructure can be manually provisioned in the Azure Portal; using `infra/config.ps1` is completely optional.
   - You may implement your preferred web server technology - this sample uses IIS throughout.
2. Create a rule in the Network Security Group (which was automatically created with the VM in Step 1) to allow inbound traffic on Port 443 (HTTPS).
3. Get the fully qualified domain name (FQDN) of the VM you just set up - you'll use it in the upcoming steps.
Once the resources have been provisioned, the application and authentication solution can be set up.
1. Create an App Registration.
2. Add the FQDN of the VM as a Redirect URI in the newly created app registration.
3. On the Quickstart blade, download the quickstart codebase that aligns to your requirements.
   - This project leverages the ASP.NET framework. Codebases for other frameworks (e.g., Java, Node, etc.) are available.
   - The application settings of the quickstart codebase will be preconfigured to reference the credentials of the app registration you created, which the app code will use to authenticate via Azure AD. If you leverage the code in this repository, you will need to update the `ClientId` in the `app/AppModelv2-WebApp-OpenIDConnect-DotNet/Web.config` file.
4. Install the codebase's dependencies and publish the codebase on the VM.
   - This may be done by setting up a development environment on the VM, or through a more advanced DevOps setup.
5. Serve the application via a web server technology (this project uses IIS).
   - In IIS, a new website should be created and pointed to the root directory of the application published in Step 4.
   - Create an SSL binding by adding the self-signed certificate generated above to the new website you just created. The hostname should be set as the FQDN of the VM.
   - You may need to grant permissions to the IIS_IUSR user to access public areas of the website.
6. Test the application by navigating to `https://<FQDN of your VM>`. If you used a self-signed certificate, you'll need to accept the security warning.
- To restrict application access and further improve security, you may consider implementing additional measures such as:
  - Adding restriction rules on the Network Security Group (e.g., to the IP range of your corporate VPN).
  - Implementing a Web Application Firewall via App Gateway or Azure Front Door to protect against exploits and vulnerabilities.
  - Implementing user-defined routes (UDR) and a Network Virtual Appliance to regulate traffic.
- If using RDP to log into the VM from your local computer, you will need to create a Network Security Group rule to allow inbound traffic on Port 3389. This exposes your VM to the public. To connect to your VM using a more secure method, use Azure Bastion.
- You may set up further security and stability measures on the VM, including configuring Azure Backup, installing an endpoint protection solution on the VM, and encrypting disks.
- Note that this sample codebase uses a self-signed public certificate - these certificates work well for testing in place of a CA-signed certificate. Self-signed public certificates are not trusted by default, can be difficult to maintain, and may use outdated hash and cipher suites that may not be strong. Purchasing and using a certificate signed by a well-known certificate authority is the recommended practice outside of testing environments.
- While the general premise will be compatible no matter which framework you use, the details of "Publishing the Application" may differ slightly if a framework other than ASP.NET is chosen.
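The following Azure PowerShell snippet is an added example, not part of this repository's `infra/config.ps1`. It performs infrastructure Steps 2 and 3 above (the HTTPS rule on the VM's Network Security Group and retrieval of the FQDN) and applies the restriction suggested in the considerations list by scoping the rule to a corporate VPN range instead of any source. The resource group, NSG and public IP names and the VPN range are assumed placeholders; it expects the Az module and an existing `Connect-AzAccount` session.

```powershell
# Added example: restrict inbound HTTPS on the sample VM's NSG and read back the FQDN.
# Assumptions: Az module installed, Connect-AzAccount already run, and the names below
# match the resources created by your run of infra/config.ps1.
$resourceGroup = "rg-iis-aad-sample"   # assumed: resource group from Step 1
$nsgName       = "vm-iis-aad-nsg"      # assumed: NSG created alongside the VM in Step 1
$publicIpName  = "vm-iis-aad-ip"       # assumed: public IP attached to the VM
$allowedSource = "203.0.113.0/24"      # constructed: replace with your corporate VPN range

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Step 2, hardened: allow TCP/443 only, and only from the trusted range rather than "*".
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-HTTPS-From-VPN" `
    -Description "Inbound HTTPS to IIS from the corporate VPN range only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
    -SourceAddressPrefix $allowedSource -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 443 | Out-Null

# Deliberately no rule for TCP/3389: manage the VM through Azure Bastion instead of public RDP.

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Check: list every inbound Allow rule so any unexpected exposure (e.g. 3389, or a "*" source) is visible.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize

# Step 3: the FQDN used for the app registration's Redirect URI and the IIS SSL binding hostname.
$fqdn = (Get-AzPublicIpAddress -Name $publicIpName -ResourceGroupName $resourceGroup).DnsSettings.Fqdn
"Redirect URI to register: https://$fqdn/"
```

If the VM was created without a DNS label on its public IP, `DnsSettings.Fqdn` will be empty; set a label on the public IP in the portal or with `Set-AzPublicIpAddress` before relying on it.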
- Set up IIS on Windows Virtual Machine
- Create a self-signed public certificate to authenticate your application
- Register an app in the Microsoft identity platform
- Sign in users in web apps using the auth code flow
- Secure a web server on a Windows virtual machine in Azure with TLS/SSL certificates stored in Key Vault
- Windows IIS Integration with Azure AD
- Add sign-in to Microsoft to an ASP.NET web app