Configuring Multi-Tenant Authentication in Azure App Services (2024)

At the heart of this process lies Azure, a cloud-based identity and access management system. Key concepts to understand:

Tenants: A tenant in Azure Entra ID represents an organization. Each organization usually has its own dedicated tenant.
Users: Individual accounts reside within a tenant, representing employees, guests, etc.
Applications: Software services like your web app need to be registered in Azure Entra ID for it to manage their access and authentication.
Permissions: These define what actions your app can perform on behalf of a signed-in user (e.g., reading their profile, accessing files).

Single-Tenant: Apps designed for users within a single organization. Only users from the same Azure Entra ID tenant as the app can access it.
Multi-Tenant: Apps accessible by users across multiple Azure Entra ID tenants, broadening your app’s potential user base.

Every app interacting with Azure AD needs to be registered.

Once registered, you’ll need the following from your app’s overview page:

Application (Client) ID: A unique identifier for your app.
Directory (Tenant) ID: Identifies the Azure AD tenant where your app is registered.

You’ll need an App Service Plan and an App Service Web App. The transcript nicely details this, but I’ll summarise the key points:

Create App Service Plan: Choose your resource group, operating system (Windows or Linux), and region.
Create App Service Web App: Give your app a name (this becomes part of the URL), select your App Service Plan, and configure the runtime stack.

Recommended by LinkedIn

Securing APIs with Azure Active Directory Mohammad Tarem 1 year ago

Azure Active Directory Kajal Kiran 1 year ago

Configuring Active Directory authentication over SMB… Toby Skerritt 4 years ago

Identity Provider: Select “Azure Active Directory”.
App Registration: Choose “Pick an existing app registration in the directory” and select the app you registered in Step 1.
Authentication Actions: Configure how your app should handle users who haven’t signed in. For most cases, “Restrict access” with the “Require authentication” option is ideal.

Azure AD needs to know where to send users after authentication:

Back to Azure AD: Go to “App Registrations” and find your app.
Authentication: Select “Authentication” under “Manage”.
Add a Platform: Click “+ Add a platform” and choose “Web”.
Redirect URI: Paste the base URL of your App Service Web App, followed by /.auth/login/aad/callback (Example: https://demo-app-multitenant.azurewebsites.net/.auth/login/aad/callback).
Implicit Grant: Select “ID tokens” only.
Configure: Click “Configure” to save the redirect URI.

Step 6: Understanding the Client Secret (Optional)

Azure automatically generates a secret for your app and it’s visible in two places:

App Registrations -> Certificates & Secrets: View and manage the secret.
App Service -> Configuration -> Application Settings: Automatically stored under the setting name “Microsoft_Provider_Authentication_Secret”.

It’s Time to Test!

Incognito/Private Window: Open a private browsing window in your browser.
App URL: Paste your app’s URL.
Login: You should be redirected to a Microsoft login page and prompted to sign in with an account from a different Azure AD tenant than the one where the app is registered.
Consent: Users might be prompted to consent to your app accessing their information.

Troubleshooting: “Reply URL does not match…”

If you get this error, double-check your redirect URI settings in Azure Entra ID. Ensure it’s exactly as described in Step 5.

Beyond the Basics

Permissions: Explore API permissions in Azure Entra ID to fine-tune what your app can do on behalf of users.
Custom Domains: For a more branded experience, you can add a custom domain name to your App Service.