Tags: azure-active-directory, visual-studio-2019, connected-services

Adding Azure AD connected service overwrites Redirect URIs in AAD Portal


I have registered an application in Azure AD (aad.portal.azure.com). I'd like to use this app registration for authentication using OpenID Connect for several web apps with different hostnames. I can configure several redirect URIs in the portal.

When I create a new project in Visual Studio 2019 and use the Add Connected Services wizard, it asks me to specify whether to create a new Azure AD application (this option is not allowed by our AAD administrators, but I don't want to do it anyway) or to use settings from an existing AAD application.

The problem is that whatever Redirect URI I specify here, when I save the connected service configuration, Visual Studio writes that Redirect URI back to the AAD portal and removes any Redirect URIs I already specified there.

I don't want Visual Studio to do this. Is there any way to suppress this overwrite behavior, maybe a setting in Visual Studio? Otherwise, every time I create a new Visual Studio solution and run the wizard, I'll need to recreate all of the URIs that were there previously.

If it makes a difference, the project type is .NET 5 (Current) MVC.

Thanks.


Solution

  • I didn't find an official document about this behavior but it does exist.

    First of all, what we need to know is that, although we can use one app registration for multiple applications/projects, it's not recommended to do so, because according to the principle of least privilege we should give different permissions to different applications instead of giving all permissions to all applications.

    The Visual Studio Add Connected Service feature follows this principle by default: one app registration is applied to one application. So it removes the other redirect URLs and puts the one you specified into the app registration.

    There is a workaround to set the redirect URL, which only requires you to do a small manual operation.

    Leave the Redirect URL empty when adding the Connected Service. It will use the project's SSL URL (e.g. https://localhost:44372/signin-oidc) as the redirect URL in your project and won't remove the redirect URLs in the app registration.

    Then open Add Connected Service again and modify the Redirect URL to what you want, for example: https://localhost:47800/signin-oidc. After that, don't forget to add https://localhost:47800/signin-oidc to the app registration manually.

    It will save much more time than recreating all of the URIs that were there previously.

    UPDATE:

    Try to make the change directly in launchUrl under the launchUrlSettings.json file. And please note the real redirect URL is this launchUrl + CallbackPath (under the appsettings.json file). So you need to modify CallbackPath as well. This won't update the portal.
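A pre-flight check for the manual route described in the update, added here as an example and not part of the original answer: it derives the redirect URI the project will actually send (HTTPS base URL from launchSettings.json plus AzureAd:CallbackPath from appsettings.json) and reports any that are not in the app registration's redirect URI list, so you can see what to add by hand before or after running the wizard. The two file contents, the profile names and the registered list are constructed samples.

```python
import json

# Constructed sample of a VS-generated launchSettings.json (not taken from the page).
LAUNCH_SETTINGS = json.loads("""{
  "iisSettings": {"iisExpress": {"applicationUrl": "http://localhost:12345", "sslPort": 44372}},
  "profiles": {
    "IIS Express": {"commandName": "IISExpress"},
    "MyWebApp": {"commandName": "Project",
                 "applicationUrl": "https://localhost:5001;http://localhost:5000"}
  }
}""")

# Constructed sample appsettings.json; the wizard writes the AzureAd section.
APP_SETTINGS = json.loads("""{
  "AzureAd": {"Instance": "https://login.microsoftonline.com/",
              "TenantId": "<tenant-id-placeholder>", "ClientId": "<client-id-placeholder>",
              "CallbackPath": "/signin-oidc"}
}""")

def base_urls(launch_settings):
    """Map each launch profile to the HTTPS base URL it listens on (OIDC redirects need https)."""
    urls = {}
    iis = launch_settings.get("iisSettings", {}).get("iisExpress", {})
    for name, profile in launch_settings.get("profiles", {}).items():
        if profile.get("commandName") == "IISExpress" and "sslPort" in iis:
            urls[name] = f"https://localhost:{iis['sslPort']}"
        elif profile.get("commandName") == "Project":
            https = [u for u in profile.get("applicationUrl", "").split(";")
                     if u.startswith("https://")]
            if https:
                urls[name] = https[0]
    return urls

def effective_redirect_uri(base_url, app_settings):
    """Redirect URI actually sent to AAD: base URL + AzureAd:CallbackPath (default /signin-oidc)."""
    callback = app_settings.get("AzureAd", {}).get("CallbackPath", "/signin-oidc")
    return base_url.rstrip("/") + "/" + callback.lstrip("/")

def missing_redirect_uris(launch_settings, app_settings, registered):
    """URIs the project will use that are absent from the registration (AAD requires an exact match)."""
    wanted = {effective_redirect_uri(b, app_settings) for b in base_urls(launch_settings).values()}
    return sorted(wanted - set(registered))

# Constructed list standing in for the app registration's web redirect URIs.
REGISTERED = ["https://localhost:44372/signin-oidc", "https://app1.contoso.example/signin-oidc"]

if __name__ == "__main__":
    for uri in missing_redirect_uris(LAUNCH_SETTINGS, APP_SETTINGS, REGISTERED):
        print("not registered:", uri)
```

Run it against the real launchSettings.json and appsettings.json of a project and the redirect URI list copied from the portal; an empty result means the wizard's choice and your manual edits line up with the registration.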