I have created an App Service with Microsoft Authentication (Entra ID) in Azure. So while trying to browse the app, I am directly getting this: "You do not have permission to view this directory or page." Now if I generate an OAuth 2.0 token in Postman and access the app, it is working. Now the question is:
- Is it possible to set up the App Service so that it will automatically prompt for login while browsing rather than showing "You do not have permission to view this directory or page"?
Yes, it is possible to set up an automatic login prompt for Azure App Service.
After creating an Azure Web App in Azure, navigate to Settings -> Authentication -> Add Identity Provider.
I selected Microsoft as Identity Provider.
I used the Workforce configuration for the current tenant.
In App registration type I selected "Create new app registration", and the supported account type is "Current tenant - single tenant".
After selecting the required fields, I clicked the Add button.
It successfully added the identity provider to the Azure Web App as shown below.
After browsing the Azure Web App URL, I was prompted with a page requesting permission for the app registration.
After successful login I am redirected to my web page.
Is it possible to access the App Service via this token without user login, like OAuth?
Yes, it is possible to access the App Service via an access token without user login.
Thank you @Intelli Tech for clear explanation.
I added an App role to my App registration as shown below.
I created a new App registration and added the above App role to its API permissions.
Go to API permissions -> Add a permission -> My APIs -> Azure web app App registration -> Application permissions -> Role -> Add permissions.
Make sure to grant admin consent for the App role.
In Postman or the VS Code Thunder Client extension I pass the below values to get the access token.
In the scope, the client ID should be the Azure web app's client ID.
POST: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
grant_type=client_credentials
client_id={client-app-id}
client_secret={client-secret}
scope=api://{AzureWebApp-api-client-id}/.default
I used the access token above and was able to authenticate.
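The client-credentials request described in the answer above, as an added example that is not part of the original post: it builds the token request with the App Service's app registration as the scope, and then inspects the returned token's aud and roles claims so that a missing admin consent (no roles claim) or a wrong scope (wrong aud) is caught before the App Service rejects the call. The GUIDs, the role name App.Access and the sample token are constructed placeholders; signature verification is left to App Service, which performs it on every request.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholder identifiers (not from the original post).
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_APP_ID = "00000000-0000-0000-0000-000000000002"        # calling app registration
WEB_APP_API_CLIENT_ID = "00000000-0000-0000-0000-000000000003"  # App Service's app registration


def build_token_request(tenant_id, client_id, client_secret, api_client_id):
    """Return (url, form body) for the client_credentials request shown in the answer."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # Scope names the App Service's app registration, not the caller's.
        "scope": f"api://{api_client_id}/.default",
    }
    return url, form


def request_token(tenant_id, client_id, client_secret, api_client_id):
    """POST the request and return the access_token (needs network access to Entra ID)."""
    url, form = build_token_request(tenant_id, client_id, client_secret, api_client_id)
    body = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST")) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload):
    """Build an unsigned, constructed JWT for offline testing only (not a real token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


def check_token_claims(token, api_client_id, required_role):
    """Inspect the JWT payload (no signature check here) for the claims Easy Auth expects."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    accepted_aud = {api_client_id, f"api://{api_client_id}"}  # assumption: either form is issued
    aud_ok = payload.get("aud") in accepted_aud
    # Without admin consent for the App role, the token carries no "roles" claim at all.
    role_ok = required_role in payload.get("roles", [])
    return {"aud_ok": aud_ok, "role_ok": role_ok}
```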