Protect Azure container/VM using Azure AD login (Office 365) using configuration only?

  • Question

  • Hi,

    We have some containers and virtual machines in our Azure tenant, and we would like to add some login requirements for some of them, using Azure AD login (Office 365). We already have the Azure AD up and running, and we use it for many services. But we would like to add this login requirement in Azure using configuration only, and no custom code. Is that possible?

    For example, let's say that one of the containers serves the website www.mycontainerwebsite.com, and we would like to block access to www.mycontainerwebsite.com/secret/ so that it is only accessible for users in our AD. If the user is not logged in, he should be redirected to login.microsoftonline.com (or similar), and only after a successful login should he be able to access that page.

    I know that it is possible to add logic to the website itself, because I have built it before, for an old site. It checks the login and performs the redirect if needed. But that site was hosted outside of Azure. Now the websites are hosted inside Azure, so I'm thinking that this feature should be available using only simple configuration in the Azure admin GUI itself, without any custom code needed. In my mind, I should only need to configure the URLs (maybe using regex), which Azure AD (or Azure AD App) to use, and possibly which user group the user must belong to.

    /J
    Monday, September 9, 2019 2:09 PM

Answers

  • As far as I can understand from your query, I do not think this is possible within Azure using any product. I think what you require is a reverse-proxy-like feature which is capable of both authentication and authorization; however, I do not think we have anything available using just Azure configuration. If you use the details I provided earlier, you may have to make some changes in the configuration. We have a product called Azure Application Gateway; however, I do not think it has an authentication part built in as per the expectations of your use case.

    Or it may be possible by creating some custom solution using Nginx as a reverse proxy and the nginx auth module, but I am not sure how to configure it as I have never done this. This is all theoretical, which I can think of as per my knowledge. This will need to be tested properly by some nginx expert before it can be implemented in production. If this works, then you can place a VM with nginx in front of your application in Azure and you won't have to modify any code in your app. I am not sure if the nginx auth module has the capability of handling the OAuth protocol, because Azure AD authentication works on the OAuth protocol.

    Hope this clarifies your query. Please let me know in case you have any further questions on this and we will try to help you further.

    Thank you. 


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!


    Friday, September 13, 2019 12:07 PM
    Moderator

All replies

  • Hello Name436

    Thank you for your query. From your query in the first section, I understand that you want to use Azure AD as an identity provider for your application hosted on the Azure container/VM. Yes, it is possible.

    I believe in order to secure the website/web application (www.mycontainerwebsite.com) you would have to first add this website as a non-gallery web application within Azure AD and then assign users to the same. This will be added as a non-gallery application since it's a custom application created by your company. Once done, you can assign users or groups who will have access to this application. After this you can choose a sign-in method where you can specify how you would like to set up authentication for the users. In some cases you may have to modify your application code, and the configuration may not necessarily be completely Azure Admin GUI based. You can check out the linked articles and some of the following for examples on application registration/development with Azure AD.

    https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-webapp

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-overview

    Hope the information helps. Please let us know in case you have any further queries.

    Thank you. 


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!

    Wednesday, September 11, 2019 4:52 AM
    Moderator
  • Hi Shashi,

    Well, the identity provider feature is nice, but not the main requirement that I'm after. I am looking for something more like a gatekeeper or firewall, in that it should only allow access for logged-in users, and it should handle the redirect if the user needs to log in. So any application behind it should not have to worry about that, and should not need to have any code related to that.

    As far as I can tell, your suggested links require that our application handles some of this logic (using code), or that it is in some other way "aware" of this process. This I already know how to do, but it is not what I'm looking for here. I'm looking for something that can protect any kind of application over HTTP, be it a custom Node server, an nginx server, an Apache server, etc., without any modification in the application code or config.

    To explain a bit further what I want to achieve, we can compare with the network security rules that we can add to a virtual machine in Azure. There we can specify that a request is allowed access to this VM over port 22 (for example), when the request comes from a specific IP. We want this, but in more general terms: not only for a VM, and instead of a certain port number we want to specify a URL regex, and instead of an IP number we want to specify "logged-in user, belonging to user group X in our AD".

    Is this possible, using only Azure configuration?
    Wednesday, September 11, 2019 9:04 AM
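The gate described in this thread (the reverse proxy plus auth module suggested in the accepted answer, and the "URL regex plus AD group" rule model in the reply above) can be sketched in working code. The following is an added example, not code from the thread, from Microsoft or from nginx: a small Python auth-decision service meant to sit behind nginx's `auth_request` directive, so that nginx only proxies to the unmodified application when this service answers 200. The placeholder values (`<tenant-id>`, `<client-id>`, `<group-object-id>`), the callback path, the `X-Original-URI` and `X-Login-Redirect` header names, the cookie format and the session key are all assumptions; the only fixed external detail is the shape of Azure AD's v2.0 `/oauth2/v2.0/authorize` endpoint.

```python
"""Auth-decision service for a reverse-proxy gate (added example, not from the thread).

Sits behind an nginx `auth_request` location: nginx asks this service whether the
original request may pass and proxies to the application only on 200. Placeholder
and constructed values are marked as such."""
import base64
import hashlib
import hmac
import http.cookies
import json
import re
import time
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Placeholders: substitute your tenant id, app registration id and callback URI.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<client-id>"
REDIRECT_URI = "https://www.mycontainerwebsite.com/_auth/callback"  # assumed callback path
SESSION_KEY = b"constructed-demo-key-rotate-me"  # constructed; use a random key in practice
COOKIE_NAME = "gate_session"

# Protection rules: (path regex, required Azure AD group object id); first match wins.
# Paths matching no rule are passed through without authentication.
RULES = [
    (re.compile(r"^/secret(/|$)"), "<group-object-id>"),
]


def sign_session(claims: dict, key: bytes = SESSION_KEY) -> str:
    """Build a cookie value: base64url(JSON claims) + '.' + HMAC-SHA256 tag.
    In a real deployment the OIDC callback handler issues this only after it has
    validated the id_token returned by login.microsoftonline.com."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":")).encode()).rstrip(b"=")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"


def verify_session(cookie: Optional[str], key: bytes = SESSION_KEY,
                   now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the cookie is authentic and unexpired, else None."""
    if not cookie or "." not in cookie:
        return None
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag comparison
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, json.JSONDecodeError):
        return None
    current = now if now is not None else time.time()
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None
    return claims


def authorize(path: str, claims: Optional[dict], rules=RULES) -> str:
    """'allow'     : unprotected path, or a signed-in user in the required group
       'login'     : protected path without a valid session -> redirect to Azure AD
       'forbidden' : signed in, but not a member of the required group"""
    for pattern, group in rules:
        if pattern.search(path):
            if claims is None:
                return "login"
            return "allow" if group in claims.get("groups", []) else "forbidden"
    return "allow"


def login_redirect_url(original_path: str) -> str:
    """Azure AD v2.0 authorization-code request. `state` carries the original path so
    the callback can send the user back; bind it to a nonce cookie too in production."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": base64.urlsafe_b64encode(original_path.encode()).decode(),
    }
    return (f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?"
            + urllib.parse.urlencode(params))


class AuthGate(BaseHTTPRequestHandler):
    """auth_request endpoint: 200 = proxy to app, 401 = send to login, 403 = deny."""

    def do_GET(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        cookie = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        # Assumes nginx forwards the original URI: proxy_set_header X-Original-URI $request_uri
        path = self.headers.get("X-Original-URI", self.path)
        decision = authorize(path, verify_session(cookie))
        self.send_response({"allow": 200, "login": 401, "forbidden": 403}[decision])
        if decision == "login":
            # nginx can capture this with auth_request_set and return it as a 302 Location
            self.send_header("X-Login-Redirect", login_redirect_url(path))
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), AuthGate).serve_forever()
```

The application behind the proxy never sees the login flow: nginx issues the subrequest to this service for every request, passes matching traffic through on 200, and on 401 turns the assumed `X-Login-Redirect` header into a 302 to login.microsoftonline.com (with `auth_request_set` and an `error_page 401` handler). The code that exchanges the returned authorization code for an id_token, validates it and sets the cookie is the OIDC callback, which is deliberately out of scope here; what the example shows is the rule evaluation and session check that make the gate work for any HTTP application, as asked in the question.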
  • OK. Thanks for the input. I'm marking it as the answer for now, maybe someone else has some other answer at a later stage. :)
    Friday, September 13, 2019 1:58 PM
  • Thank you. :)

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!

    Monday, September 16, 2019 6:28 AM
    Moderator