Why does setting up AAD authentication require creating two AAD applications?

Answers

  • The two AAD applications are not required, but are prescribed as a best practice.
    The first AAD application is to secure your Web API.
    The second AAD application is to secure the Custom API, which is a “proxy” that is created in the Flow / PowerApps ecosystem. The second AAD app gives you an abstraction layer between direct access to your Web API and a user accessing your API through PowerApps / Flow.

    “And the second AAD application has a Reply URL of https://msmanaged-na.consent.azure-apim.net/redirect. Whose is that URL and what does that application do?”

    The redirect URL points to the secure token store managed by the Flow/PowerApps ecosystem. The tokens are used by PowerApps and Flow to make on-behalf-of calls, on behalf of the user, to the underlying service (in this case your Web API).

    • If you used the same AAD application to secure the Custom API as your App Service:
      - Theoretically, the Flow/PowerApps ecosystem can access your service as any user without requiring consent.
      - It would also be difficult to tell the difference between an actual user making a request and a request being made on behalf of a user via an application.
      - If your Custom API was ever compromised, you would have to reset the AAD app for all the users of your service, as opposed to revoking/blacklisting the compromised AAD application securing the Custom API.
      - You can also define and grant a subset of scopes with the two-AAD-app model. For example, all users calling the Web API via the Custom API can only perform read operations.

    Thursday, May 04, 2017 2:23 AM
    Moderator
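One way a Web API can act on the distinctions the answer draws (which application obtained the token, revoking a compromised client app without resetting the Web API's own app, and holding the proxy to a read-only subset of scopes), written as an added example that is not part of the original thread. The claim names are those of Azure AD access tokens; the app IDs and scope names are constructed, and the code assumes the token's signature, issuer and expiry were already validated by the hosting platform (for example App Service authentication).

```python
"""Authorization policy for a Web API fronted by a PowerApps/Flow Custom API.

Works on already-validated JWT claims (signature/issuer/expiry checked
upstream). Azure AD claim names used: "aud" (audience), "appid" (v1.0
tokens) or "azp" (v2.0 tokens) for the client application that obtained
the token, "scp" for delegated scopes, "oid" for the user's object ID.
All IDs and scope names below are constructed for the example.
"""

WEB_API_APP_ID = "11111111-1111-1111-1111-111111111111"     # constructed
CUSTOM_API_APP_ID = "22222222-2222-2222-2222-222222222222"  # constructed
REVOKED_APP_IDS = set()   # client apps blocked after a compromise

READ_METHODS = {"GET", "HEAD", "OPTIONS"}
# The proxy app is only ever granted the read scope on the Web API.
PROXY_ALLOWED_SCOPES = {"Api.Read"}


def caller_app(claims):
    """Return the application ID of the client that obtained the token."""
    return claims.get("azp") or claims.get("appid")


def revoke_app(app_id):
    """Block one client app; the Web API's own app registration is untouched."""
    REVOKED_APP_IDS.add(app_id)


def authorize(claims, method):
    """Return (allowed, reason); the caller maps False to a 401/403."""
    if claims.get("aud") != WEB_API_APP_ID:
        return False, "token was not issued for this Web API"
    app = caller_app(claims)
    if app is None:
        return False, "token carries no client application claim"
    if app in REVOKED_APP_IDS:
        return False, f"client app {app} is revoked"
    scopes = set(claims.get("scp", "").split())
    user = claims.get("oid", "<unknown>")
    if app == CUSTOM_API_APP_ID:
        # Request arrived through the PowerApps/Flow proxy on behalf of a
        # user: distinguishable from a direct call, and limited to reads.
        if method.upper() not in READ_METHODS:
            return False, "proxy callers are read-only"
        if not scopes & PROXY_ALLOWED_SCOPES:
            return False, "proxy token lacks a read scope"
        return True, f"proxy read on behalf of user {user}"
    # Direct caller: the scope required depends on the HTTP method.
    needed = "Api.Read" if method.upper() in READ_METHODS else "Api.Write"
    if needed in scopes:
        return True, f"direct {needed} by user {user}"
    return False, f"missing scope {needed}"
```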

All replies

  • Thank you very much Sadiqh Ahmed for the detailed answer and clarifying the confusion I had.

    It has really saved my time. Thank you again!

    Best Regards,

    Dipti Chhatrapati

    Thursday, May 04, 2017 5:44 AM