Erik A. Brandstadmoen

Reputation: 10588

Azure "Enable AD Authentication" with deployment slots

I have an Azure WebApp and have activated "Active Directory Authentication" in the Azure Preview Portal. Let's call it https://mysite.azurewebsites.net (not a real URL). This works as expected. However, when we add a deployment slot, we can't get authentication to work properly. When accessing the staged WebApp, e.g. https://mysite-staging.azurewebsites.net (not a real URL), we get redirected to

https://login.microsoftonline.com/<our-directory-guid>/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmysite-staging.azurewebsites.net/....

But the login portal gives us an error message:

AADSTS50011: The reply address 'https://mysite-staging.azurewebsites.net/<our-application-guid>/login' does not match the reply addresses configured for the application: .

The problem is, the WebApp does not show up as an application in our directory, so we can't set up alternate reply URLs for it.

Is there any way to specify alternate addresses for WebApps, so that Azure AD login will work for deployment slots?

Upvotes: 5

Views: 6479

Answers (3)

Rahn

Reputation: 518

When you create the deployment slot, you need to re-set up the authentication for it, as if it's a new application. (From an App Service perspective, it is.)

The steps are roughly:

  1. In the portal, go to your deployment slot under your App Service.
  2. Go to Authentication/Authorization.
  3. Go through all the steps to set up your authentication/authorization the same as for your production app. (Authenticate via Azure AD, choose the provider, etc.)
  4. Under "Manage App" in the staging environment, go to Settings, and add new reply URLs for your staging environment. You should have your regular reply URL, and then the staging version.

You should then be able to get in.

One weird thing that happened to me is that this didn't work; then I went into the staging authentication and turned it off. That made everything work, and it correctly authenticated and didn't let me in if I wasn't signed in.

(I realize I'm posting this answer years after the original question, but after spending the better part of a week figuring it out, and since this question repeatedly came up in searches, I wanted to document what I ended up doing in case someone else has this problem.)

Upvotes: 3

Si Zi

Reputation: 1139

I'm sure this will not fix the deployment slot still pointing to the live app, but it does fix this error, as it is very silly.

AADSTS50011: The reply address 'https://mysite-staging.azurewebsites.net//login' does not match the reply addresses configured for the application: .

When you configured your URL under the application settings in Azure AD, you forgot… a trailing slash! That's it! Can you believe that?

    In other words, change this:
    http://yoururlforyourapp

    to this:
    http://yoururlforyourapp/

    Done! You’re welcome. 

From http://www.matvelloso.com/2015/01/30/troubleshooting-common-azure-active-directory-errors/

Upvotes: 1
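The two answers above come down to the same check: Azure AD compares the `redirect_uri` in the authorize request with the application's registered reply URLs as exact strings, so a deployment slot hostname that was never registered, or a registered URL that differs only by a trailing slash, both produce AADSTS50011. The script below is an added example (not code from the question, the answers, or Azure) that models that comparison and lists the reply URLs a slot still needs. The hostnames, the application and directory GUIDs, and the `/<application-guid>/login` callback path are assumptions taken from the (not real) URLs quoted in the question; newer App Service builds use a different callback path.

```python
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical application id, standing in for <our-application-guid>
# in the question. Constructed sample data, not a real registration.
APP_ID = "00000000-0000-0000-0000-000000000000"


def easy_auth_reply_url(host: str, app_id: str = APP_ID) -> str:
    """Reply URL the App Service login handler sends for a hostname.

    Assumption: uses the '/<application-guid>/login' path shape quoted in
    the question, not the callback path of current App Service builds.
    """
    return f"https://{host}/{app_id}/login"


def authorize_url(tenant: str, client_id: str, reply_url: str) -> str:
    """Build the Azure AD authorize request the web app redirects to."""
    return (
        f"https://login.microsoftonline.com/{tenant}/oauth2/authorize"
        f"?response_type=id_token&client_id={client_id}"
        f"&redirect_uri={quote(reply_url, safe='')}"
    )


def redirect_uri_from(authorize_request: str) -> str:
    """Extract and URL-decode redirect_uri from an authorize request."""
    query = parse_qs(urlparse(authorize_request).query)
    return query["redirect_uri"][0]


def check_reply_url(authorize_request: str, configured: list[str]) -> tuple[bool, str]:
    """Model Azure AD's reply-address check as an exact string match.

    A missing trailing slash, a different host (a deployment slot) or
    http instead of https all fail. Returns (ok, message); on a mismatch
    the message mirrors the AADSTS50011 wording seen in the question.
    """
    requested = redirect_uri_from(authorize_request)
    if requested in configured:
        return True, f"reply address '{requested}' accepted"
    return False, (
        f"AADSTS50011: The reply address '{requested}' does not match the "
        f"reply addresses configured for the application: {', '.join(configured)}"
    )


def missing_slot_reply_urls(slots: list[str], configured: list[str]) -> list[str]:
    """Reply URLs that still have to be registered so every slot can sign in."""
    return [url for url in (easy_auth_reply_url(h) for h in slots)
            if url not in configured]


if __name__ == "__main__":
    tenant = "11111111-1111-1111-1111-111111111111"  # hypothetical directory id
    slots = ["mysite.azurewebsites.net", "mysite-staging.azurewebsites.net"]
    # Only the production reply URL is registered, as in the question.
    configured = [easy_auth_reply_url(slots[0])]
    for host in slots:
        request = authorize_url(tenant, APP_ID, easy_auth_reply_url(host))
        print(host, "->", check_reply_url(request, configured)[1])
    # The trailing-slash case from the answer above: registered without,
    # requested with, so the exact comparison fails.
    slash_request = authorize_url(tenant, APP_ID, "https://mysite.azurewebsites.net/")
    print(check_reply_url(slash_request, ["https://mysite.azurewebsites.net"])[1])
    print("reply URLs to add:", missing_slot_reply_urls(slots, configured))
```

Run it and the staging slot fails with the AADSTS50011 text while production is accepted; `missing_slot_reply_urls` prints exactly the URL to add to the registration. The same exact-match rule is why Rahn's step 4 (register the staging reply URL) and Si Zi's trailing-slash fix are both needed in their respective situations.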

Chris Gillum

Reputation: 15042

Unfortunately it looks like you ran into some bugs in that version of the preview portal.

The Reply URL issue is likely because you created the staging slot after you configured auth on the production slot. In that version, we cloned the auth settings so your staging slot ended up pointing to the existing AAD application without adding the new Reply URL. This issue has been fixed by not auto-cloning auth settings when a new slot is created.

In any case, you should be able to find your application in the AAD management portal. If you're not able to see it, it could be because you need to change the "Show" dropdown filter from "Applications my company uses" to "Applications my company owns". Locating it and adding the staging Reply URL would have also worked around the issue mentioned above.

The error message you saw when trying to re-configure auth on your staging slot was likely another bug in the management portal if you were only seeing it on that staging slot.

The Authentication / Authorization blade has been radically updated since your question was asked, and all of these issues should be fixed now. Sorry for the inconvenience. I hope you were able to make progress in spite of these issues.

Upvotes: 0
