thomas

Reputation: 177

Azure Static Web App - Secure with AD SSO

I have been testing the new Azure Static Web Apps, but have been unable to find out how I can secure for ex. an index.html file with Azure AD SSO. I know I can send invites, but how can I ensure the site can only be loaded by "all users" or "some groups" within my AD?

Thanks

Upvotes: 0

Views: 611

Answers (2)

jeffreyaven

Reputation: 246

You can do this using an external OIDC-enabled IDaaS like Okta or Auth0.

  1. Create an Azure AD App Registration in your Azure AD tenant
  2. For "Supported account types" select "Accounts in this organizational directory only (Single tenant)"
  3. Create a client secret in the AAD app
  4. Create a Microsoft (Social) IdP in your IDaaS platform (Okta, etc.) using the client id and secret created in (1) and (3)
  5. Create an app in your IDaaS platform
  6. Create a group in your IDaaS platform (optional)
  7. Assign the group to the app created in (5)
  8. Create users you want to access the app in your IDaaS platform (only basic attributes required)
  9. Assign users to the group created in (6)
  10. Create a routing rule to route all app users for the app created in (5) to the IdP created in (4)
  11. Use Auth.js or a similar package to configure the app with your IDaaS org URL and client id
  12. Push this to a SWA via GitHub or Azure DevOps

Make sure you define routes in a routes.json file for SPAs otherwise SWA will not know what to do with these.

Now when anyone attempts to access the app, they will be redirected to an MSFT login screen for your AD tenant, and receive a code, token or id_token depending upon the flow and response_type you defined in your app.

Upvotes: 0

Grace MacJones - MSFT

Reputation: 299

I don't believe Azure Static Web Apps currently supports Azure AD SSO. Azure Static Web Apps is still in preview. If you would like to request this as a feature please leave your feedback here.

In the meantime, you can try using routing in Azure Static Web Apps to customize rules and authorization behavior for both static content and APIs. The rules are defined as an array of rules in the routes.json file.

Based on the Documentation: "Routes are secured by adding one or more role names into a rule's allowedRoles array. See the example route file for usage examples. By default, every user belongs to the built-in anonymous role, and all logged-in users are members of the authenticated role. For instance, to restrict a route to only authenticated users, add the built-in authenticated role to the allowedRoles array."

Upvotes: 1
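As an added illustration (not code from either answer or from Azure), the following JavaScript models how the allowedRoles check quoted above behaves: every caller holds the built-in anonymous role, a signed-in caller additionally holds authenticated plus any custom roles, and a route is loadable only if the caller holds at least one of its allowedRoles. The rule set, the principals, the first-match/trailing-wildcard matching order and the 401/403 status codes are constructed assumptions for teaching purposes, not a verified reproduction of the SWA engine.

```javascript
// Constructed routes.json-style rule set (illustration only, not the asker's file).
const routesJson = {
  routes: [
    { route: "/login", serve: "/.auth/login/aad" },          // reachable by anyone: it starts sign-in
    { route: "/admin/*", allowedRoles: ["administrator"] },  // custom role, assumed to be assigned by the site owner
    { route: "/*", allowedRoles: ["authenticated"] },        // everything else (e.g. index.html) needs a signed-in user
  ],
};

// Effective roles for a caller: everyone is "anonymous"; a signed-in caller is also
// "authenticated" plus any custom roles on the (constructed) client principal.
function rolesFor(principal) {
  const roles = ["anonymous"];
  if (principal) roles.push("authenticated", ...(principal.userRoles || []));
  return roles;
}

// First matching rule wins; a trailing "/*" is treated as a path-prefix wildcard (assumption).
function matchRule(rules, path) {
  return rules.find(({ route }) => {
    if (!route.endsWith("/*")) return route === path;
    const prefix = route.slice(0, -1); // "/admin/*" -> "/admin/"
    return path.startsWith(prefix) || path === prefix.slice(0, -1);
  });
}

// 200 when no rule restricts the path or the caller holds one of its allowedRoles,
// 401 for an anonymous caller on a protected route, 403 for a signed-in caller lacking the role.
function authorize(rules, path, principal) {
  const rule = matchRule(rules, path);
  const serve = rule && rule.serve ? rule.serve : path;
  if (!rule || !rule.allowedRoles) return { status: 200, serve };
  const roles = rolesFor(principal);
  if (rule.allowedRoles.some((r) => roles.includes(r))) return { status: 200, serve };
  return { status: roles.includes("authenticated") ? 403 : 401, serve: null };
}

// Constructed principals: alice carries the custom role, bob is merely signed in.
const alice = { userDetails: "alice@contoso.example", userRoles: ["administrator"] };
const bob = { userDetails: "bob@contoso.example", userRoles: [] };

for (const [who, principal] of [["anonymous", null], ["bob", bob], ["alice", alice]]) {
  for (const path of ["/index.html", "/admin/index.html", "/login"]) {
    const { status } = authorize(routesJson.routes, path, principal);
    console.log(`${who.padEnd(9)} ${path.padEnd(18)} -> ${status}`);
  }
}
```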
