kudlatiger

Reputation: 3288

How does application validate the authenticated token from Azure Active Directory?

I have an application which is sitting behind a WAF (Web Application Firewall).

The application is using Microsoft Active Directory for authentication.

Here are the steps:

  1. The user tries to access the application using the browser.
  2. The WAF layer sees that the request is not authenticated, hence forwards it to Azure Active Directory.
  3. AAD shows the login page and the user enters username/password/MFA.
  4. Now the token from AAD is sent back to the browser and it will be sent to the backend application.

Now the question is:


Upvotes: 3

Views: 405

Answers (2)

kudlatiger

Reputation: 3288

I have resolved the issue by using the service tag feature in NSG. The backend application needs to be able to reach AAD in order to validate the access token.

I have added an outbound rule with Destination Service Tag Azure Active Directory as shown below.


Here is the link: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

Upvotes: 1

krishg

Reputation: 6508

It depends on which auth flow you are using.

  • For the Authorization code flow, your application would need to talk to AAD to redeem the auth code for an access token and refresh token via the back channel. So, you would need to allow a connection to AAD (login.microsoftonline.com). [Authorization code flow diagram]

  • For the Implicit grant flow, it's the browser which directly gets the access token from AAD via the front channel. So, in that case, you won't need whitelisting in the backend WAF. [Implicit grant flow diagram]

Upvotes: 2
