crystyxn

Reputation: 1601

Hangfire Azure authorization denied

I have deployed my small application with Hangfire to Azure App Service. (I've done this with another project.)

I am trying to set it up with Azure Active Directory authorization. I went to the Azure portal and set it up in the App Service's authentication/authorization settings: turned on App Service authentication, selected Azure Active Directory and added Configured (Express: Existing App) in the authentication providers menu (just like in the previous project). I then restarted the App Service.

Startup.cs contains:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHangfire(config => config
            .SetDataCompatibilityLevel(CompatibilityLevel.Version_170)
            .UseSimpleAssemblyNameTypeSerializer()
            .UseRecommendedSerializerSettings()
            .UseMemoryStorage());

        services.AddHangfireServer();
        services.AddRazorPages();
    }

    public void Configure(
        IApplicationBuilder app,
        IWebHostEnvironment env,
        IBackgroundJobClient backgroundJobClient,
        IRecurringJobManager recurringJobs)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthorization();

        app.UseHangfireDashboard("/jobs", new DashboardOptions()
        {
            Authorization = new[] { new HangFireAuthorizationFilter() }
        });

        app.UseHangfireServer(new BackgroundJobServerOptions { WorkerCount = Environment.ProcessorCount * 5 });

        //backgroundJobClient.Enqueue(() => Console.WriteLine("Hello Hangfire job!!"));

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
        });
    }

HangFireAuthorizationFilter.cs contains:

    public class HangFireAuthorizationFilter : IDashboardAuthorizationFilter
    {
        public bool Authorize([NotNull] DashboardContext context)
        {
            // Can use this for NetCore
            return !context.GetHttpContext().User.Identity.IsAuthenticated;
        }
    }

I publish to Azure successfully and log in with my Azure account when prompted, and I get this message: You do not have permission to view this directory or page.

I've enabled logging in the Azure app and I get this error message:


What exactly am I doing wrong? I am surely missing something but don't know what. If I disable the authorization from Azure, the deployment and the app itself works as intended.

Upvotes: 1

Views: 1295
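
An added example, not the asker's code: the filter as posted returns `!...IsAuthenticated`, so `Authorize` yields true for anonymous requests and false for signed-in ones. The sketch below fails closed instead; the class name `AuthenticatedUsersOnlyFilter`, the optional allow-list and the `ops@example.com` address are assumptions for illustration, and it relies on the app's authentication middleware populating `HttpContext.User`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Hangfire.Annotations;
using Hangfire.Dashboard;

// Added example (not from the original post). Fail-closed dashboard filter:
// any path that cannot establish who the caller is returns false.
public class AuthenticatedUsersOnlyFilter : IDashboardAuthorizationFilter
{
    // Hypothetical allow-list of user names; empty means "any signed-in user".
    private readonly HashSet<string> _allowedUsers;

    public AuthenticatedUsersOnlyFilter(params string[] allowedUsers)
    {
        _allowedUsers = new HashSet<string>(
            allowedUsers ?? Array.Empty<string>(), StringComparer.OrdinalIgnoreCase);
    }

    public bool Authorize([NotNull] DashboardContext context)
    {
        ClaimsPrincipal user = context.GetHttpContext()?.User;

        // No negation of the result: anonymous or missing identities are rejected.
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            return false;
        }

        // No allow-list configured: every authenticated user may open the dashboard.
        if (_allowedUsers.Count == 0)
        {
            return true;
        }

        // Identity.Name is null when the identity carries no name claim; deny in that case.
        string name = user.Identity.Name;
        return name != null && _allowedUsers.Contains(name);
    }
}

// Registration in Startup.Configure (placeholder address):
// app.UseHangfireDashboard("/jobs", new DashboardOptions
// {
//     Authorization = new[] { new AuthenticatedUsersOnlyFilter("ops@example.com") }
// });
```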

Answers (2)

crystyxn

Reputation: 1601

After some trial and error in the Azure App service settings/configs, the following changes solved my problem:

  • Added full URL without route in "Authentication" in App Registration

  • Removed "Power BI"-permission from API Permissions in App Registration

  • Granted Admin Consent for all predefined permissions in App Registration

  • Changed "Action to take when request is not authenticated" to: "Log in with Azure Active Directory" in the App Service "Authentication/Authorization"

Upvotes: 0

Joy Wang

Reputation: 42103

I can reproduce your issue on my side. I suppose you are missing the API permission in your AD App; please try the steps below.

Navigate to the Azure Active Directory in the portal -> App registrations -> find your AD App corresponding to the web app with the filter All applications -> API permissions -> add the Delegated permission User.Read in Microsoft Graph.


Then, when you use the user account in your AAD tenant to log in to the web app, it will ask you to consent to the permission User.Read. After you consent and log in successfully, it will work fine.

Note: To consent to the permission with a normal user, make sure Azure Active Directory -> Enterprise applications -> User settings -> Users can consent to apps accessing company data on their behalf is set to Yes.


Upvotes: 1
