user2020832
Reputation: 35
How to Create Identity Provider using ARM template for azure function app?
How to Create azure identity provider in azure portal using ARM template for the azure functions.
ARM template to deploy the azure resources. I am able to create the azure functions but I also need to create the Authentication -> Identity provider (Microsoft) on the fly .
Upvotes: 3
Views: 2529
Answers (1)
AjayKumarGhose
Reputation: 4893
We have tried in our environment to create an Azure function with azure AD Authentication and Identity provider(Microsoft) with below template:
Prerequisites:-
- Register an Application in Azure AD(
AZURE AD>APP REGISTRATION). - Enable ID tokens (used for implicit and hybrid flows) .
ARM TEMPLATE:-
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"siteName": {
"type": "string",
"defaultValue": "[concat('FuncApp-', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "The name of your Web Site."
}
},
"storageAccountName": {
"type": "String",
"defaultValue": "[concat('store', uniqueString(resourceGroup().id))]"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"clientId": {
"type": "string",
"metadata": {
"description": "ClientId of the APP registration to be used by the Function APP authentication"
}
}
},
"variables": {
"hostingPlanName": "[concat('hpn-', resourceGroup().name)]",
"storageAccountid": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
},
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-02-01",
"name": "[parameters('siteName')]",
"kind": "functionapp,linux",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"properties": {
"name": "[parameters('siteName')]",
"adminEnabled": true,
"enabledHostNames": [
"[concat(parameters('siteName'),'.azurewebsites.net')]",
"[concat(parameters('siteName'),'.scm.azurewebsites.net')]"
],
"hostNameSslStates": [
{
"name": "[concat(parameters('siteName'),'.azurewebsites.net')]",
"sslState": "Disabled",
"ipBasedSslState": "NotConfigured",
"hostType": "Standard"
},
{
"name": "[concat(parameters('siteName'),'.scm.azurewebsites.net')]",
"sslState": "Disabled",
"ipBasedSslState": "NotConfigured",
"hostType": "Repository"
}
],
"siteConfig": {
"appSettings": [
{
"name": "FUNCTIONS_WORKER_RUNTIME",
"value": "python"
},
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~2"
},
{
"name": "AzureWebJobsStorage",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"
}
]
},
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
"clientAffinityEnabled": false
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2021-02-01",
"name": "[variables('hostingPlanName')]",
"location": "[parameters('location')]",
"kind": "linux",
"properties": {
"reserved": true
},
"sku": {
"Tier": "Standard",
"Name": "S1"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('storageAccountName')]",
"apiVersion": "2019-06-01",
"location": "[parameters('location')]",
"kind": "StorageV2",
"sku": {
"name": "Standard_LRS"
}
},
{
"name": "[concat(parameters('siteName'), '/authsettingsV2')]",
"type": "Microsoft.Web/sites/config",
"apiVersion": "2021-02-01",
"location": "[parameters('location')]",
"properties": {
"platform": {
"enabled": true,
"runtimeVersion": "~1"
},
"globalValidation": {
"requireAuthentication": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"redirectToProvider": "azureactivedirectory"
},
"identityProviders": {
"azureActiveDirectory": {
"enabled": true,
"registration": {
"openIdIssuer": "[concat('https://sts.windows.net/',tenant().tenantId,'/v2.0')]",
"clientId": "[parameters('clientId')]",
"clientSecretSettingName": "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
},
"login": {
"disableWWWAuthenticate": false
},
"validation": {
"jwtClaimChecks": {},
"allowedAudiences": [],
"defaultAuthorizationPolicy": {
"allowedPrincipals": {}
}
}
},
"facebook": {
"enabled": true,
"registration": {},
"login": {}
},
"gitHub": {
"enabled": true,
"registration": {},
"login": {}
},
"google": {
"enabled": true,
"registration": {},
"login": {},
"validation": {}
},
"twitter": {
"enabled": true,
"registration": {}
},
"legacyMicrosoftAccount": {
"enabled": true,
"registration": {},
"login": {},
"validation": {}
},
"apple": {
"enabled": true,
"registration": {},
"login": {}
}
},
"login": {
"routes": {},
"tokenStore": {
"enabled": true,
"tokenRefreshExtensionHours": 72,
"fileSystem": {},
"azureBlobStorage": {}
},
"preserveUrlFragmentsForLogins": false,
"cookieExpiration": {
"convention": "FixedTime",
"timeToExpiration": "08:00:00"
},
"nonce": {
"validateNonce": true,
"nonceExpirationInterval": "00:05:00"
}
},
"httpSettings": {
"requireHttps": true,
"routes": {
"apiPrefix": "/.auth"
},
"forwardProxy": {
"convention": "NoProxy"
}
}
}
}
]
}
NOTE: In client id provide the app registration application id which you have created earlier
OUTPUT:- Deployed using:
az deployment group create -n TestDeployment -g <resourcegroupname> --template-file "C:\Path\to\template.json"
NOTE:- In APP Registration we have to add reply uri by using azure cli cmd with https://yourfunctionappname.azurewebsites.net/.auth/login/aad/callback
az ad app update --id <objectid> --reply-urls https://funcapp-xxxxxxx.azurewebsites.net/.auth/login/aad/callback
Tested Function app output:
Upvotes: 3
Related Questions
- ARM template for Azure Function with V2 Authentication
- how can I create user assigned identity and system assign identity with arm template on a app service
- Unable to use 'User-managed identity' with Azure Function App
- unable to deploy azure function app through the arm template
- Referencing a Managed Service Identity in ARM-template deploy
- ARM template storage account not found while creating Azure Function App
- Deploy Azure Function with ARM template
- how to create an azure function key in ARM template?
- How to deploy Azure Function app including code using ARM template from Azure marketplace
- Easy Authentication and Authorization in Azure Function App using ARM template