Azure Active Directory Application Components

Here's a diagram to show what are the main components involved in an Azure AppService deployment and configuration, between the actual application and the Azure Active Directory setup.

For those not familiar with Azure, it can get confusing between the concepts of Directory, Tenant, Subscription, and all the sub-components that need to be properly configured when deploying to Azure.

Hopefully this high-level diagram can clarify a bit more.

A few notes:

  • you can create several Tenants under a single Directory.
  • you can use Azure Active Directory in any Tenant (not necessarily the one where the application is deployed).
  • you can use the basic Azure Active Directory authentication and authorization features for free (without a Subscription attached to it), but as soon as you need advanced features (let's say MFA), then you need to buy one of the AAD Premium plans.
  • You do need a Subscription for deployment of apps
  • in this setup, a SSL Certificate is used for Mutual Client Authentication for both the Web App (between an F5 Load Balancer and the AppService), and the Web API (between Azure API Management and the backend API); for this to work you need to upload the certificate to API Management and the F5, as well as the AppServices. Also, remember to set the ClientCertEnabled boolean to True in the Resource Explorer of your AppServices. You most likely will setup also some Custom Host Name for your SSL Certificate in your AppServices.
  • in the AAD App Registration you setup Reply URLs, and OAuth2 Permissions to other Azure resources, as well as your App Roles in the App Manifest.
  • then you can assign the app to Users and Groups with specific Roles (AppRoleAssignment) in the Enterprise Applications section.
  • in API Management you can setup Users, Groups, Products and their User Subscriptions, and of course APIs with their SSL Certificate and Policies. You will need to create and configure an Authorization Server in the API Management Publisher Portal for each API that you intend to use through the Developer Portal.
  • also, you can see at the bottom of the image some APIs, such as ARM, APIM REST, and the two Graph APIs. These are used to automate all the above configuration activities that you can do manually in the Azure Portal.

Have fun!

Comments

  1. Very interesting, thanks for providing for more updates get touch with Azure Online Training

    ReplyDelete

Post a Comment

Popular posts from this blog

Cloud Computing using Microsoft Azure for Dummies

RabbitMQ on Kubernetes Container Cluster in Azure

PowerHell