- Enable Authentication and Authorization with Microsoft Entra ID
Ensure that authentication and authorization with Microsoft Entra ID is enabled for your Microsoft Azure Container Apps to secure your applications by allowing access only to authenticated users or services, thus protecting sensitive data and resources from unauthorized access.
Enabling authentication and authorization in Azure Container Apps with Microsoft Entra ID enhances security by ensuring only authenticated users and services can access your Container Apps. This prevents unauthorized access, protects sensitive data, and simplifies identity management using Microsoft's trusted identity platform.
Audit
To determine if authentication with Microsoft Entra ID is enabled for your Azure Container Apps, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.
05 Click on the name (link) of the Azure Container App that you want to examine.
06 In the resource navigation panel, under Settings, choose Authentication to access the authentication and authorization settings available for the selected Container App.
07 On the Authentication page, search for the Microsoft identity provider. An identity provider is responsible for managing user identities and the authentication flow of your application. If Microsoft is not listed in the Identity provider section, or no identity providers are configured for your Container App at all (in which case the Add identity provider button is displayed instead), authentication and authorization with Microsoft Entra ID is not enabled for the selected Azure Container App.
08 Repeat steps no. 5 – 7 for each Azure Container App deployed in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Microsoft Azure Container App available in the selected subscription:
az containerapp list --query '[*].id'
05 The command output should return the requested Azure Container App IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-openai-container-app" ]
06 Run containerapp auth show command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to examine as the identifier parameter to describe the identity providers configured for authentication and authorization. An identity provider is responsible for managing user identities and the authentication flow of your application:
az containerapp auth show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app" --query 'identityProviders'
07 The command output should return the list with the identity providers configured for your Container App:
{}
If the containerapp auth show command output returns an empty object (i.e., {}), as shown in the example above, there are no identity providers configured for your Container App. If the command output returns a list of identity providers but the list does not include "azureActiveDirectory", authentication and authorization with Microsoft Entra ID is not enabled for the selected Azure Container App.
08 Repeat steps no. 6 and 7 for each Azure Container App available within the current Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
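The check in steps 6 and 7 can be applied to the saved command output rather than by eye. The following Python is an added example, not part of the original page or of the Azure CLI: it evaluates the JSON printed by containerapp auth show (with or without the --query 'identityProviders' filter) or the authConfigs/current resource printed by containerapp auth update in the remediation section, and also reports when a provider exists but the platform is disabled or anonymous requests are still allowed. The sample documents are constructed to mirror the outputs shown on this page; that auth show without --query prints the bare properties object, and that AllowAnonymous is the unauthenticatedClientAction value permitting anonymous access, are assumptions.

```python
# Value of globalValidation.unauthenticatedClientAction that lets requests
# through without a token; the other values deny or redirect them (assumption).
ANONYMOUS_ACTION = "AllowAnonymous"
TOP_LEVEL_KEYS = ("identityProviders", "platform", "globalValidation", "login")


def evaluate_auth_config(doc):
    """Return a list of findings for one Container App; [] means compliant.

    `doc` may be the identityProviders object alone (auth show with --query),
    the bare properties object (auth show without it; assumed output shape)
    or the full authConfigs/current resource, as printed by auth update.
    """
    props = doc.get("properties", doc)
    if any(key in props for key in TOP_LEVEL_KEYS):
        providers = props.get("identityProviders") or {}
        platform, validation = props.get("platform"), props.get("globalValidation")
    else:  # only the identityProviders object was supplied
        providers, platform, validation = props, None, None

    findings = []
    if not providers:
        findings.append("no identity providers configured")
    elif "azureActiveDirectory" not in providers:
        findings.append("identity providers present but azureActiveDirectory is missing")
    elif not (providers["azureActiveDirectory"].get("registration") or {}).get("clientId"):
        findings.append("azureActiveDirectory provider has no clientId registration")
    # The provider alone is not enough: platform must be on and anonymous access off.
    if platform is not None and platform.get("enabled") is not True:
        findings.append("authentication platform is not enabled (platform.enabled)")
    if validation is not None and validation.get("unauthenticatedClientAction") == ANONYMOUS_ACTION:
        findings.append("unauthenticatedClientAction is AllowAnonymous")
    return findings


# Constructed samples shaped like the page's command outputs (IDs are dummies).
EMPTY_PROVIDERS = {}
ENTRA_REGISTRATION = {"isAutoProvisioned": False, "registration": {
    "clientId": "abcd1234-abcd-1234-abcd-1234abcd1234",
    "clientSecretSettingName": "microsoft-provider-authentication-secret",
    "openIdIssuer": "https://login.microsoftonline.com/abcdabcd-1234-abcd-1234-abcd1234abcd/v2.0"}}
COMPLIANT = {"name": "current", "properties": {
    "globalValidation": {"redirectToProvider": "Microsoft", "unauthenticatedClientAction": "Return403"},
    "identityProviders": {"azureActiveDirectory": ENTRA_REGISTRATION},
    "platform": {"enabled": True}}}
ENTRA_BUT_ANONYMOUS = {"globalValidation": {"unauthenticatedClientAction": ANONYMOUS_ACTION},
                       "identityProviders": {"azureActiveDirectory": ENTRA_REGISTRATION},
                       "platform": {"enabled": True}}

if __name__ == "__main__":
    for name, doc in (("empty", EMPTY_PROVIDERS), ("compliant", COMPLIANT), ("anonymous", ENTRA_BUT_ANONYMOUS)):
        print(name, evaluate_auth_config(doc) or ["compliant"])
```

Pipe the output of az containerapp auth show for each app ID from step 5 into evaluate_auth_config to audit a whole subscription in one pass.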
Remediation / Resolution
To ensure that authentication and authorization with Microsoft Entra ID is enabled for your Microsoft Azure Container Apps, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Container App, and choose Apply to list only the Azure Container Apps available in the selected subscription.
05 Click on the name (link) of the Azure Container App that you want to examine.
06 In the resource navigation panel, under Settings, select Authentication, choose Add provider/Add identity provider, and perform the following actions to configure authentication and authorization with Microsoft Entra ID:
- For Basics, select Microsoft from the Identity provider dropdown list, choose a tenant type based on the kind of users that will be accessing your application, register a new application in Microsoft Entra ID (a client secret is automatically created), and configure your Container App to require authentication. Requiring authentication ensures that requests to your application include information about the caller. Choose Next: Permissions > to continue the setup.
- (Optional) For Permissions, configure the Microsoft Graph permissions. Choose Add permission to add the permissions that a user of your applications will be prompted to consent when they sign in for the first time. The User.Read permission is generally recommended for proper app functionality. User.Read gives access to the sub claim, allowing the application to correctly identify the user over time and access basic user information.
- Choose Add to apply the identity provider configuration. You are now ready to use the Microsoft identity platform for authentication in your Container App.
07 Repeat steps no. 5 and 6 for each Azure Container App that you want to configure, deployed in the selected Azure subscription.
08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run containerapp list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Microsoft Azure Container App available in the selected subscription:
az containerapp list --query '[*].id'
05 The command output should return the requested Azure Container App IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-openai-container-app" ]
06 Run ad app create command (Windows/macOS/Linux) to register a new application in Microsoft Entra ID:
az ad app create --display-name tm-project5-app-registration
07 The command output should return the information available for the new app registration:
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity", "addIns": [], "api": { "acceptMappedClaims": null, "knownClientApplications": [], "oauth2PermissionScopes": [], "preAuthorizedApplications": [], "requestedAccessTokenVersion": null }, "appId": "abcd1234-abcd-1234-abcd-1234abcd1234", "appRoles": [], "applicationTemplateId": null, "certification": null, "createdDateTime": "2024-11-15T10:21:25.4520868Z", "defaultRedirectUri": null, "deletedDateTime": null, "description": null, "disabledByMicrosoftStatus": null, "displayName": "tm-project5-app-registration", "groupMembershipClaims": null, "id": "1234abcd-1234-abcd-1234-abcd1234abcd", "identifierUris": [], "isDeviceOnlyAuthSupported": null, "isFallbackPublicClient": null, "keyCredentials": [], "nativeAuthenticationApisEnabled": null, "notes": null, "optionalClaims": null, "publisherDomain": "domain.onmicrosoft.com", "requestSignatureVerification": null, "requiredResourceAccess": [], "samlMetadataUrl": null, "serviceManagementReference": null, "servicePrincipalLockConfiguration": null, "signInAudience": "AzureADMyOrg", "tokenEncryptionKeyId": null, "uniqueName": null, "verifiedPublisher": { "addedDateTime": null, "displayName": null, "verifiedPublisherId": null } }
08 Run containerapp auth microsoft update command (Windows/macOS/Linux) with the ID of the Azure Container App that you want to configure as the identifier parameter to add Microsoft Entra ID as the identity provider for the specified Container App:
az containerapp auth microsoft update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app" --client-id "abcd1234-abcd-1234-abcd-1234abcd1234" --client-secret "<client-secret-value>" --tenant-id "abcdabcd-1234-abcd-1234-abcd1234abcd" --yes
09 The command output should return the registration information available for your Container App:
{ "isAutoProvisioned": false, "registration": { "clientId": "abcd1234-abcd-1234-abcd-1234abcd1234", "clientSecretSettingName": "microsoft-provider-authentication-secret", "openIdIssuer": "https://login.microsoftonline.com/abcdabcd-1234-abcd-1234-abcd1234abcd/v2.0" } }
10 Run containerapp auth update command (Windows/macOS/Linux) to configure your Azure Container App to require authentication. Requiring authentication ensures that requests to your application include information about the caller:
az containerapp auth update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerapps/tm-project5-container-app" --enabled true --action "Return403"
11 The command output should return the authentication configuration information available for the modified Azure Container App:
{ "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.App/containerApps/tm-project5-container-app/authConfigs/current", "name": "current", "properties": { "encryptionSettings": {}, "globalValidation": { "redirectToProvider": "Microsoft", "unauthenticatedClientAction": "Return403" }, "identityProviders": { "azureActiveDirectory": { "isAutoProvisioned": false, "registration": { "clientId": "abcd1234-abcd-1234-abcd-1234abcd1234", "clientSecretSettingName": "microsoft-provider-authentication-secret", "openIdIssuer": "https://login.microsoftonline.com/abcdabcd-1234-abcd-1234-abcd1234abcd/v2.0" } } }, "login": { "cookieExpiration": {}, "nonce": {}, "preserveUrlFragmentsForLogins": false, "routes": {} }, "platform": { "enabled": true } }, "resourceGroup": "cloud-shell-storage-westeurope", "type": "Microsoft.App/containerapps/authconfigs" }
12 Repeat steps no. 6 – 11 for each Azure Container App that you want to configure, available within the current subscription.
13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.
References
- Azure Official Documentation
- Enable authentication and authorization in Azure Container Apps with Microsoft Entra ID
- Authentication and authorization in Azure Container Apps
- Overview of permissions and consent in the Microsoft identity platform
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az containerapp auth show
- az ad app create
- az containerapp auth microsoft update
- az containerapp auth update