 

Azure active directory application registration for localhost and production

I successfully registered my ASP.NET MVC application to work with Azure AD. Currently the Sign-on URL parameter (Azure Active Directory->App registrations->New Application Registration) looks like https://localhost:44302/

But for production it apparently will be another (say, https://mycoolapp.com)

How should I set up the application so that I could use Azure AD locally (for example, for debugging) and in production?

Changing the Sign-on URL parameter every time doesn't seem to be a good option.

amplifier Avatar asked Oct 07 '18 16:10





1 Answer

Firstly, you can make it work easily without changing the sign-on URL every time. You just need to make sure that both URLs, i.e. https://localhost:44302/ as well as https://mycoolapp.com, are available in the Reply URLs for this application.

The value for Sign-on URL that you give at the time of creating the app registration goes into two places. It becomes the Home Page URL under Properties for your web application, and it also gets added as the first URL in the Reply URLs collection for your web application. Just make sure to add the second URL to the Reply URLs collection after your app is registered, and that's all.


On a side note, even though you can make things work with a single app registration for both production and localhost debugging, you may want to think about having two separate application registrations for production v/s local development and give permissions to production application only for administrators/dev ops if it makes sense.

Imagine any sensitive settings, like if you are using a secret key for your web application, you may not want your development team to have access to secret key for your production app registration even while debugging code. You can always change which app registration gets used in dev v/s production code based on configurations.

It's some of the headaches like these where Managed Service Identities are very appropriate, but whether that makes sense or not is a little different discussion than this one.

Rohit Saigal Avatar answered Oct 19 '22 04:10

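The answer rests on two behaviours that are easy to check offline: a redirect is only accepted when it exactly matches a registered Reply URL (so both the localhost and the production URL must be registered, or each environment needs its own registration), and the registration an app uses is chosen by environment configuration rather than by editing the Sign-on URL per deployment. The following is an added example, not code from the question, the answer, or Azure AD: it models both points in plain Python. The environment names, the placeholder client ids and the function names are assumptions, and the matching rule is a simplified exact-string comparison rather than Azure AD's full rule set.

```python
"""Plain-Python model of the two points in the answer above (added example).

1. Reply URLs of a single registration: the Sign-on URL becomes the first
   Reply URL; further URLs are appended after registration.
2. A redirect is accepted only on an exact match against the registered Reply
   URLs, and the registration in use is picked from environment configuration.

All values are constructed; the client ids are placeholders, and the matching
rule is a simplified exact-string comparison, not Azure AD's complete rules.
"""

# Constructed: one registration per environment, the answer's "two separate
# application registrations" option. Client ids are placeholders, not real.
APP_REGISTRATIONS = {
    "Development": {
        "client_id": "<dev-client-id-placeholder>",
        "reply_urls": ["https://localhost:44302/"],
    },
    "Production": {
        "client_id": "<prod-client-id-placeholder>",
        "reply_urls": ["https://mycoolapp.com"],
    },
}


def reply_urls_after_registration(sign_on_url: str, *added: str) -> list:
    """Model the single-registration option: the Sign-on URL becomes the first
    Reply URL, and each URL added afterwards is appended (duplicates ignored,
    order preserved)."""
    urls = [sign_on_url]
    for url in added:
        if url not in urls:
            urls.append(url)
    return urls


def is_registered_reply_url(reply_urls, redirect_uri: str) -> bool:
    """Simplified model of the provider-side check: the redirect_uri sent with
    the sign-in request must match a registered Reply URL character for
    character, so scheme, host, port, path and trailing slash all matter and
    unregistered variants or look-alike hosts are refused. Azure AD's own
    rules (for example its treatment of localhost ports) are not reproduced."""
    return redirect_uri in reply_urls


def registration_for(environment: str) -> dict:
    """Pick the registration from configuration (the environment name would
    come from the hosting config, e.g. a Web.config transform or an environment
    variable) instead of editing the Sign-on URL for each deployment."""
    try:
        return APP_REGISTRATIONS[environment]
    except KeyError:
        raise ValueError(f"no app registration configured for {environment!r}")


if __name__ == "__main__":
    # Option 1: one registration serving both URLs.
    shared = reply_urls_after_registration("https://localhost:44302/",
                                           "https://mycoolapp.com")
    for candidate in ("https://localhost:44302/", "https://mycoolapp.com",
                      "https://mycoolapp.com/", "https://mycoolapp.com.example.net"):
        print(f"{candidate:40} accepted={is_registered_reply_url(shared, candidate)}")

    # Option 2: separate registrations selected by environment.
    for env in ("Development", "Production"):
        reg = registration_for(env)
        print(env, reg["client_id"], reg["reply_urls"])
```

Running the script shows the practical consequence of exact matching: `https://mycoolapp.com/` (trailing slash) and a look-alike host are both refused against a registration that only lists `https://mycoolapp.com`, which is why the answer insists that each URL actually used by the app be present in Reply URLs, and why an unknown environment name should fail loudly rather than silently fall back to the production registration.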