Front Door + App Service with built-in authentication not working

I'm trying to use App Service with standard App Registration built-in authentication behind a Front Door with no success.

My setup is:

  1. An App Service "myapp.azurewebsites.com" with built-in authentication.
  2. App Registration "app-auth" as auth provider.
  3. I have "app-auth" configured in my App Service for automatic authentication via Provider.
  4. Front Door "frontdoor.example.com" forwards requests to my App Service.

My App Registration "app-auth" has a redirect URL assigned with the Front Door public name, for example "frontdoor.example.com".

Problems I'm having:

  • App Service keeps sending its own name "myapp.azurewebsites.com" as request_uri query string when logging in to Azure Active Directory. It must send the Front Door URL.
  • Setting up "frontdoor.example.com" host header in Front Door fails, as it requires it to match the App Service name.

Am I missing some configuration? Or, do I need to use custom authentication when behind a Front Door?

asked Dec 09 '25 17:12

Evandro Pomatti


2 Answers

In order for this to work, you need to add the custom domain (frontdoor.example.com) also to your app service. This can be done using DNS verification.

  • Go to your App Service
  • Go to Custom Domains
  • Copy the Custom Domain Verification ID
  • Add a new DNS TXT record with the copied value: TXT asuid.frontdoor.example.com. <verification id>

To ensure Front Door forwards the request Host Header, the Origin host header field in your Origin configuration must be blank.

Then, when Front Door forwards the request Host Header (Host: frontdoor.example.com), the App Service will recognize it and the Azure AD authentication will use it for redirection.

answered Dec 12 '25 17:12

Stan Janssen


For me, changing the auth settings for the Azure Web app worked. First:

"httpSettings": {
  "forwardProxy": {
    "convention": "Standard"
  }
}

By default, I had "NoProxy" there.

Second:

"validation": {
  "defaultAuthorizationPolicy": {
    "allowedPrincipals": {}
  },
  "allowedAudiences": [
    "https://<my-url>.z01.azurefd.net",
    "https://<my-app-url>.azurewebsites.net"
  ]
}

I had to add this "allowedAudiences" with URLs for the Front Door and the original URL of the web app. And the last:

"login": {
  "allowedExternalRedirectUrls": [

I had to add

https://<my-url>.z01.azurefd.net/.auth/login/aad/callback

Then it started to work. You can download the file by executing:

az rest --uri "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Web/sites/<site name>/config/authsettingsV2?api-version=2020-09-01" --method get

Update it accordingly and then upload it by executing:

az rest --uri "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Web/sites/<site name>/config/authsettingsV2?api-version=2020-09-01" --method put --body @auth.json
answered Dec 12 '25 16:12
Adrian Stanisławski
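
The three edits described in the answer above can be applied to the downloaded settings in one idempotent step. This is an added example, not code from either answerer; the host names and the sample document are constructed, and the nesting of "validation" under properties.identityProviders.azureActiveDirectory is an assumption based on the authsettingsV2 resource layout.

```python
import copy
import json

# Constructed stand-in for the JSON returned by the "az rest ... --method get" call.
# The nesting under "properties" is an assumption about the authsettingsV2 layout.
SAMPLE = json.loads("""
{
  "properties": {
    "httpSettings": {"requireHttps": true, "forwardProxy": {"convention": "NoProxy"}},
    "identityProviders": {"azureActiveDirectory": {"validation": {
      "allowedAudiences": ["https://myapp.azurewebsites.net"]}}},
    "login": {"allowedExternalRedirectUrls": null}
  }
}
""")


def _child(node, key, kind):
    """Return node[key], creating it (or replacing a JSON null) with an empty kind()."""
    if node.get(key) is None:
        node[key] = kind()
    return node[key]


def patch_for_front_door(settings, front_door_host, app_host):
    """Return a copy of the auth settings with the three Front Door changes applied."""
    doc = copy.deepcopy(settings)
    props = _child(doc, "properties", dict)

    # 1. "Standard" makes the auth module read the forwarded host/proto headers.
    proxy = _child(_child(props, "httpSettings", dict), "forwardProxy", dict)
    proxy["convention"] = "Standard"

    # 2. Accept tokens issued for the Front Door URL and for the original app URL.
    aad = _child(_child(props, "identityProviders", dict), "azureActiveDirectory", dict)
    audiences = _child(_child(aad, "validation", dict), "allowedAudiences", list)
    # 3. Allow the login callback on the Front Door host.
    redirects = _child(_child(props, "login", dict), "allowedExternalRedirectUrls", list)

    wanted = [(audiences, f"https://{front_door_host}"), (audiences, f"https://{app_host}"),
              (redirects, f"https://{front_door_host}/.auth/login/aad/callback")]
    for target, value in wanted:
        if value not in target:  # skip duplicates so re-running changes nothing
            target.append(value)
    return doc


if __name__ == "__main__":
    patched = patch_for_front_door(SAMPLE, "contoso.z01.azurefd.net", "myapp.azurewebsites.net")
    print(json.dumps(patched, indent=2))  # save as auth.json for the PUT call
```

Because the "Standard" convention trusts the X-Forwarded-Host header for building redirect URLs, restrict the App Service so that it only accepts traffic arriving through the Front Door.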