Create an App Service for the Azure AD SCIM Microservice

EmpowerID uses the Azure AD SCIM Microservice to make API calls to your Azure AD tenant in response to your actions in EmpowerID. As part of deploying the microservice, you need to create an app service to host it, configure that app service for Azure AD authentication so that only callers presenting a valid token for your tenant are admitted, and enable a managed identity that can later be granted permissions to resources protected by Azure AD.

To create and configure the app service, you need to complete the following tasks:

  1. Create the app service

  2. Configure the app service to authenticate to Azure AD using the service principal you created earlier

  3. Create a managed identity for the app service

  4. Download the publish profile for the app service

Create the app service

  1. In Azure, navigate to All Services > App services and click Create.

  2. Under Project Details, select a Subscription and Resource Group for the App Service. If desired, you can create a new Resource Group.

  3. Under Instance Details, do the following:

    • Name – Enter a name for the Web App.

    • Publish – Select Code.

    • Runtime Stack – Select .NET 6.

    • Operating System – Select Linux.

    • Region – Select the appropriate region.

  4. Under App Service Plan, select an existing Linux Plan or create a new one.

  5. Click Review + Create.

  6. Click Create.

  7. After deployment completes, click Go to Resource and copy the URL from the Overview page. You will need this when you configure the app service for the EmpowerID Azure AD SCIM Microservice.

Configure authentication

  1. Navigate to the Authentication blade for the app service and click Add identity provider.

  2. Select Microsoft.

  3. Add the following identity provider information:

    1. App registration type – Select Pick an existing app registration in this directory.

    2. Name or app ID – Select the service principal you created to provide Azure AD authentication for the microservice.

    3. Issuer URL – Enter https://login.microsoftonline.com/<Your Tenant ID>, where <Your Tenant ID> is the Directory (tenant) ID of your Azure AD tenant. A tenant-specific issuer means the app service rejects tokens issued by any other tenant; do not use /common or /organizations here.

    4. Restrict access – Select Require authentication.

    5. Unauthenticated requests – Select HTTP 401 Unauthorized: recommended for APIs.

    6. Token Store – Leave selected.

    7. Click Add.

  4. After adding the Identity provider, click the Edit link for it.

  5. Set the Issuer URL to https://login.microsoftonline.com/<Your Tenant ID> (the same tenant-specific value entered in step 3).

  6. Under Allowed token audiences, enter the URL of the app service that you copied from its Overview page (for example, https://<app name>.azurewebsites.net). Tokens whose aud claim does not match one of the allowed audiences are rejected.

  7. Click Save.
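After saving, you can confirm the authentication settings outside the portal. The following script is an added example, not part of the EmpowerID documentation or product: it checks the JSON returned by `az webapp auth show -g <resource group> -n <app name>` for the settings this section asks for (Require authentication, HTTP 401 for unauthenticated requests, a tenant-specific issuer, the service principal's client ID, and the app service URL as an allowed audience). The key layout it expects follows the authsettingsV2 schema of the App Service authentication resource; the tenant ID, client ID, app URL and the two sample configurations are constructed for the example.

```python
"""Check an App Service Easy Auth (V2) configuration for the Azure AD SCIM microservice.

Added example, not EmpowerID code. Input is the JSON from
`az webapp auth show -g <resource group> -n <app name>`; the key layout assumed
below is the Microsoft.Web/sites/config/authsettingsV2 schema.
"""
import json
import re
from urllib.parse import urlparse

# Issuer tenant segments that accept tokens from more than one directory.
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def _settings(config: dict) -> dict:
    """The CLI wraps the settings in "properties"; accept both layouts."""
    return config.get("properties", config)


def check_issuer(issuer: str, tenant_id: str) -> list[str]:
    """Require an https issuer on login.microsoftonline.com that names our tenant."""
    findings = []
    u = urlparse(issuer or "")
    if u.scheme != "https" or u.netloc.lower() != "login.microsoftonline.com":
        findings.append(f"issuer is not https://login.microsoftonline.com/...: {issuer!r}")
        return findings
    segments = [s for s in u.path.split("/") if s]   # tolerate a trailing /v2.0
    tenant = segments[0].lower() if segments else ""
    if tenant in MULTI_TENANT_SEGMENTS:
        findings.append(f"issuer /{tenant} accepts tokens from any tenant; use the tenant ID")
    elif not GUID_RE.match(tenant) or tenant != tenant_id.lower():
        findings.append(f"issuer tenant {tenant!r} does not match tenant ID {tenant_id}")
    return findings


def check_auth_config(config: dict, tenant_id: str, client_id: str, app_url: str) -> list[str]:
    """Return a list of findings; an empty list means the configuration matches the procedure."""
    s = _settings(config)
    findings = []
    gv = s.get("globalValidation", {})
    if gv.get("requireAuthentication") is not True:
        findings.append("requireAuthentication is not true (Restrict access must be Require authentication)")
    if gv.get("unauthenticatedClientAction") != "Return401":
        findings.append(f"unauthenticatedClientAction is {gv.get('unauthenticatedClientAction')!r}, expected Return401")
    aad = s.get("identityProviders", {}).get("azureActiveDirectory", {})
    if not aad.get("enabled", False):
        findings.append("Azure AD identity provider is not enabled")
    reg = aad.get("registration", {})
    if (reg.get("clientId") or "").lower() != client_id.lower():
        findings.append(f"clientId {reg.get('clientId')!r} is not the microservice service principal")
    findings += check_issuer(reg.get("openIdIssuer", ""), tenant_id)
    audiences = {a.rstrip("/").lower() for a in aad.get("validation", {}).get("allowedAudiences") or []}
    if app_url.rstrip("/").lower() not in audiences:
        findings.append(f"allowedAudiences does not include the app service URL {app_url}")
    return findings


# Constructed identifiers for the example (not real tenants or apps).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APP_URL = "https://eid-scim-example.azurewebsites.net"


def sample_config(issuer: str, action: str, audiences: list[str]) -> dict:
    """Constructed `az webapp auth show` output in the authsettingsV2 shape."""
    return {
        "name": "authsettingsV2",
        "properties": {
            "platform": {"enabled": True},
            "globalValidation": {"requireAuthentication": True,
                                 "unauthenticatedClientAction": action},
            "identityProviders": {"azureActiveDirectory": {
                "enabled": True,
                "registration": {"clientId": CLIENT_ID, "openIdIssuer": issuer},
                "validation": {"allowedAudiences": audiences}}},
            "login": {"tokenStore": {"enabled": True}},
        },
    }


GOOD_CONFIG = sample_config(f"https://login.microsoftonline.com/{TENANT_ID}", "Return401", [APP_URL])
# Two common mistakes: a multi-tenant issuer, a browser redirect for API clients, no audience.
BAD_CONFIG = sample_config("https://login.microsoftonline.com/common", "RedirectToLoginPage", [])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        findings = check_auth_config(cfg, TENANT_ID, CLIENT_ID, APP_URL)
        print(name + ":", "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

To check a real app service, save the CLI output to a file and call `check_auth_config(json.load(open("auth.json")), <tenant ID>, <client ID>, <app URL>)` with your own values. The issuer check is the one most worth keeping: with `/common` in the issuer, a token from any Azure AD tenant would satisfy the app service's authentication.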


Create a managed identity for the app service

  1. Navigate to the Identity blade for the app service.

  2. Turn on System assigned to create the managed identity.

  3. Click Save and then click Yes to confirm that you want to enable system assigned managed identity.

Download the publish profile for the app service

  1. Navigate to the Overview page for the app service.

  2. Click Get publish profile and save the file to your machine. You use this file when publishing the EmpowerID Azure AD SCIM microservice to Azure. The publish profile contains the deployment credentials for the app service, so store it securely and do not commit it to source control.


Next Steps

https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/2098987528

https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/2098987639

https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/2116911168
