Recently I had an issue when setting up Azure AD with a Service Principal / App Registration / Enterprise Application for a custom developed app when we wanted to use Conditional Access.

We started our journey with an App Registration that was setup and integrated with a LAMP application running on Azure so that we could use Azure AD for authentication. This was all setup and working fine, but when we wanted to start using Conditional Access we ran into problems. We found that the conditional access policy was setup and chosen to match to the app and then we wanted to make users MFA for this app. The problem that we had was that the conditional access policy never got executed and always failed to match the app even though it looked like all of the settings were correct. I managed to setup a sample with some advice from Steve Spencer (http://blogs.recneps.net/) who is a fellow Microsoft MVP. Once I had my sample working fine I compared it against the scenario we were having problems with and all of the json from the manifest seemed ok but I spotted a difference between the Azure AD Enterprise App in the portal. In the portal we could see that the menu for conditional access was missing even though when setting up a conditional access policy at the tenant level we could pick the application. The menu item shown below was not visible.

I had seen a few posts talking about the url not being right or the WindowsAzureActiveDirectoryIntegratedApp tag being missing but when we checked they all seemed to be there. I ended up using Powershell to create the app in Azure AD which seemed to work fine with the conditional access policy. If I created the app with Powershell then the menu was there and conditional access worked but if I created it through the portal it didnt work when we used conditional access and usually the menu didnt show. Ive no idea why this happens and assume its a portal issue as things change over time but I wanted to share what we did to make sure it works.

This is the powershell we used to create the App Registration and Enterprise App:

#Before you start do the below:
#1. Use Power shell 64bit
#2. Set-ExecutionPolicy Unrestricted
#3. Run following to install azure ad module -> Install-Module AzureAD

#Note it might ask to update nuget which is fine

#4. Login to Azure AD -> Connect-AzureAD


$appName = 'WebApp2'
$appUri = 'https://localhost:44398/'
$appHomePageUrl = 'https://localhost:44398/'
$appReplyUrl = 'https://localhost:44398/signin-oidc'

$myAppRegistration = Get-AzureADApplication -Filter "DisplayName eq '$($appName)'"  -ErrorAction SilentlyContinue
if($myAppRegistration -eq $null)
{
    $myAppRegistration = New-AzureADApplication -DisplayName $appName -IdentifierUris $appURI -Homepage $appHomePageUrl -ReplyUrls @($appReplyUrl)
    Write-Host 'App Registration Created'

    $myEnterpriseApp = New-AzureADServicePrincipal -AppId $myAppRegistration.AppId -Tags "WindowsAzureActiveDirectoryIntegratedApp"
    Write-Host 'Enterprise Application Created'
}
else
{
    Write-Host 'IGNORING = App Registration Already Exists'
}

In the script you can change the variables to meet the ones for your app.

If we wanted to check the settings then we were using the below script to compare the key settings:

$appName = 'WebApp2'

$myAppRegistration = Get-AzureADApplication -Filter "DisplayName eq '$($appName)'"  -ErrorAction SilentlyContinue
$myEnterpriseApp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($appName)'"  -ErrorAction SilentlyContinue

Write-Host ''
Write-Host 'Enterprise App Settings'
Write-Host 'AppId:' $myAppRegistration.AppId
Write-Host 'DisplayName:' $myAppRegistration.DisplayName
Write-Host 'Homepage:' $myAppRegistration.Homepage
Write-Host 'ObjectId:' $myAppRegistration.ObjectId
Write-Host 'IdentifierUris:' $myAppRegistration.IdentifierUris
Write-Host 'ReplyUrls:' $myAppRegistration.ReplyUrls

Write-Host ''
Write-Host 'Service Principal Settings'
Write-Host 'AppDisplayName:' $myEnterpriseApp.AppDisplayName
Write-Host 'AppId:' $myEnterpriseApp.AppId
Write-Host 'ServicePrincipalType:' $myEnterpriseApp.ServicePrincipalType
Write-Host 'DisplayName:' $myEnterpriseApp.DisplayName
Write-Host 'ObjectId:' $myEnterpriseApp.ObjectId
Write-Host 'ReplyUrls:' $myEnterpriseApp.ReplyUrls
Write-Host 'Tags:' $myEnterpriseApp.Tags

And finally when we wanted to remove the Azure AD objects if we had done something wrong, etc we used the following:


$appName = 'WebApp2'

$myAppRegistration = Get-AzureADApplication -Filter "DisplayName eq '$($appName)'"  -ErrorAction SilentlyContinue
$myEnterpriseApp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($appName)'"  -ErrorAction SilentlyContinue

Remove-AzureADServicePrincipal -ObjectId $mySP.ObjectId
Write-Host 'Enterprise Application Removed'

Remove-AzureADApplication -ObjectId $myEnterpriseApp.ObjectId
Write-Host 'App Registration Removed'

When we were testing the process we used the following steps:

  1. Setup the Azure AD app with 1st script
  2. Check the conditional access menu is displayed for the Enterprise App
  3. Configure the application code with the right settings to use the app (note you may need to setup a token which the script doesnt do)
  4. Check you can log into the app with Azure AD
  5. Setup a conditional access policy for the application in Azure AD and set it to block access for all users
  6. Check we can see the conditional access policy listed under the Conditional Access menu for the enterprise app in the portal
  7. Login to the app again and authenticate against Azure AD, we should then see the conditional access policy kick in and block us

At this point we know the conditional access is working fine and we can now configure our access requirements such as MFA.

Hopefully this post might help someone else who has the same issue

 

Buy Me A Coffee