
To set up Azure AD authentication on your website, you'll need to create an Azure AD application. This involves registering your application in the Azure portal.
You'll need to provide some basic information about your application, such as its name and redirect URI. The redirect URI is the URL that users will be sent to after they authenticate.
In the Azure portal, navigate to the Azure AD section and click on "App registrations". Click on "New application" to create a new application. Fill in the required information, including the name and redirect URI of your application.
The redirect URI should match the URL of your website. This is where users will be redirected after they authenticate.
Azure AD Authentication Setup
To set up Azure AD authentication, you'll need to create a user flow. This flow defines the user experience when users try to sign in to your app. You'll need to create at least three separate user flows: a combined Sign in and sign up user flow, a Profile editing user flow, and a Password reset user flow.
Azure AD B2C prepends "B2C_1_" to the user flow name, so use the prefixed name wherever your application refers to the flow. For example, if you create a user flow called "susi", Azure AD B2C names it "B2C_1_susi".
To enable your application to sign in with Azure AD B2C, you'll need to register your app in the Azure AD B2C directory. This establishes a trust relationship between your app and Azure AD B2C. You'll also need to specify the redirect URI, which is the endpoint to which users are redirected after they authenticate with Azure AD B2C.
Here's a quick rundown of the steps to register your app:
- Sign in to the Azure portal.
- Select App registrations and click New registration.
- Enter a name for the application and select the relevant account types.
- Set the redirect URI to a URL like https://localhost:44316/signin-oidc.
- Grant admin consent to the openid and offline_access permissions.
This will give you the Application (client) ID, which you'll need to configure your web application. Don't forget to record this ID for later use!
Prerequisites
Before diving into the setup process, it's essential to be aware of the defaults and resources for authentication and authorization with Azure Static Web Apps. Any user can authenticate with a preconfigured provider.
To manage access and roles, you should understand that users belong to the anonymous and authenticated roles after sign-in. For more information about roles, see Manage roles.
You'll need to define rules in the staticwebapp.config.json file for authorized users to gain access to restricted routes. This will help you control who can access specific areas of your application.
To assign users custom roles, you have a few options. You can use the built-in invitations system, programmatically assign users custom roles at sign-in with an API function, or restrict sign-in to a specific Microsoft Entra ID tenant by configuring a custom Microsoft Entra ID provider.
Here are the key points to keep in mind:
- Define rules in the staticwebapp.config.json file for authorized users to gain access to restricted routes.
- Assign users custom roles using the built-in invitations system or programmatically at sign-in with an API function.
- Restrict sign-in to a specific Microsoft Entra ID tenant by configuring a custom Microsoft Entra ID provider.
Set up OIDC with YugabyteDB Anywhere
To set up OIDC with YugabyteDB Anywhere, you'll need to create an app registration in Azure AD. This involves registering YugabyteDB Anywhere in the Azure AD tenant and configuring Azure AD to send tokens with required claims to YugabyteDB Anywhere.
First, navigate to the Azure console and click on App registrations, then click New registration. Enter a name for the application, select the tenant, and set the redirect URI to a specific URL.
You'll also need to obtain the tenant ID and client ID from the application registration. To do this, click on the application's Overview page, then click on Endpoints. From here, you can view the client ID and tenant ID.
To configure OIDC in YugabyteDB Anywhere, use the application you registered. You can also configure YBA to display the user's JSON Web Token (JWT) on the sign-in screen.
To enable OIDC for universes, you'll need to set authentication rules for database access using flags. This will implicitly configure the database and pick up the authentication rules you set. The database will use well-known PostgreSQL constructs to translate these authentication rules into database roles for access.
You can map Azure AD attributes, such as group memberships, roles, and email addresses to database roles, using the PostgreSQL yb_hba.conf and yb_ident.conf files.
Here's a summary of the steps to register an application in Azure:
- Navigate to the Azure console and click on App registrations, then click New registration.
- Enter a name for the application, select the tenant, and set the redirect URI to a specific URL.
- Obtain the tenant ID and client ID from the application registration.
- Configure OIDC in YugabyteDB Anywhere using the application you registered.
Pass ID Token Hint
You can pass an ID token hint to Azure AD B2C by including an inbound JSON Web Token (JWT) as part of the OAuth2 authorization request. This token is a hint about the user or the authorization request.
To include an ID token hint in the authentication request, you need to complete the Support advanced scenarios procedure. This is a crucial step that enables advanced features in Azure AD B2C.
In your custom policy, you should define an ID token hint technical profile. This technical profile is essential for passing the ID token hint to Azure AD B2C.
To add the ID token hint to the authentication request, you need to add the following line of code to the OnRedirectToIdentityProvider function: `context.ProtocolMessage.IdTokenHint = idTokenHint`. This line of code sets the ID token hint as a property of the protocol message.
Here's a summary of the steps to pass an ID token hint:
- Complete the Support advanced scenarios procedure.
- Define an ID token hint technical profile in your custom policy.
- Add the following line of code to the OnRedirectToIdentityProvider function: `context.ProtocolMessage.IdTokenHint = idTokenHint`.
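The round trip behind the steps above, as an added example in Python (it is not Microsoft's code and not the sample web app's C#). The relying party mints a short-lived inbound JWT about the user and sends it as the `id_token_hint` parameter of the authorization request, which is what `context.ProtocolMessage.IdTokenHint = idTokenHint` does on the .NET side; the receiving side, mirroring the check the ID token hint technical profile performs, verifies signature, issuer, audience and expiry before trusting any claim in the hint. Assumptions for this example: HS256 over a shared secret (Azure AD B2C can also validate against an asymmetric key), and the placeholder issuer, audience, endpoint and secret values.

```python
"""ID token hint: mint on the relying party, verify on the receiving side."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

SHARED_SECRET = b"placeholder-shared-secret-change-me"   # placeholder, constructed for this example
ISSUER = "https://rp.example.invalid"                      # placeholder issuer (the relying party)
AUDIENCE = "00000000-0000-0000-0000-000000000000"           # placeholder B2C application (client) ID


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token_hint(claims: dict, secret: bytes = SHARED_SECRET,
                       ttl: int = 300, now: Optional[int] = None) -> str:
    """Build the inbound JWT: fixed header, claims plus iss/aud/iat/exp, HMAC-SHA256 signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + ttl, **claims}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_id_token_hint(token: str, secret: bytes = SHARED_SECRET,
                         now: Optional[int] = None) -> dict:
    """Return the claims of an acceptable hint; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # pin the algorithm: never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def hint_is_valid(token: str, secret: bytes = SHARED_SECRET, now: Optional[int] = None) -> bool:
    """Accept/reject wrapper around verify_id_token_hint."""
    try:
        verify_id_token_hint(token, secret, now)
        return True
    except ValueError:
        return False


def authorize_url_with_hint(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            id_token_hint: str, state: str, nonce: str) -> str:
    """The OAuth2 authorization request carrying the hint (the Python equivalent of
    setting context.ProtocolMessage.IdTokenHint in OnRedirectToIdentityProvider)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid offline_access",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "id_token_hint": id_token_hint,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    hint = mint_id_token_hint({"email": "alice@contoso.example"})   # constructed sample user
    print(verify_id_token_hint(hint)["email"])
    print(authorize_url_with_hint("https://b2c.example.invalid/oauth2/v2.0/authorize",
                                  AUDIENCE, "https://localhost:44316/signin-oidc",
                                  hint, "state-placeholder", "nonce-placeholder"))
```

The verifier pins the algorithm before checking the signature and treats a hint whose `exp` has been reached as rejected; both are the checks a receiving policy relies on, since a hint carries identity claims that the rest of the flow will act on.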
Grafana Configuration
You can configure Azure AD authentication client in Grafana using either the Grafana UI or the configuration file.
To configure via the Grafana UI, navigate to Administration > Authentication > Azure AD and fill in the form with your Azure AD OAuth2 client details. If you have a current configuration in the Grafana configuration file, the form will be pre-populated with those values.
Alternatively, you can configure Azure AD authentication client using the Grafana configuration file. Ensure that you have access to the Grafana configuration file.
You can also enable Azure AD OAuth in Grafana by using environment variables to configure client_id and client_secret; this is available in Grafana v9.3 and later.
Roles for Grafana
Roles for Grafana are an essential part of configuring the application for seamless integration with Azure Active Directory (AAD). You can set up roles for Grafana in the Azure Portal or in the manifest file.
To set up roles in the Azure Portal, you'll need to go to App Registrations, search for your application, and click it. Then, click App roles and create a new app role for each Grafana role: Viewer, Editor, and Admin.
Alternatively, you can configure roles in the manifest file, which involves adding a Universally Unique Identifier (UUID) to each role. This requires replacing "SOME_UNIQUE_ID" with the generated ID in the manifest file.
The roles you can configure for Grafana are Viewer, Editor, and Admin.
By default, Azure AD authentication will map users to organization roles based on the most privileged application role assigned to the user in Entra ID. If no application role is found, the user is assigned the role specified by the auto_assign_org_role option.
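The manifest form of the three app roles described above, added here as an illustration (it is not Grafana's or Microsoft's own text). The `id` values are placeholders in the same spirit as SOME_UNIQUE_ID and each must be replaced with a freshly generated UUID; `value` is the string Grafana reads from the token's role claim, so it must be exactly Viewer, Editor or Admin.

```json
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "Grafana viewer users",
      "displayName": "Grafana Viewer",
      "id": "SOME_UNIQUE_ID_VIEWER",
      "isEnabled": true,
      "origin": "Application",
      "value": "Viewer"
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "Grafana editor users",
      "displayName": "Grafana Editor",
      "id": "SOME_UNIQUE_ID_EDITOR",
      "isEnabled": true,
      "origin": "Application",
      "value": "Editor"
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "Grafana org admin users",
      "displayName": "Grafana Org Admin",
      "id": "SOME_UNIQUE_ID_ADMIN",
      "isEnabled": true,
      "origin": "Application",
      "value": "Admin"
    }
  ]
}
```

A user who is assigned more than one of these roles is mapped to the most privileged one, as the paragraph above states; a user with none falls back to auto_assign_org_role, so keep that option at the least privilege you are comfortable granting to anyone who can sign in.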
Client Using Grafana Configuration
To configure Azure AD authentication client using the Grafana configuration file, you'll need access to the Grafana configuration file.
You can also use environment variables to configure client_id and client_secret. This feature is available in Grafana v9.3 and later versions.
If you already have a configuration in the Grafana configuration file, it will be pre-populated in the form. Otherwise, the form will contain default values.
Post-Sign-In Redirect Setup

To set up a post-sign-in redirect, provide a fully qualified URL in the post_login_redirect_uri query string parameter. This returns users to a specific page after signing in.
To send unauthenticated users back to the page they were trying to reach, create a response override rule that sets post_login_redirect_uri to .referrer; after they sign in, they are returned to the page that prompted the sign-in.
A post-sign-in redirect keeps the experience seamless by landing users on the correct page once they have signed in.
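A staticwebapp.config.json fragment that combines the two rules discussed on this page: a restricted route that only a custom role may reach (the route rules mentioned under Prerequisites) and the response override that sends unauthenticated users to sign in and then back to the referring page. It is an added example, not text from the Azure documentation; the route path and the custom role name `admin` are assumptions.

```json
{
  "routes": [
    {
      "route": "/admin/*",
      "allowedRoles": ["admin"]
    }
  ],
  "responseOverrides": {
    "401": {
      "statusCode": 302,
      "redirect": "/.auth/login/aad?post_login_redirect_uri=.referrer"
    }
  }
}
```

An anonymous request to a route whose allowedRoles excludes the anonymous role is answered with a 401; the override turns that into a 302 to the built-in login endpoint for the aad provider, and `.referrer` makes the platform send the user back to the page that triggered the 401 once they have signed in.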
Authentication Flow
To set up a seamless authentication experience for your users, you need to configure your user flow. This involves defining and controlling the user experience when users try to sign in to your app.
Azure AD B2C requires you to create three separate user flows: a combined Sign in and sign up user flow, a Profile editing user flow, and a Password reset user flow.
Each user flow should be created separately, and Azure AD B2C will prepend "B2C_1_" to the user flow name. For example, a user flow named "susi" will become "B2C_1_susi".
Here are the three user flows you should create:
- A combined Sign in and sign up user flow, such as "susi", which also supports the Forgot your password experience.
- A Profile editing user flow, such as "edit_profile".
- A Password reset user flow, such as "reset_password".
After creating these user flows, Azure AD B2C will generate a token and redirect users back to your application once they complete the user flow.
Security and Permissions
To configure the required Graph API permissions, navigate to Microsoft Entra ID > Manage > App registrations and select your application. Select API permissions and then click on Add a permission. Select Microsoft Graph from the list of APIs and choose Delegated permissions. Under the GroupMember section, select GroupMember.Read.All.
To determine the role to assign to users for database access, the Subject claim is used by default. You can instead select a non-standard claim with the jwt_matching_claim_key setting and map the user to database roles from that claim's values. That claim identifies the end user and grants them the right access inside databases.
The claims included in the token and chosen for user authorization will vary depending on your requirements. For example, to use group memberships as the determining factor for access and role assignment, you would include the groups claim in the initial token sent to the database.
Required Graph API Permissions
To configure the required Graph API permissions, you'll need to navigate to Microsoft Entra ID > Manage > App registrations and select your application.
First, select API permissions and then click on Add a permission. This will allow you to add the necessary permissions for your application.
Next, select Microsoft Graph from the list of APIs. This is the API that will give your application access to the necessary data.
To read data from groups, you'll need to select Delegated permissions. This type of permission allows your application to act on behalf of the user.
Under the GroupMember section, select GroupMember.Read.All. This permission will allow your application to read data from all group members.
Click Add permissions to save your changes.
Claims and Roles
Claims are used to determine a user's role and access within a system. By default, Azure AD authentication uses the Subject claim to map users to organization roles based on the most privileged application role assigned to the user in Entra ID.
You can instead use a non-standard claim, selected with jwt_matching_claim_key, to determine role assignment; the user is mapped to database roles based on the values of that claim.
The Subject claim can also be used to map the user to the PostgreSQL role. To configure group membership claims, you can add the groups claim to the token configuration either through the Azure Portal UI or by editing the manifest file.
Common claims used for role assignment are the Subject claim, the groups claim, the roles claim, and the email address.
You can configure these claims in the Azure AD application registration, and they will be included in the token sent to the database. This allows you to grant users access to the database based on their role and group memberships.
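The mapping logic described in the Claims and Roles section and in the YugabyteDB section above, as an added example in Python (it is not YugabyteDB's, Grafana's or Microsoft's code). It parses a yb_ident.conf-style map, selects the claim named by jwt_matching_claim_key from decoded token claims, and returns the database roles that match; it also shows the Grafana rule of taking the most privileged app role from the token with the auto_assign_org_role fallback. Assumptions: the ident line shape `map-name claim-value database-role` (the same shape as PostgreSQL's pg_ident.conf), and the constructed sample claims, group IDs and role names.

```python
"""Map decoded token claims to database roles (ident-style) and to a Grafana org role."""
from typing import List, Tuple

# yb_ident.conf-style map, constructed for this example.
# Assumed line shape: "<map-name> <claim-value> <database-role>".
IDENT_CONF = """
# map-name   claim-value                              database-role
aad_groups   11111111-2222-3333-4444-555555555555     yb_admin
aad_groups   aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee     yb_readonly
aad_users    alice@contoso.example                    alice
"""


def parse_ident_conf(text: str) -> List[Tuple[str, str, str]]:
    """Parse ident lines into (map_name, claim_value, db_role); comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed ident line: {raw!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def claim_values(claims: dict, key: str) -> List[str]:
    """Return the claim as a list of strings: 'groups' and 'roles' are array claims,
    'sub' and 'email' are scalars; a missing claim yields an empty list (no match, no access)."""
    value = claims.get(key)
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return [str(value)]


def db_roles_for_token(claims: dict, matching_claim_key: str, map_name: str,
                       ident_text: str = IDENT_CONF) -> List[str]:
    """Database roles granted to the token via the named map, in ident-file order, de-duplicated."""
    wanted = set(claim_values(claims, matching_claim_key))
    roles: List[str] = []
    for name, value, role in parse_ident_conf(ident_text):
        if name == map_name and value in wanted and role not in roles:
            roles.append(role)
    return roles


GRAFANA_ROLE_RANK = {"Admin": 3, "Editor": 2, "Viewer": 1}


def grafana_org_role(claims: dict, auto_assign_org_role: str = "Viewer") -> str:
    """Most privileged recognised Grafana role in the 'roles' claim wins; values that are not
    Viewer/Editor/Admin are ignored; no recognised role means auto_assign_org_role applies."""
    best = None
    for role in claim_values(claims, "roles"):
        if role in GRAFANA_ROLE_RANK and (best is None or GRAFANA_ROLE_RANK[role] > GRAFANA_ROLE_RANK[best]):
            best = role
    return best or auto_assign_org_role


# Constructed sample of decoded ID token claims (no real tenant, user or group).
SAMPLE_CLAIMS = {
    "sub": "9f1c0e2a-0000-0000-0000-000000000001",
    "email": "alice@contoso.example",
    "groups": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "11111111-2222-3333-4444-555555555555"],
    "roles": ["Viewer", "Editor"],
}

if __name__ == "__main__":
    print(db_roles_for_token(SAMPLE_CLAIMS, "groups", "aad_groups"))   # ['yb_admin', 'yb_readonly']
    print(db_roles_for_token(SAMPLE_CLAIMS, "email", "aad_users"))     # ['alice']
    print(grafana_org_role(SAMPLE_CLAIMS))                              # Editor
```

Matching on group object IDs rather than display names is deliberate: the groups claim carries IDs, and an ID cannot be spoofed by creating a like-named group. A token without the selected claim matches nothing, which is the safe default for a database login path.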
Frequently Asked Questions
What method does Microsoft Azure app Service use to obtain credentials for users attempting to access an app?
Microsoft Azure App Service uses Azure Active Directory (AAD) authentication to verify user credentials. This secure method ensures seamless access to apps for authorized users.