ARM Template Web App Authentication Settings not working

て烟熏妆下的殇ゞ submitted on 2020-01-14 04:16:19

Question


I am working on setting up my site authentication settings to use the AAD provider. Most of the template is respected. However, the unauthenticatedClientAction and allowedAudiences are not being properly assigned. I observe 'allow anonymous' and no 'allowed audiences' being assigned.

Here is my template segment for these settings. It is nested under resources in my website template.

root > Microsoft.Web/Site > Resources

{
    "type": "config",
    "name": "web",
    "apiVersion": "2016-08-01",
    "location": "[parameters('app-location')]",
    "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('web-site-name'))]"
    ],
    "properties": {
        "siteAuthEnabled": true,
        "siteAuthSettings": {
            "enabled": true,
            "unauthenticatedClientAction": "RedirectToLoginPage",
            "tokenStoreEnabled": true,
            "defaultProvider": "AzureActiveDirectory",
            "clientId": "[parameters('web-aad-client-id')]",
            "issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
            "allowedAudiences": [
                "[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
            ]
        }
    }
}
  • Template Validates
  • Deployment does not output any errors

Issues:

  1. unauthenticatedClientAction is assigned allow anonymous not RedirectToLoginPage
  2. allowedAudiences is not assigned any sites

What could be causing these issues? What could I have missed?


Answer 1:


I got my answer after working with the fine people at Azure Support.

Please note that this solution targets API 2018-02-01, which was the current version at the time of this post.

This sub-resource is no longer a valid solution; while the endpoint may still recognize some of its fields, it is deprecated.

The new solution is to add the siteAuthSettings object to the main 'Microsoft.Web/sites' properties, and siteAuthEnabled is no longer needed, as siteAuthSettings.enabled duplicates this functionality.

Updated ARM Template (removed other settings for brevity)

{
    "name": "[variables('app-service-name')]",
    "type": "Microsoft.Web/sites",
    "location": "[parameters('app-location')]",
    "apiVersion": "2016-08-01",
    "dependsOn": [
        "[variables('app-plan-name')]"
    ],
    "properties": {
        //... other app service settings
        "siteAuthSettings": {
            "enabled": true,
            "unauthenticatedClientAction": "RedirectToLoginPage",
            "tokenStoreEnabled": true,
            "defaultProvider": "AzureActiveDirectory",
            "clientId": "[parameters('web-aad-client-id')]",
            "issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
            "allowedAudiences": [
                "[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
            ]
        }
    }
}
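
A pre-deployment check for the two placements discussed above, as an added example that is not part of the original question or answer: it flags siteAuthSettings left in the nested config/web sub-resource and verifies the settings on the Microsoft.Web/sites resource itself. The function names, the sample templates and the site name site-a are constructed for illustration.

```python
# Added example (not from the original post): lint a parsed ARM template for
# the App Service authentication misconfiguration described in this thread.
REQUIRED_ACTION = "RedirectToLoginPage"

def check_settings(settings):
    """Return the problems found in one siteAuthSettings object."""
    problems = []
    if settings.get("enabled") is not True:  # expects the literal true
        problems.append("enabled is not true")
    if settings.get("unauthenticatedClientAction") != REQUIRED_ACTION:
        problems.append("unauthenticatedClientAction is not " + REQUIRED_ACTION)
    if not settings.get("allowedAudiences"):
        problems.append("allowedAudiences is empty")
    return problems

def audit_template(template):
    """Return (site name, problem) pairs for each Microsoft.Web/sites resource."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.web/sites":
            continue
        name = res.get("name", "<unnamed>")
        # Placement from the question: a nested config/web sub-resource.
        for child in res.get("resources", []):
            is_web_config = (child.get("type"), child.get("name")) == ("config", "web")
            if is_web_config and "siteAuthSettings" in child.get("properties", {}):
                findings.append((name, "siteAuthSettings in nested config/web (deprecated placement)"))
        # Placement from the answer: directly in the site's properties.
        settings = res.get("properties", {}).get("siteAuthSettings")
        if settings is None:
            findings.append((name, "no siteAuthSettings in site properties"))
        else:
            findings.extend((name, p) for p in check_settings(settings))
    return findings

# Constructed sample inputs mirroring the two templates on this page.
AUTH = {"enabled": True, "unauthenticatedClientAction": "RedirectToLoginPage",
        "allowedAudiences": ["https://site-a.azurewebsites.net"]}
OLD_TEMPLATE = {"resources": [{"type": "Microsoft.Web/sites", "name": "site-a",
    "properties": {}, "resources": [{"type": "config", "name": "web",
        "properties": {"siteAuthEnabled": True, "siteAuthSettings": AUTH}}]}]}
NEW_TEMPLATE = {"resources": [{"type": "Microsoft.Web/sites", "name": "site-a",
    "properties": {"siteAuthSettings": AUTH}}]}

if __name__ == "__main__":
    for label, tpl in (("question", OLD_TEMPLATE), ("answer", NEW_TEMPLATE)):
        print(label, audit_template(tpl))
```

Because the deployment in the question succeeded while the values were dropped, check_settings can also be run on the effective settings read back from the deployed app, assuming they are exported with the same field names.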


Source: https://stackoverflow.com/questions/54411480/arm-template-web-app-authentication-settings-not-working
