This repository has been archived by the owner on Apr 10, 2018. It is now read-only.

POC 1: Internal AD User should be able to login to an Azure Web App Using their Azure AD Credentials

Shraddha edited this page Jan 15, 2018 · 29 revisions

Work in Progress - How to Guide - Demonstrating Identity POC One

Table of Contents

a. Objective of the POC
b. Prerequisites
c. Deployment Steps
d. Demo Scenarios - Global admin deploys web application
e. Clear Deployment

How to Guide - Demonstrating Identity POC One

a. Objective of the POC

NBME user should be able to log in to an Azure Web App using their Azure AD credentials.

b. Prerequisites

  1. Download and install Git, which is used as the source version control tool.
  2. Azure tenant id and tenant domain name
  3. Azure subscription
  4. Global admin username and password
  5. Only work ids (AD accounts) are supported. The id must be a Global Administrator of Azure Active Directory and an Owner of the subscription. (To grant the global AD user Owner access to the Azure subscription: Left Navigation Bar -> Subscriptions -> Select subscription -> Access Control (IAM) -> + Add)

c. Deployment Steps

If you are running from Azure Cloud Shell, first change to the Downloads folder:

cd $HOME\Downloads

  1. Clone the develop branch of the identity-pocs repository using the following command.
git clone -b develop https://github.com/AvyanConsultingCorp/identity-pocs
  2. Go to the deployment folder "identity-pocs\Deployment" in File Explorer. Click on the File menu and select the option "Open Windows PowerShell as administrator".
  3. Follow the sequence below and use the command given underneath each step to demonstrate the scenarios.

d. Demo Scenarios - global admin deploys web application (deploy time: 15-20 min)

  1. Run the following command to install the required modules.
cd .\identity-pocs\Deployment\
.\ScenarioTwo.ps1 -installModules
  2. Run the following command with the values specific to your environment (the trailing backtick on the last line has been removed; a dangling continuation character would leave PowerShell waiting for more input).
.\ScenarioOne.ps1 -deploymentPrefix 'prefix' `
                  -globalAdminUsername '{global admin username to access tenant domain}' `
                  -tenantId '{active directory tenant id}' `
                  -subscriptionId '{subscription id}' `
                  -tenantDomain '{tenant domain name}' `
                  -deploymentPassword '{alphanumeric password}' `
                  -location 'eastus'

The above script will do the following:

  • Install the relevant PowerShell modules
  • Prompt for the global AD administrator password, which is required to create the test users used for application testing
  • Deploy the following resource groups:
    • <prefix>-artifacts-rg
    • <prefix>-workload-rg
  • Write the list of created users to "identity-pocs\Deployment\output\users.txt" (open it in File Explorer).
  3. In the Azure portal navigate to Azure Active Directory -> App registrations -> Identity Web Application -> Required Permissions, click on Grant Permission and then click Yes to provide admin consent for reading the signed-in user's profile.
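The deployment command above passes the deployment password as a plain-text argument, which lands in the PowerShell command history and in any session transcript. The following wrapper, an added example that is not part of the identity-pocs repository, prompts for the password instead and validates the tenant and subscription ids before starting the 15-20 minute deployment; the prefix pattern and the minimum password length are assumptions, and the script is assumed to be run from the identity-pocs\Deployment folder.

```powershell
# Added example, not part of identity-pocs. Wraps .\ScenarioOne.ps1 so the deployment
# password is entered at a prompt rather than typed on the command line.
param(
    [Parameter(Mandatory)] [ValidatePattern('^[a-z0-9]{3,10}$')] [string] $DeploymentPrefix,  # assumed prefix rule
    [Parameter(Mandatory)] [string] $GlobalAdminUsername,
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $TenantDomain,
    [string] $Location = 'eastus'
)

# Both ids must be GUIDs; fail early instead of partway through the deployment.
foreach ($pair in @{ tenantId = $TenantId; subscriptionId = $SubscriptionId }.GetEnumerator()) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($pair.Value, [ref] $parsed)) {
        throw "Parameter -$($pair.Key) is not a valid GUID: '$($pair.Value)'"
    }
}

# Read the password as a SecureString so it is not recorded in PSReadLine history,
# then decode it only for the duration of the call.
$secure = Read-Host -Prompt 'Deployment password (alphanumeric)' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
# The page only requires an alphanumeric password; the 12-character minimum is an assumption.
if ($plain -notmatch '^[A-Za-z0-9]{12,}$') {
    throw 'Deployment password must be alphanumeric and at least 12 characters long'
}

# Splat the parameters into ScenarioOne.ps1 exactly as the page's command passes them.
$scenarioArgs = @{
    deploymentPrefix    = $DeploymentPrefix
    globalAdminUsername = $GlobalAdminUsername
    tenantId            = $TenantId
    subscriptionId      = $SubscriptionId
    tenantDomain        = $TenantDomain
    deploymentPassword  = $plain
    location            = $Location
}
& .\ScenarioOne.ps1 @scenarioArgs
```

The password still reaches ScenarioOne.ps1 as a string parameter, as that script expects, but it stays in process memory instead of the console history.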

Verification steps

1. Positive scenario

1.1 Verify the application is working:

  • In the Azure portal navigate to <prefix>-workload-rg -> <prefix>-identity-webapp and click on the URL field as shown below. It will navigate to the Microsoft login page. Enter the credentials of a created user from 'users.txt' and you will see the following UI with the signed-in user's details.

User Details

1.2 Sign Out: Click on Sign out. You will be signed out and the application will redirect to the Microsoft sign-in page again.

2. Negative scenario

2.1 User is not added to Azure Active Directory: Go to {prefix}-identity-webapp and browse to the endpoint URL. You will see the Microsoft login page. Enter the credentials of a user who is not added to Active Directory.

  • You should see an error message.

2.2 User is disabled in Active Directory: Go to {prefix}-identity-webapp and browse to the endpoint URL. You will see the Microsoft login page. Enter the credentials of a disabled user from users.txt.

  • You should see the error message "Your account has been locked. Contact your support person to unlock it, then try again".

e. Clear Deployment

Note: Do not execute the clear deployment of POC 1 and the install deployment of POC 2 in parallel, as the clear deployment will remove the created AD users.

Run the following command to clear all the resources deployed during the demo.

.\ScenarioOne.ps1 -deploymentPrefix 'prefix' `
                  -globalAdminUsername '{global admin username to access tenant domain}' `
                  -tenantId '{active directory tenant id}' `
                  -subscriptionId '{subscription id}' `
                  -tenantDomain '{tenant domain name}' `
                  -clearDeployment

Verification steps -

  1. Log in to the Azure portal and select the subscription.
  2. Check that all resource groups with the deploymentPrefix have been removed.