1

An Azure Static Web App has a notion of auth that can be used to whitelist individual users, or individual identity providers (as in this question).

Is it possible to require authentication through the particular tenant/organizational directory used to set up the resource, through Azure configuration alone, as is currently possible with the ordinary Azure Web App Service; that is, require authentication through AAD as in the above linked question, but furthermore restrict access to members of the relevant tenant? If so, what might the corresponding routes.json look like?

See also this GitHub issue.

fuglede

2 Answers

1

It looks like this is now possible using custom authentication:

Specifically for Azure Active Directory (AAD) registrations, you have the option of providing a tenant, which allows you to bypass the invitation flow for group management.

fuglede
0

Functionality defined in the routes.json file is now deprecated and better implemented in the Azure Static Web Apps configuration file.

https://learn.microsoft.com/en-us/azure/static-web-apps/routes#example-route-file

Example of Azure Static Web Apps configuration file.

https://learn.microsoft.com/en-us/azure/static-web-apps/configuration#example-configuration-file

To limit access to the Azure Static Web App to a single tenant, add a route to the configuration file:

    {
      "route": "/login",
      "serve": "/.auth/login/aad"
    }

If there is an Azure Function API contained within your Static Web App, the service inserts its own auth token into the header. If you are relying on the Authorization Bearer header to pass your token from app to API, it may be overwritten.

Authorisation using MSAL for a function in Azure Static Web App

Andriy Bilous
  • Thanks! What part of the configuration ensures that it's for the single tenant, as opposed to for _anyone_ using AAD? – fuglede Apr 23 '21 at 13:37
  • where msalConfig contains: ``` auth: { clientId: "", authority: "https://login.microsoftonline.com/" } ``` – Andriy Bilous Apr 23 '21 at 13:50
  • I'm confused; that one seems to be about protecting the API of a given Functions app, not the static assets themselves, right? – fuglede Apr 23 '21 at 19:09
  • Azure Static WebApp can be Azure Function with Static content https://learn.microsoft.com/en-us/azure/static-web-apps/overview – Andriy Bilous Apr 26 '21 at 11:56
  • 2
    We are working on the ability to lock down the built in auth to a single AAD tenant. Hoping to have this available within a couple months. – Anthony Chu Apr 29 '21 at 03:27
  • @AnthonyChu: And it looks like you did indeed manage to! – fuglede Jun 07 '21 at 12:27
  • @AnthonyChu Do you have any more docs on how to use the AzureAD. https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-custom?tabs=aad#configuration shows some settings but what else is needed? Routes etc. I can't get it to work. – Krolken Jul 06 '21 at 15:07
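
An added example, not taken from either answer: a `staticwebapp.config.json` of the kind the custom-authentication answer points to, held here as a JavaScript object, together with a checker for the gaps raised in the comments (an issuer that is not tied to one tenant, routes that do not require sign-in). `<TENANT_ID>`, the two application setting names and the `auditTenantLockdown` helper are assumptions made for illustration.

```javascript
// Constructed staticwebapp.config.json content. <TENANT_ID> is a placeholder;
// AAD_CLIENT_ID / AAD_CLIENT_SECRET are assumed application setting names.
const sampleConfig = {
  auth: { identityProviders: { azureActiveDirectory: { registration: {
    // Tenant-specific issuer: this is what pins sign-in to one directory.
    openIdIssuer: "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
    clientIdSettingName: "AAD_CLIENT_ID",
    clientSecretSettingName: "AAD_CLIENT_SECRET"
  } } } },
  routes: [
    // Explicit 404s for the other built-in login endpoints (defense in depth).
    { route: "/.auth/login/github", statusCode: 404 },
    { route: "/.auth/login/twitter", statusCode: 404 },
    // Every path, static assets included, needs a signed-in user.
    { route: "/*", allowedRoles: ["authenticated"] }
  ],
  // Anonymous requests are sent to the AAD login endpoint instead of a bare 401.
  responseOverrides: { "401": { statusCode: 302, redirect: "/.auth/login/aad" } }
};

const MULTI_TENANT = ["common", "organizations", "consumers"];

// Hypothetical helper: returns findings; an empty array means no gap was found.
function auditTenantLockdown(config) {
  const findings = [];
  const issuer = config.auth?.identityProviders?.azureActiveDirectory
    ?.registration?.openIdIssuer ?? "";
  const m = /^https:\/\/login\.microsoftonline\.com\/([^/]+)(?:\/v2\.0)?\/?$/.exec(issuer);
  if (!m) {
    findings.push("no custom AAD registration with a tenant issuer");
  } else if (MULTI_TENANT.includes(m[1].toLowerCase())) {
    findings.push(`issuer segment '${m[1]}' accepts more than one tenant`);
  }
  const routes = config.routes ?? [];
  const roles = routes.find(r => r.route === "/*")?.allowedRoles ?? [];
  if (roles.length === 0 || roles.includes("anonymous")) {
    findings.push("catch-all route '/*' is reachable without signing in");
  }
  for (const provider of ["github", "twitter"]) {
    const blocked = routes.some(
      r => r.route === `/.auth/login/${provider}` && r.statusCode === 404);
    if (!blocked) findings.push(`login route for '${provider}' is not blocked`);
  }
  return findings;
}

console.log(auditTenantLockdown(sampleConfig));
```

When copying the object into a real `staticwebapp.config.json`, drop the comments and replace `<TENANT_ID>` with the directory (tenant) ID of the app registration.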