Unable to sign in when using existing app registration for authentication

[captainhook]

Tool version
4.2.1

Describe the bug
In setting up authentication for the App Service, I would like to re-use an existing App Registration rather than create a new one. However when I do this, it shows a 'We couldn't sign you in. Please try again.' error message.

To Reproduce
Steps to reproduce the behavior:

1. Go to App Service > Authentication >
2. Click on 'Add identity provider'
3. Select Microsoft
4. App registration type: Pick an existing app registration in this directory
5. Select the App Registration
6. Click 'Add'
7. Wait ~5mins
8. Visit the App's URL

Expected behavior
It should login and make Az Naming Tool available for use.

Screenshots

Installation Method
Azure App Service deployed using Terraform. Azure Naming Tool built and deployed using Azure DevOps CI/CD pipelines.

Additional context
When using the 'Create new app registration' option, it appears to work fine. If I disconnect from this app and then try to manually reconnect, it starts to fail again.

I have added the Redirect URI (https://app-appname-001.azurewebsites.net/.auth/login/aad/callback) and API scope on the App Registration so I can't see what I'm missing from the existing App Reg or why it stops working on the one which the App Service creates itself.

[BryanSoltis]

There are no specific aspects of the Azure Naming Tool in regards to Azure App Service authentication. The challenge you experiencing is due to your registration not being configured correctly for the App Service.

https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-configuration#advanced

I usually recommend clients create a new app registration, however, an existing one works too. You just have to be sure to set all the correct settings in the registration itself. As a starting point, I would create the app registration and review all the registration settings it creates, then duplicate those within the existing registration you would like to use.

Hope this helps!

• Bryan

[Rod-Welsh]

Have experienced this same issue, webapp deployed via tf and gitlab runner using webapp deploy cli cmd.
Without Authentication App works fine, Enable Auth and we experience issues with the app and even redoing a new app registration. Our's is also priv end pointed so does DNS name resolution become an issue within the app. Noticing sign in logs are 3-4 successful logins.

[captainhook]

@Rod-Welsh did you manage to resolve this?

[Rod-Welsh]

@captainhook - Eventually yes we managed to get it working.

[captainhook]

@captainhook - Eventually yes we managed to get it working.

Would you mind sharing what you did to resolve it? Thanks

[ebbypeter]

@Rod-Welsh Could you share how you managed to get it working? I am planning to deploy this tool in my organization.

[Rod-Welsh]

Hi @captainhook and @ebbypeter - apologies about the slow return.
The root cause I found was allowing the app registration to get the audience token from management azure - Missing allowed token audience –“ [https://management.azure.com”].
I have attached the document that was provided to me via Microsoft.
https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-apply-easy-auth-on-web-app-under-a-high-security-policy-environment/4139404

[captainhook]

Hi @captainhook and @ebbypeter - apologies about the slow return.
The root cause I found was allowing the app registration to get the audience token from management azure - Missing allowed token audience –“ [https://management.azure.com”].
I have attached the document that was provided to me via Microsoft.
https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-apply-easy-auth-on-web-app-under-a-high-security-policy-environment/4139404

Legend - thank you! I will give this a try and then confirm/close this issue.