Azure AD Authentication for app service is not working

[muk-shobhit]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.4.0

AzureRM Provider Version

3.47.0

Affected Resource(s)/Data Source(s)

auth_settings_v2

Terraform Configuration Files

dynamic "auth_settings_v2" {
    for_each = var.enable_auth ? [var.enable_auth] : []
    content {
      auth_enabled = var.enable_auth
      default_provider ="azureactivedirectory"
      unauthenticated_action="RedirectToLoginPage"
      login {
        token_store_enabled = true
      }
      active_directory_v2 {
        client_id                  = var.app_client_id
        client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
        tenant_auth_endpoint       = "https://sts.windows.net/<tenentid>/v2.0"
      }
    }
  }
}

Debug Output/Panic Output

NA

Expected Behaviour

Authentication should work as usual

Actual Behaviour

Authentication is not working. We get "Internal server error"

Steps to Reproduce

Using below implement the Authentication to a web app

dynamic "auth_settings_v2" {
    for_each = var.enable_auth ? [var.enable_auth] : []
    content {
      auth_enabled = var.enable_auth
      default_provider ="azureactivedirectory"
      unauthenticated_action="RedirectToLoginPage"
      login {
        token_store_enabled = true
      }
      active_directory_v2 {
        client_id                  = var.app_client_id
        client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
        tenant_auth_endpoint       = "https://sts.windows.net/<tenentid>/v2.0"

      }
    }
  }

Important Factoids

No

References

No response

[muk-shobhit]

During troubleshooting, we noticed that allowedGroup node is added in jwtClaimChecks, which is the actual cause of this issue. The application starts working by removing this property (with the help of resource explorer).

"validation": {
"jwtClaimChecks": {
"allowedGroups": [],
"allowedClientApplications": []
},
"allowedAudiences": [],
"defaultAuthorizationPolicy": {
"allowedPrincipals": {}
}
}

[epomatti]

@muk-shobhit I think I'm having a similar issue as my configuration looks exactly as you posted, however your workaround didn't work for me.

I too get HTTP 500 Internal Server Error after the user login and when the browser is redirected to the <app_url>/.auth/login/aad/callback endpoint.

I'll share below what I've tried so far and will post here in this thread any updates.

---

I downloaded the authsettingsV2 config using this command (couldn't find how using Resource Explorer):

az rest --uri /subscriptions/<SUBSCRIPTION>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<APP_SERVICE>/config/authsettingsV2?api-version=2022-03-01 --method get > auth.json

Then I removed the "allowedGroups": [] property from the JSON.

Finally, I uploaded the new configuration:

az rest --uri /subscriptions/<SUBSCRIPTION>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<APP_SERVICE>/config/authsettingsV2?api-version=2022-03-01 --method put --body @auth.json

I checked the API again and was able to confirm that the validation section looks like this now, but still the authentication won't work (tried restarting the app just for sanity check).

"validation": {
  "allowedAudiences": [
    "api://myprivateapp9b346f24ae5eb3e0"
  ],
  "defaultAuthorizationPolicy": {
    "allowedApplications": [],
    "allowedPrincipals": {
      "groups": [],
      "identities": []
    }
  },
  "jwtClaimChecks": {
    "allowedClientApplications": []
  }
}

[epomatti]

I was able to solve my issue as well, and I'll explain how.

1. Created my webapp using Terraform (with authentication enabled)
2. Created a webapp and added authentication using the Portal

I then downloaded both of the authsettingsV2 config, one from each webapp, and compared the differences.

az rest --uri /subscriptions/<SUBSCRIPTION>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<APP_SERVICE>/config/authsettingsV2?api-version=2022-03-01 --method get > auth.json

After comparing the Portal webapp with my Terraform webapp, I noticed a few differences and removed the following fields which are being added when using the Terraform Azurerm provider:

"excludedPaths": []
"loginParameters": []
"clientSecretCertificateThumbprint": ""
"allowedApplications": []
"groups": []
"identities": []
"allowedClientApplications": []
"allowedExternalRedirectUrls": []

Updated the edited Terraform webapp JSON:

az rest --uri /subscriptions/<SUBSCRIPTION>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<APP_SERVICE>/config/authsettingsV2?api-version=2022-03-01 --method put --body @auth_terraform.json

After that, my authentication worked as expected.

[github-actions]

This functionality has been released in v3.49.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.