Allow/Deny users using web.config in Azure app service

Problem description

I have got an app service with 3 virtual paths shown below.

Virtual path                 Physical path            Type
/                            site\wwwroot             Application
/app2                        site\wwwroot\app2        Application
/app3                        site\wwwroot\app3        Application

How can I use web.config to control access to my site using Azure Security Groups? I've got 3 security groups and I want to allow access as below.

Allow sg1 to have access to my root /.

Allow sg2 to have access to my root & /app2.

Allow sg3 to have access to my root & /app3.

In my on-prem IIS box I was able to do something like below to control access.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <customErrors mode="Off"/>
        <authentication mode="Windows"/>
        <authorization>
            <allow roles="GLOBAL\sg1"/>
            <deny users="*"/>
        </authorization>
    </system.web>
    <location path="app2">
        <system.web>
            <authorization>
                <allow roles="Global\sg1"/>
                <allow roles="Global\sg2"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="app3">
        <system.web>
            <authorization>
                <allow roles="Global\sg1"/>
                <allow roles="Global\sg3"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>

</configuration>

Can I replicate this in Azure app services?

I tried a simple base case, as per below. I can go to my / fine as it has no restrictions, but I get the error "The page cannot be displayed because an internal server error has occurred." when browsing to /app2.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <location path="app2">
        <system.web>
            <customErrors mode="Off"/>
            <authentication mode="Windows"/>
            <authorization>
                <allow roles="GLOBAL\sg1"/>
                <allow roles="GLOBAL\sg2"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
</configuration>

Please help :(

Tags: azure, azure-active-directory, web-config, azure-web-app-service

Solution


Can I replicate this in Azure app services?

No, you cannot since what you describe is Active Directory behavior. App Services do not integrate with AD.

Next best thing would be Azure AD authentication, but this will require code changes and look quite different in the end: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
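
What the code change mentioned in the answer can look like, as an added example that is not part of the original answer or of any Microsoft sample: a per-path group check that mirrors the allow rules of the on-prem web.config in the question, reading the `X-MS-CLIENT-PRINCIPAL` header that App Service Authentication passes to the application. Assumptions: App Service Authentication is enabled and rejects unauthenticated requests, the app registration emits `groups` claims, the group object IDs are placeholders, the class and method names are hypothetical, and C# 8 with System.Text.Json is available.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class GroupPathAuthorizer // hypothetical helper, not a platform API
{
    // Placeholder Azure AD group object IDs (constructed); use the real IDs of sg1/sg2/sg3.
    const string Sg1 = "00000000-0000-0000-0000-000000000001";
    const string Sg2 = "00000000-0000-0000-0000-000000000002";
    const string Sg3 = "00000000-0000-0000-0000-000000000003";

    // Same allow lists as the <location> blocks in the question; most specific prefix first.
    static readonly (string Prefix, string[] Groups)[] Rules =
    {
        ("/app2", new[] { Sg1, Sg2 }),
        ("/app3", new[] { Sg1, Sg3 }),
        ("/",     new[] { Sg1 }),
    };

    // principalHeader is the raw value of the X-MS-CLIENT-PRINCIPAL request header.
    public static bool IsAllowed(string path, string principalHeader)
    {
        if (string.IsNullOrEmpty(path) || string.IsNullOrEmpty(principalHeader))
            return false; // no identity: equivalent of <deny users="*"/>
        HashSet<string> groups;
        try
        {
            // The header is base64-encoded JSON: { "claims": [ { "typ": "...", "val": "..." } ], ... }
            var json = Encoding.UTF8.GetString(Convert.FromBase64String(principalHeader));
            using var doc = JsonDocument.Parse(json);
            groups = new HashSet<string>(
                doc.RootElement.GetProperty("claims").EnumerateArray()
                   .Where(c => c.GetProperty("typ").GetString() == "groups")
                   .Select(c => c.GetProperty("val").GetString()),
                StringComparer.OrdinalIgnoreCase);
        }
        catch (Exception) { return false; } // malformed header: fail closed
        foreach (var (prefix, allowed) in Rules)
        {
            // Match "/app2" and "/app2/..." but not "/app22".
            bool match = prefix == "/"
                || path.Equals(prefix, StringComparison.OrdinalIgnoreCase)
                || path.StartsWith(prefix + "/", StringComparison.OrdinalIgnoreCase);
            if (match) return allowed.Any(groups.Contains);
        }
        return false;
    }
}
```

A request carrying no `groups` claim at all is denied on every path, so users whose token omits the claim need to be handled separately.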

