azure - Allow/Deny users using web.config in Azure app service
Problem description
I have got an app service with 3 virtual paths shown below.
Virtual path    Physical path         Type
/               site\wwwroot          Application
/app2           site\wwwroot\app2     Application
/app3           site\wwwroot\app3     Application
How can I use web.config to control access to my site using Azure Security Groups? I've got 3 security groups and I want to allow access as below.
Allow sg1 to have access to my root /.
Allow sg2 to have access to my root & /app2.
Allow sg3 to have access to my root & /app3.
In my on-prem IIS box I was able to do something like below to control access.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <authentication mode="Windows"/>
    <authorization>
      <allow roles="GLOBAL\sg1"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <location path="app2">
    <system.web>
      <authorization>
        <allow roles="Global\sg1"/>
        <allow roles="Global\sg2"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="app3">
    <system.web>
      <authorization>
        <allow roles="Global\sg1"/>
        <allow roles="Global\sg3"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
Can I replicate this in Azure app services?
I tried a simple base case, as per below. I can go to my / fine as it has no restrictions, but I get the error "The page cannot be displayed because an internal server error has occurred." when browsing to /app2
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="app2">
    <system.web>
      <customErrors mode="Off"/>
      <authentication mode="Windows"/>
      <authorization>
        <allow roles="GLOBAL\sg1"/>
        <allow roles="GLOBAL\sg2"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
Please help :(
Solution
Can I replicate this in Azure app services?
No, you cannot since what you describe is Active Directory behavior. App Services do not integrate with AD.
Next best thing would be Azure AD authentication, but this will require code changes and look quite different in the end: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
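Added example, not part of the original answer or of any Microsoft sample: a sketch of what the "code changes" can look like once App Service authentication is in front of the app, which passes the signed-in user's claims to the application as base64-encoded JSON in the X-MS-CLIENT-PRINCIPAL request header. It is written in Python so the logic runs offline; the same header reaches an app in any language. Assumptions: the app registration is configured to emit group claims with type "groups", the three object IDs are placeholders, and the rule table and function names are hypothetical.

```python
import base64
import json

# Assumption: placeholders for the Azure AD object IDs of sg1/sg2/sg3.
# By default group claims carry object IDs, not names such as GLOBAL\sg1.
SG1, SG2, SG3 = "<sg1-object-id>", "<sg2-object-id>", "<sg3-object-id>"

# Most specific prefix first; mirrors the access the question asks for.
RULES = [
    ("/app2", {SG2}),
    ("/app3", {SG3}),
    ("/", {SG1, SG2, SG3}),
]


def groups_from_principal(header_value):
    """Return the 'groups' claim values from an X-MS-CLIENT-PRINCIPAL header."""
    try:
        principal = json.loads(base64.b64decode(header_value, validate=True))
        return {c["val"] for c in principal["claims"] if c.get("typ") == "groups"}
    except (ValueError, KeyError, TypeError, AttributeError):
        return set()  # missing or malformed header: no groups, so access is denied


def is_allowed(path, header_value):
    """Apply the first matching rule; deny when the caller has none of its groups."""
    groups = groups_from_principal(header_value)
    path = path.lower()  # IIS paths are case-insensitive
    for prefix, allowed in RULES:
        # Match on the segment boundary so /app22 is not treated as /app2.
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return bool(groups & allowed)
    return False


def make_header(groups):
    """Build a constructed sample header value for offline runs."""
    doc = {"auth_typ": "aad", "claims": [{"typ": "groups", "val": g} for g in groups]}
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    samples = [("/", [SG1]), ("/app2", [SG1]), ("/app2/x", [SG2]), ("/app3", [SG2])]
    for path, member_of in samples:
        print(path, member_of, is_allowed(path, make_header(member_of)))
```

The check relies on App Service authentication being enabled for the app, since the platform is what populates the header. A user whose token carries no groups claim is denied on every path.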