Merge pull request #17 from sebassem/main

Updating webapp authentication

.github/workflows/deployAzGovVizAccelerator.yml

@@ -2,7 +2,10 @@ name: DeployAzGovVizAccelerator
 
 on:
   workflow_dispatch:
-
+    inputs:
+      authorizedGroupId:
+        description: 'Authorized Group object Id to access the AzGovViz webapp'
+        required: true
 jobs:
   AzureGovernanceVisualizer:
     runs-on: ubuntu-latest
@@ -32,6 +35,6 @@ jobs:
           subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
           resourceGroupName: ${{vars.RESOURCE_GROUP_NAME}}
           template: ./bicep/webApp.bicep
-          parameters: ./bicep/webApp.parameters.json webAppName=${{vars.WEB_APP_NAME}} managementGroupId=${{secrets.MANAGEMENT_GROUP_ID}} clientId=${{ secrets.ENTRA_CLIENT_ID }} clientSecret=${{ secrets.ENTRA_CLIENT_SECRET }}
+          parameters: ./bicep/webApp.parameters.json webAppName=${{vars.WEB_APP_NAME}} managementGroupId=${{secrets.MANAGEMENT_GROUP_ID}} clientId=${{ secrets.ENTRA_CLIENT_ID }} clientSecret=${{ secrets.ENTRA_CLIENT_SECRET }} authorizedGroupId=${{github.event.inputs.AuthorizedGroupId}}
           failOnStdErr: false
 

README.md

@@ -258,20 +258,24 @@ New-AzRoleAssignment `
 1. Create an [app registration](https://learn.microsoft.com/entra/identity-platform/quickstart-register-app#register-an-application) in Microsoft Entra ID for your Azure App Web App.
 
    In the Redirect URIs section, select Web for platform and type the URI in the following format: "https://<webapp_name>.azurewebsites.net/.auth/login/aad/callback"
-1. Click on _Authentication_ and under _Implicit grant and hybrid flows_, enable ID tokens to allow OpenID Connect user sign-ins from App Service. Select Save.
+2. Click on _Authentication_ and under _Implicit grant and hybrid flows_, enable ID tokens to allow OpenID Connect user sign-ins from App Service. Select Save.
 
    ![Screenshot showing enabling Open ID in app registration](./media/app_registration_openID.png)
 
-1. From the left navigation, select Expose an API > Add > Save.
+3. From the left navigation, select Expose an API > Add > Save.
 
    ![Screenshot showing exposing an API](./media/app_registration_expose_api.png)
 
    ![Screenshot showing exposing an API](./media/app_registration_expose_api_add.png)
 
-1. Click on _Add a scope_ and provide the values as the screenshot.
+4. Click on _Add a scope_ and provide the values as the screenshot.
 
    ![Screenshot showing adding a scope to the API](./media/app_registration_expose_api_addScope.png)
 
+5. From the left navigation, select Manifest and set "groupMembershipClaims" to "SecurityGroup".
+
+   ![Screenshot showing adding a scope to the API](./media/app_registration_groupsClaim.png)
+
 **:keyboard: Use PowerShell:**
 
 ```powershell
@@ -312,6 +316,7 @@ $body = @"
   "identifierUris" : [
     "api://$webAppSPAppId"
   ],
+  "groupMembershipClaims" : "SecurityGroup",
   "api": {
     "oauth2PermissionScopes": [
       {
@@ -423,9 +428,9 @@ gh api -X PUT /repos/$GitHubOrg/$GitHubRepository/actions/permissions/workflow -
 
    ![Screenshot showing the GitHub actions pane](./media/actions_pane.png)
 
-1. Run the _DeployAzGovVizAccelerator_ workflow to initialize the accelerator, deploy the Azure Web App and configure Microsoft Entra authentication for it.
+2. Run the _DeployAzGovVizAccelerator_ workflow to initialize the accelerator, deploy the Azure Web App and configure Microsoft Entra authentication for it. By default, the web app is accessible to any authenticated user in the current tenant. To limit access to certain users, provide the ObjectId of an Entra ID group.
 
-   ![Screenshot showing deploying the DeployAzGovVizAccelerator workflow](./media/run_deploy_accelerator_action.png)
+   ![Screenshot showing deploying the DeployAzGovVizAccelerator workflow](./media/run_deploy_accelerator_action_input.png)
 
    ![Screenshot showing the DeployAzGovVizAccelerator workflow executing](./media/deploy_accelerator_action_running.png)
 
@@ -445,7 +450,7 @@ gh api -X PUT /repos/$GitHubOrg/$GitHubRepository/actions/permissions/workflow -
 
    ![Screenshot showing editing the AzGovViz parameters](./media/adding_noPIM_parameter.png)
 
-1. Then, run the _DeployAzGovViz_ workflow to deploy AzGovViz and publish it to the Azure Web App
+3. Then, run the _DeployAzGovViz_ workflow to deploy AzGovViz and publish it to the Azure Web App
 
    ![Screenshot showing deploying AzGovViz](./media/deploy_AzGovViz_workflow.png)
 

bicep/webApp.bicep

@@ -33,6 +33,9 @@ param clientSecret string
 @description('The AzGovViz management group ID')
 param managementGroupId string
 
+@description('The authorized groups IDs to access the web app')
+param authorizedGroupId string
+
 resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
   name: appServicePlanName
   location: location
@@ -42,7 +45,7 @@ resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
   kind: kind
 }
 
-resource webApp 'Microsoft.Web/sites@2022-03-01' = {
+resource webApp 'Microsoft.Web/sites@2023-01-01' = {
   name: webAppName
   location: location
   properties: {
@@ -70,6 +73,11 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = {
         redirectToProvider: 'azureActiveDirectory'
         unauthenticatedClientAction: 'RedirectToLoginPage'
       }
+      login: {
+        tokenStore: {
+          enabled: true
+        }
+      }
       identityProviders: {
         azureActiveDirectory: {
           enabled: true
@@ -78,6 +86,20 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = {
             clientId: clientId
             clientSecretSettingName: 'AzureAdClientSecret'
           }
+          validation: {
+            jwtClaimChecks: {
+              allowedGroups: [
+                authorizedGroupId
+              ]
+            }
+            defaultAuthorizationPolicy: {
+              allowedPrincipals: {
+                groups: [
+                  authorizedGroupId
+                ]
+              }
+            }
+          }
         }
       }
     }
@@ -87,6 +109,7 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = {
     name: 'appsettings'
     properties: {
       AzureAdClientSecret: clientSecret
+      WEBSITE_AUTH_AAD_ALLOWED_TENANTS: tenantId
     }
   }