Configuring Managed Identity Accounts to run Web Apps and other resources

Azure can create Managed Identity accounts: Entra ID (Azure AD) principals whose credentials Azure itself manages. A Managed Identity can be used as the identity under which the "app pool" of your Web Apps runs, in place of a SQL login and password. There are several benefits to using a Managed Identity account, such as:

  • Improved security: no passwords or connection-string secrets need to be stored in app code or configuration, and Azure rotates the identity's credentials automatically.
  • Simplified management: one identity can be granted access to several services and is administered in a single place, instead of maintaining a separate credential for each service.

Each of the Aptify web applications can be run using a Managed Identity. This document walks through each step of the setup.


Creating the Managed Identity Account in Azure

Search Azure for the Managed Identity service and select it.

Create a new Managed Identity in your desired Subscription, Resource Group, and Region. You can name it however you like; we recommend something descriptive, because this name is also the login name you will create in SQL later. Click Review and Create.


When it's created, navigate to the resource. Copy the Client ID value to a notepad. (The Client ID is a public identifier, not a secret; there is no password or key to protect.)

You'll also need to record your Tenant ID. There are several ways to find it, but if you search Azure's main search bar for "Tenant Properties" you will find it on that page. Copy the Tenant ID to the same notepad.


Next we need to create this Managed Identity as a user in Aptify. The third and final step will be updating Azure so that the websites run under this account.


Creating the Managed Identity Account in Aptify

Open the Aptify client connected to your SQL MI and create a new User account. Select Azure Active Directory Security as the authentication type and enter any valid username; it will be changed later.

Continue through the User Assignment Wizard and assign it the required licenses (End User, etc.). On Step 6, enter Managed Identity as the user name. We recommend using the "Copy an existing user's profile" option to copy the profile from an existing e-Business or Aptify Web app pool user; that automatically adds this user to the required groups.

At a minimum, a Managed Identity account running Aptify Web needs to be in the Basic, Users, Administrators, and AptifySOAAppPool groups. The same is true for e-Business, except that it needs the EBusinessSOAAppPool group instead. WebJob users require the Application Server permissions. Grant only the groups the application actually needs; the identity's group membership is now the only thing limiting what the web app can do in the database.

Add an employee record to this user on the final step, and click finish to save.


Open SSMS and connect to your SQL MI instance. You must connect as an Entra ID (Azure AD) principal that is allowed to create logins, typically the instance's Azure AD admin; a SQL-authenticated login cannot create logins from an external provider. Open a query against the master database and execute the statement below, replacing the bracketed name with the exact name of your Managed Identity resource in Azure (the login name must match it).

CREATE LOGIN [AptifyAWManagedIdentity] FROM EXTERNAL PROVIDER

Next, open a query against the APTIFY database and execute the following, replacing ClientID and TenantID with the values you noted previously and the ID with the Users record ID of the Azure AD user you created in the last step. Note that Aptify expects the UserID in the form (ClientID@TenantID), including the parentheses.

UPDATE users SET UserID = '(ClientID@TenantID)' WHERE ID = (ID of newly created Azure AD user from the last step)

An example of this query, with placeholder values, would be:

UPDATE users SET UserID = '(f5913342132-98234-4bde-ae73-df386a123c6@723465523-c623-45118-b638-759206645)' WHERE ID = 743
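The two statements above, combined into one added T-SQL script that is not from the original article or from Aptify. It runs them in order and guards against the usual mistakes: the login is created only if it does not already exist, the Client ID and Tenant ID are typed as uniqueidentifier so a mistyped GUID fails before anything is written, and the script checks that exactly one Users row was changed. The identity name AptifyAWManagedIdentity, the Users ID 743 and both GUIDs are placeholders to replace with your own values.

```sql
-- Added example (not from the original article or from Aptify).
-- Assumptions: the user-assigned managed identity resource is named
-- AptifyAWManagedIdentity, the Aptify Users row created through the client
-- has ID 743, and both GUIDs below are dummy placeholders.
-- Run this connected as the Entra ID admin of the SQL MI; a SQL-authenticated
-- login cannot run CREATE LOGIN ... FROM EXTERNAL PROVIDER.

USE master;
GO

-- The login name must match the managed identity's name in Azure exactly.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'AptifyAWManagedIdentity')
    CREATE LOGIN [AptifyAWManagedIdentity] FROM EXTERNAL PROVIDER;
GO

USE APTIFY;
GO

DECLARE @ClientId     uniqueidentifier = '11111111-1111-1111-1111-111111111111'; -- placeholder
DECLARE @TenantId     uniqueidentifier = '22222222-2222-2222-2222-222222222222'; -- placeholder
DECLARE @AptifyUserId int              = 743;                                    -- assumed

-- Aptify stores the identity as (ClientID@TenantID), parentheses included.
-- Converting from uniqueidentifier guarantees the 8-4-4-4-12 shape; LOWER
-- matches the lowercase form the Azure portal displays.
DECLARE @UserID nvarchar(100) =
      N'(' + LOWER(CONVERT(nchar(36), @ClientId))
    + N'@' + LOWER(CONVERT(nchar(36), @TenantId)) + N')';

UPDATE users
   SET UserID = @UserID
 WHERE ID = @AptifyUserId;

-- Exactly one row should change; anything else means the ID is wrong.
IF @@ROWCOUNT <> 1
    THROW 50000, 'Expected exactly one Users row to be updated; check @AptifyUserId.', 1;

-- Confirm the mapping that was written.
SELECT ID, UserID FROM users WHERE ID = @AptifyUserId;
```

If the CREATE LOGIN step fails with an error about the principal not being found, check that the bracketed name matches the Managed Identity resource name and that you are connected as an Entra ID principal rather than a SQL login.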


Configuring Azure Web Apps to use Managed Identity

Now that the account is set up, we need to configure our apps to use it. You can use the same Managed Identity for Aptify Web and e-Business or a different one for each. Navigate to your Web App and select the Identity tab under the Settings section. Click on the User Assigned tab.


Click Add, find your new Managed Identity, and select Add. The identity is now attached to the Web App and available to it; the Aptify services still need to be told to use it, which is the final step.

Lastly, we need to update the web.config so that SOA runs under the Managed Identity. There are a few ways to modify the web.config (via deployment, FTP, or Kudu), but we've found the easiest is the App Service Editor. Click it under Development Tools and then select Open Editor:


In the Editor, for Aptify Web navigate to the AptifyServicesAPI/web.config file. For e-Business 6/7, navigate to the SOA/web.config file. In both files you'll apply two changes. The first is updating the key below: put the Managed Identity Client ID in as the value.

<add key="Aptify.Services.Authentication.AzureAD.ManagedIdentityClientID" value =""/>

If the key is commented out, remove the <!-- before the key and the --> afterwards.

The second change concerns the three login keys below. If they already have values, you can leave the SQLLogin as is, as long as the Password value is blank and the Trusted key is set to True. Do not leave a SQL password in the file: with the password removed, the web.config no longer holds any database credential, which is the point of moving to a Managed Identity.

<add key="Aptify.Framework.LoginServices.AptifyLogin.Trusted" value="True" />
<add key="Aptify.Framework.LoginServices.AptifyLogin.SQLLogin" value="AptifySA" />
<add key="Aptify.Framework.LoginServices.AptifyLogin.Password" value="" />


That's it. Save the web.config, restart your Web App(s), and it should now be running under your Managed Identity.


There are a number of ways to verify the change. If you check published exceptions, the Windows identity (for Aptify Web/e-Business exceptions) should now be your new Managed Identity. You can also run sp_who2 or sp_WhoIsActive in SSMS while Aptify Web is in use and confirm that the sessions belong to the Managed Identity login rather than to the old SQL login.
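An added verification query, not part of the original article, that reads sys.dm_exec_sessions (the DMV that exposes the same session information those stored procedures show) to list which login the web app's connections are using while the site is in use. The login name AptifyAWManagedIdentity is assumed; VIEW SERVER STATE is required to see other principals' sessions.

```sql
-- Added example (not from the original article or from Aptify).
-- Assumes the managed identity login is named AptifyAWManagedIdentity.
-- Requires VIEW SERVER STATE to see sessions other than your own.

-- 1. Live sessions authenticated as the managed identity: these should
--    appear while Aptify Web / e-Business is in use after the change.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       s.login_time,
       s.status,
       DB_NAME(s.database_id) AS database_name
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND s.login_name = N'AptifyAWManagedIdentity'
ORDER BY s.login_time DESC;

-- 2. Session count per login. If the login named in the SQLLogin key
--    (AptifySA in the article's example) still shows connections from the
--    web app's host while the site is busy, the web.config change has not
--    taken effect or the Web App has not been restarted.
SELECT s.login_name,
       s.host_name,
       COUNT(*) AS sessions
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
GROUP BY s.login_name, s.host_name
ORDER BY sessions DESC;
```

Run the first query a few times while exercising the site; a steady set of sessions under the Managed Identity login, and none under the previous SQL login from the Web App's host, confirms the switch.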
