Set up Easy Auth with Microsoft Azure Entra ID

Posted byLaszlo Pinter Leave a comment on Set up Easy Auth with Microsoft Azure Entra ID

The Microsoft Azure Entra ID provides federated authentication and authorization services for applications running in the Azure Cloud. Easy Auth enables application to use Single Sign On (SSO) services transparent to the user to detect the identity of the user of the application. To set up Easy Auth

Register the application

  • On the main page select the Microsoft Entra ID icon
  • Click the Add item in the header and select App Registration
  • Enter the display name of the application. If the application does not use Azure Entra as the authentication provider, leave the Redirect URI empty and click the Register button

Set the permissions

Make sure the Microsoft Graph User.Read permission is enabled

  • On the left side open the Manage menu and select API permissions
  • Make sure the Microsoft Graph User.Read permission is enabled
  • If the Microsoft Graph User.Read permission is not enabled
    • Click the Add a permission option
    • Select the Microsoft Graph option
    • Select Delegated permissions
    • In the User section enable User.Read permission
    • Click the Add permission button at the bottom of the page
  • Click the Grant admin-consent for … button
  • Click the Yes button
  • The status should be Granted for …

Use the Easy Auth feature in your application

Configure your Azure Container Apps application to use Easy Auth

  • Copy the Application (client) ID and Directory (tenant) ID from the Overview page

In the Azure Container Apps deployment script update the application to use the Easy Auth feature with the authTenantId and authClientId values extracted above:

# Entra ID issuer URL for built-in authentication (Easy Auth)
authIssuer="https://login.microsoftonline.com/${authTenantId}/v2.0"            

# Enable Entra ID (Azure AD) built-in authentication (Easy Auth)
            # This injects the X-MS-CLIENT-PRINCIPAL-NAME header with the user's UPN on every authenticated request.
            echo "Configuring Entra ID authentication..."
            az containerapp auth microsoft update \
                --name $applicationName \
                --resource-group $resourceGroupName \
                --client-id $authClientId \
                --issuer $authIssuer \
                --yes

Extract the user information in the application

In the loader() function of the React Router 7 (Remix) web application read the “x-ms-client-principal-name” header value. It will contain the email address of the user.

export async function loader({ request }: Route.LoaderArgs) {
  let userName = "";

  // 1. Check for Azure AD / Entra ID auth header (production)
  const principalName = request.headers.get("x-ms-client-principal-name");
}

Leave a comment

Your email address will not be published. Required fields are marked *