Enabling Entra Authentication
By Rob Litjens
Now that we have Data API Builder, a SQL Server in the cloud and a web application that should be able to use RESTful APIs, it is time to set up some authentication. I am not a fan of SQL logins. Never been and never will be. I want Azure Authentication uhh.. Entra Authentication, as it is called nowadays.
To make an app useful with Entra ID there are some requirements:
- You need to have a tenant. I do have one
- You need to setup a Server App registration
- You need to configure the Server App registration
- You need to assign roles to your account…
Microsoft has also listed these on their page DataAPIBuilder with AzureAD authentication, but I will use the Entra thingies now.
App Registration
This part is straightforward. You should go to Entra.
After this the detail page of an App Registration opens. This is a page showing “Data API Builder” as a header. Under Manage you will find “Expose an API”.
The MS documentation says you need to click Set, but on the new pages in Entra this is called “Add”:
On the right-hand side a panel slides in where you can only press Save. Do that.
The next action is to create a scope.
The Server App Registration is simple:
After you have done the registration, you need to add an application role to the App registration. You can do this by clicking on App roles and filling it in as shown:
When you have filled in these details you should click on “Manifest” (last option under Manage in the left-hand menu). In the JSON that opens, change the value of “accessTokenAcceptedVersion” to 2. Don’t forget to Save here… See the picture below for more info:
Assigning roles to your application
Now we are entering the Enterprise side :) of our application. We need to assign roles to it. Therefore, in Entra go to Enterprise applications, pick the application you just registered (Data API Builder in my case) and select “Assign users and groups”.
Select from the top. A new screen opens. This screen looks a bit strange, but that is because some Flying Windows (as PowerPoint calls them) will appear.
If you click on Users and groups, Entra will show you the users of your tenant. I have selected my account (because I know it has access to the database) and the default access should be set up.
How to get an authentication Token
To get the token you need to run a few Azure CLI commands from PowerShell:
az login
# a browser page is opened that asks you to login
# The output will give you your "tenantID" which is a guid. It is not the one shown in the json
# You will need to login to that tenant again, it will force MFA btw
az login --tenant <this-should-be-your-tenantid>
az account set --tenant <this-should-be-your-tenantid>
az login --scope api://<PFFapiexp-blah-boeh-baba-bebebebebe>/Endpoint.Access
# this requires you to consent via a webbrowser
az account get-access-token --scope api://<PFFapiexp-blah-boeh-baba-bebebebebe>/Endpoint.Access
# This should give you a bearer token back which looks like:
#{
# "accessToken": "ey-LONG STRING OF ALL KINDS OF CHARACTERS",
# "expiresOn": "2023-10-31 19:25:21.000000",
# "subscription": "<your subscription>",
# "tenant": "Your Tenant",
# "tokenType": "Bearer"
#}
If you go back to Expose an API (under App registrations in Entra), you will see this:
After this, you need to update the Data API configuration by replacing:
"authentication": {
  "provider": "StaticWebApps"
with
"authentication": {
  "provider": "AzureAD",
  "jwt": {
    "audience": "<APP_ID>",
    "issuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0"
  }
}
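As an added example (not part of this post or of the Data API Builder project), here is a small Python script that decodes the accessToken you got from az account get-access-token and checks its claims against what the DAB AzureAD provider expects: the v2.0 issuer, your app registration as audience, the Endpoint.Access role and the expiry. The APP_ID and TENANT_ID values are placeholders you replace with your own, and make_sample_token builds constructed, unsigned tokens purely so the checks can be exercised offline; it does not verify signatures, DAB does that.

```python
import base64
import json
import time
from typing import Optional

# Hypothetical IDs: replace with the Application (client) ID and Directory (tenant) ID
# of your own "Data API Builder" app registration.
APP_ID = "00000000-0000-0000-0000-000000000000"
TENANT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_ROLE = "Endpoint.Access"  # the app role assigned to the account in Enterprise applications


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT checked here; DAB verifies it against the tenant's
    published signing keys. This only shows what the token says about itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, now: Optional[float] = None) -> list:
    """Return the reasons DAB's AzureAD provider would reject this token.

    An empty list means token version, issuer, audience, role and expiry all
    match the values configured above.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    # accessTokenAcceptedVersion=2 in the manifest makes Entra issue v2.0 tokens,
    # whose issuer is the .../v2.0 URL that goes into the DAB config.
    if claims.get("ver") != "2.0":
        problems.append(f"ver is {claims.get('ver')!r}: set accessTokenAcceptedVersion to 2 in the manifest")
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"issuer {claims.get('iss')!r} does not match {EXPECTED_ISSUER}")
    # v2.0 tokens carry the bare App ID as audience; v1.0 tokens carry api://<APP_ID>.
    if claims.get("aud") not in (APP_ID, f"api://{APP_ID}"):
        problems.append(f"audience {claims.get('aud')!r} is not the app registration")
    if EXPECTED_ROLE not in claims.get("roles", []):
        problems.append(f"role {EXPECTED_ROLE} missing: assign the user to the app in Enterprise applications")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired; run az account get-access-token again")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned sample token with the given claims.

    Only for exercising check_token offline; a real token from Entra is
    RS256-signed and DAB rejects anything whose signature does not verify.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-omitted"


def good_claims(now: float) -> dict:
    """Claims a correctly configured registration issues for an assigned user (constructed)."""
    return {
        "ver": "2.0",
        "iss": EXPECTED_ISSUER,
        "aud": APP_ID,
        "roles": [EXPECTED_ROLE],
        "exp": int(now) + 3600,
    }


if __name__ == "__main__":
    # Usage: python check_token.py <accessToken value>; with no argument a constructed good token is checked.
    import sys
    token = sys.argv[1] if len(sys.argv) > 1 else make_sample_token(good_claims(time.time()))
    for line in check_token(token) or ["token claims look fine for DAB"]:
        print(line)
```

Paste the accessToken value from the az output as the first argument. If it reports a v1.0 token with an sts.windows.net issuer, the manifest change from the App Registration section has not taken effect yet; if the role is missing, the account was not assigned under Enterprise applications.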
Conclusion
It took a while before I found out that more had already been done and that Entra is a bit different from AzureAD, which all the documents are based on. I am not far enough yet to conclude that I can embed data in my Hugo site using AAD authentication. Hugo is a bit strange on this, but you can do various types of authentication.
My next step will be to create a JSON sample and a template for Hugo. Then I will also try to connect Hugo to my database via a DAB call. I am not fully sure that I can do that with AAD authentication, but my db is set up for both types (integrated and SQL logins).
I hope to see you reading my next blog as well.