Forum Discussion
Azure App proxy authentication issue
I had the same problem with proxy app registrations, in our own domain and in a customer domain. The 401 error already occurs when acquiring a token, before trying to read or write any data.
I found a solution, hinted by a remark in this StackOverflow answer:
https://stackoverflow.com/questions/34318059/401-error-when-authenticating-to-an-azure-api-app-using-aad
"Your problem has something to do with the valid audiences."
The problem is that the "audience" of a proxy app is not in the Active Directory domain, but in msappproxy.net. Hence, it fails the audience check and a 401 error is raised when attempting to get an access token relating to the AD domain.
My solution: create a second app registration for API access. In my case, the API part of the software just needed to read directory groups and member lists, which is possible independently of whoever is logged in through the web user interface if Microsoft Graph is used.
When creating the second app, I use any name and a random Sign-on URL in my AD domain:
A second unclarity in the Azure Portal user interface is in granting the API application access.
When you go to Settings > Required permissions, you add some categories and click Save. However, the permissions are not effective until you have also clicked "Grant access" on top of the main "Required permissions" panel. As it is counter-intuitive that you have to click in two different places to save one setting, that is often overlooked by admins configuring our web API.
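The audience check the post describes, shown as an added example that is not the poster's code and not Microsoft's: a resource-side token validator that accepts only its own App ID URI as `aud`, so a token minted for an App Proxy audience (`*.msappproxy.net`) is rejected, the same mismatch that produced the 401 above (there it was raised by the token endpoint rather than by the API). All identifiers are constructed placeholders, and HS256 with a shared key stands in for the RS256 signatures Azure AD really issues so the example runs offline.

```python
"""
Added example (not from the forum post): minimal JWT validation that checks
signature, algorithm, expiry, issuer and audience. It shows why a token whose
'aud' is an App Proxy host (*.msappproxy.net) fails an API that only accepts
its own App ID URI. Keys, tenant id and audiences are constructed placeholders;
HS256 is used so the example runs with the standard library only.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values: the API's accepted audiences, issuer and a demo HMAC key.
API_APP_ID_URI = "api://11111111-2222-3333-4444-555555555555"   # placeholder App ID URI
VALID_AUDIENCES = {API_APP_ID_URI}
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant
SECRET = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(aud: str, exp_in: int = 3600, key: bytes = SECRET) -> str:
    """Build a compact HS256 JWT for the given audience (demo issuer only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": ISSUER, "aud": aud, "iat": now, "exp": now + exp_in}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return "{}.{}".format(signing_input, _b64url(sig))


def validate_token(token: str, key: bytes = SECRET,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). No claim is trusted until the signature is verified."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    # Pin the algorithm before verifying, so a header cannot pick the scheme.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, "{}.{}".format(h, p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    # 'aud' may be a string or a list; accept only if one value is ours.
    auds = claims.get("aud")
    auds = [auds] if isinstance(auds, str) else list(auds or [])
    if not any(a in VALID_AUDIENCES for a in auds):
        return False, "audience {} not accepted".format(auds)
    return True, "ok"


if __name__ == "__main__":
    # A token for the API's own App ID URI passes; one for the proxy host does not.
    print(validate_token(mint_token(API_APP_ID_URI)))
    print(validate_token(mint_token("https://contoso-app.msappproxy.net/")))
```

The second app registration in the post works precisely because its tokens carry the API's own App ID URI as `aud`; the App Proxy registration's tokens carry the msappproxy.net audience and fail the same kind of membership check.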