When we connect to Service Fabric's management endpoint, we need to provide a certificate to pass authentication. However, we can also use Azure AD for authentication.
Here is our official documentation on how to use Azure AD to authenticate to the Service Fabric connection endpoint. It uses a PowerShell script to create two applications in Azure AD.
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-setup-aad
We can also do these steps manually in the Azure Portal UI.
Abstract at the beginning of the blog
The Service Fabric cluster here is treated as an AAD web app. When users access it with a browser, it shows the sign-in box and navigates back to the provided reply URL after authentication, just like any web OAuth process.
When a user accesses it with a client tool like the SF PowerShell module, the AAD client app signs in the user, then uses the API exposed by the AAD web app to validate that the user has the Admin role.
Application registration:
1) AAD web app
The first application we need to register in Azure AD is a web app, which represents the cluster.
In the Authentication blade, we configure it like this:
Redirect URLs
Implicit grant and hybrid flows
- ID tokens (used for implicit and hybrid flows)
Supported account types:
- Accounts in this organization directory only (Single tenant)
Allow public client flows:
- No
User Role assignment:
We need to create an Admin app role for the AAD web app.
In the App roles blade, we create an app role with the configurations below.
Display name:
- Admin
Allowed member types:
- Users/Groups
Value:
- Admin
Description:
- Admin role
Then we go to the Enterprise applications blade of Azure AD and open the overview page of the application we created. In the Getting started section, we will see “Assign users and groups.”
We add a user as Admin so that the user can access the SF connection endpoint with Azure AD.
Expose API
We need to expose the authentication API of the web app so that a client app like PowerShell can use it to sign in the admin user.
The steps for the AAD web app are done here.
2) AAD client app
The second application we need to register in Azure AD is a Desktop/Native app; it represents tools like the SF PowerShell module (Connect-ServiceFabricCluster).
In the Authentication blade, we configure it like this:
Redirect URLs
- https://login.microsoftonline.com/common/oauth2/nativeclient
- https://login.live.com/oauth20_desktop.srf
- msal29a2c311-3290-471b-a431-66f0d971a668://auth
- urn:ietf:wg:oauth:2.0:oob
Supported account types:
- Accounts in this organization directory only (Single tenant)
Allow public client flows:
- Yes
Add API Permission
The AAD client app needs this configuration so it can call the API we just exposed on the AAD web app.
Add a permission => My APIs => your cluster web app => user_impersonation
The steps for the AAD client app are done here.
Add client app to web app's authorized client applications list
Go to the **AAD web app** we created in the first place.
Expose an API => Authorized client applications
We add the client app's client ID to the web app and choose to expose the scope we created in the first place.
This section was updated on December 7th 2021. If we don't add the client app to the web app's authorized list, Connect-ServiceFabricCluster in PowerShell will prompt a "Need Admin Consent" window.
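The same registration steps as one script, added here as an example; it is not the blog's own content and not the script from the official documentation. It calls the Microsoft Graph v1.0 REST API through Invoke-RestMethod from PowerShell 7 with Az.Accounts, and assumes you are already signed in with Connect-AzAccount as a user who can create app registrations and assign app roles. The cluster name, the web app reply URL and the admin user's UPN are placeholders you replace with your own values.

```powershell
# Added example, not the blog's or the official docs' script: register the AAD web app and
# client app for a Service Fabric cluster through Microsoft Graph, mirroring the portal steps.
# Assumes PowerShell 7, Az.Accounts, and an existing Connect-AzAccount session with rights
# to create app registrations and assign app roles. The three values below are placeholders.
param(
    [string] $ClusterName    = 'my-sf-cluster',
    [string] $WebRedirectUri = 'https://my-sf-cluster.westus.cloudapp.azure.com:19080/Explorer/index.html',
    [string] $AdminUpn       = 'admin.user@contoso.onmicrosoft.com'
)

$graph = 'https://graph.microsoft.com/v1.0'
$token = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
if ($token -is [securestring]) { $token = ConvertFrom-SecureString $token -AsPlainText }  # Az 14+ returns a SecureString
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

function Invoke-Graph([string] $Method, [string] $Path, $Body) {
    $request = @{ Method = $Method; Uri = "$graph$Path"; Headers = $headers }
    if ($null -ne $Body) { $request.Body = $Body | ConvertTo-Json -Depth 10 }
    Invoke-RestMethod @request
}

# 1) AAD web app: single tenant, ID tokens enabled, public client flows off, with an Admin app role.
$adminRoleId = [guid]::NewGuid().ToString()
$webApp = Invoke-Graph POST '/applications' @{
    displayName            = "$ClusterName-cluster"
    signInAudience         = 'AzureADMyOrg'
    isFallbackPublicClient = $false
    web = @{
        redirectUris          = @($WebRedirectUri)
        implicitGrantSettings = @{ enableIdTokenIssuance = $true; enableAccessTokenIssuance = $false }
    }
    appRoles = @(@{
        id = $adminRoleId; displayName = 'Admin'; value = 'Admin'; description = 'Admin role'
        allowedMemberTypes = @('User'); isEnabled = $true     # "User" covers users and groups
    })
}

# Expose an API: the identifier URI must exist before a scope can be added under it.
$scopeId = [guid]::NewGuid().ToString()
$scopes  = @(@{
    id = $scopeId; value = 'user_impersonation'; type = 'User'; isEnabled = $true
    adminConsentDisplayName = "Access $ClusterName"
    adminConsentDescription = "Let the client app sign in users and call the cluster on their behalf"
})
Invoke-Graph PATCH "/applications/$($webApp.id)" @{ identifierUris = @("api://$($webApp.appId)") }
Invoke-Graph PATCH "/applications/$($webApp.id)" @{ api = @{ oauth2PermissionScopes = $scopes } }

# 2) AAD client app: public client (Desktop/Native) that requests user_impersonation on the web app.
$clientApp = Invoke-Graph POST '/applications' @{
    displayName            = "$ClusterName-client"
    signInAudience         = 'AzureADMyOrg'
    isFallbackPublicClient = $true
    requiredResourceAccess = @(@{
        resourceAppId  = $webApp.appId
        resourceAccess = @(@{ id = $scopeId; type = 'Scope' })
    })
}
# The msal<app id>://auth redirect URI embeds the client's own app id, so the URIs are set after creation.
Invoke-Graph PATCH "/applications/$($clientApp.id)" @{
    publicClient = @{ redirectUris = @(
        'https://login.microsoftonline.com/common/oauth2/nativeclient',
        'https://login.live.com/oauth20_desktop.srf',
        "msal$($clientApp.appId)://auth",
        'urn:ietf:wg:oauth:2.0:oob') }
}

# Authorized client applications on the web app: this is what avoids the "Need Admin Consent" prompt.
Invoke-Graph PATCH "/applications/$($webApp.id)" @{
    api = @{
        oauth2PermissionScopes    = $scopes     # resent so the scope list stays intact
        preAuthorizedApplications = @(@{ appId = $clientApp.appId; delegatedPermissionIds = @($scopeId) })
    }
}

# Enterprise application entries (service principals) and the Admin role assignment for one user.
$webSp = Invoke-Graph POST '/servicePrincipals' @{ appId = $webApp.appId }
$null  = Invoke-Graph POST '/servicePrincipals' @{ appId = $clientApp.appId }
$user  = Invoke-Graph GET "/users/${AdminUpn}?`$select=id"
$null  = Invoke-Graph POST "/servicePrincipals/$($webSp.id)/appRoleAssignedTo" @{
    principalId = $user.id; resourceId = $webSp.id; appRoleId = $adminRoleId
}

# These three values go into the cluster's Security blade (tenant, cluster application, client application).
[pscustomobject]@{
    TenantId           = (Get-AzContext).Tenant.Id
    ClusterApplication = $webApp.appId
    ClientApplication  = $clientApp.appId
}
# After the cluster is updated, connect with AAD instead of a client certificate:
#   Connect-ServiceFabricCluster -ConnectionEndpoint "$ClusterName.westus.cloudapp.azure.com:19000" `
#       -AzureActiveDirectory -ServerCertThumbprint '<cluster certificate thumbprint>'
```

The script follows the same order as the portal walkthrough: web app with its Admin app role, exposed scope, client app with its redirect URIs and API permission, then the client app added to the web app's authorized client applications so no admin consent prompt appears. Two details are assumptions rather than facts from the blog: the Graph `api` property is resent with the full scope list in the last PATCH so the scope is not lost if the service treats the complex type as a replacement, and the web app reply URL follows the Service Fabric Explorer pattern, which you should match to your own cluster.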
Add the above AAD config to the service fabric cluster
In the Security blade of the Service Fabric cluster, we add a security setting. Fill in the application IDs of the two AAD apps we just created.
Done
Now you should be able to use AAD to connect to the Service Fabric cluster, and the browser will not prompt for a certificate for SFX.
If the process does not go as smoothly as expected, there is a troubleshooting section in the doc.
You can also read the PowerShell script provided in our official documentation to understand what has been done. This is a step-by-step guide for users who prefer the Azure Portal.