Use Azure Portal to enable AAD authentication for Service Fabric management endpoint
Microsoft

When we connect to Service Fabric's management endpoint, we need to present a certificate to pass authentication. Alternatively, we can use Azure AD for authentication.

Here is our official documentation on using Azure AD to authenticate to the Service Fabric connection endpoint. It uses a PowerShell script to create two applications in the Azure AD tenant.

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-setup-aad

We can also perform these steps manually through the UI in the Azure Portal.

Abstract:

The Service Fabric cluster is represented as an AAD web app. When a user opens it in a browser, the sign-in dialog appears and, after authentication, the browser is redirected back to the configured reply URL, just like any web OAuth flow.

When a user connects with a client tool such as the Service Fabric PowerShell module, the AAD client app signs the user in and then uses the API exposed by the AAD web app to validate whether the user has the Admin role.

Application registration:

1) AAD web app

The first application we need to register in Azure AD is a web app, which represents the cluster.

In the Authentication blade, we will configure it like this:

Redirect URLs

  • https://mysftestcluster.eastus.cloudapp.azure.com:19080/Explorer/index.html

Implicit grant and hybrid flows

  • ID tokens (used for implicit and hybrid flows)

Supported account types:

  • Accounts in this organization directory only (Single tenant)

Allow Public client flows:

  • No

User Role assignment:

We need to create an Admin app role for the cluster app.

In the App roles blade, create an app role with the following configuration.

Display name:

  • Admin

Allowed member types:

  • Users/Groups

Value:

  • Admin

Description:

  • Admin role

Then go to the Enterprise applications blade of Azure AD and open the overview page of the application we created. In the Getting started section, we will see “Assign users and groups.”

Assign a user to the Admin role so that the user can access the Service Fabric connection endpoint with Azure AD.
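The Admin-role check described in the abstract and set up by the app-role and user-assignment steps above, as an added Python illustration (not code from this post, from Service Fabric, or from the official script): it walks through the claim checks a resource makes on the token the client app presents, which is why the role value and the audience must match what was configured in the portal. The app IDs, tenant ID and the HS256 demo key are constructed placeholders; real Azure AD tokens are RS256-signed and are verified against the tenant's published signing keys.

```python
"""Offline illustration of the claim checks behind the Admin app-role gate."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder identifiers; substitute your own app and tenant IDs.
CLUSTER_APP_ID = "00000000-0000-0000-0000-0000000000aa"  # AAD web app (the cluster)
CLIENT_APP_ID = "00000000-0000-0000-0000-0000000000bb"   # AAD native client app
TENANT_ID = "00000000-0000-0000-0000-0000000000cc"
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"      # stands in for AAD's RS256 keys


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT for the demo. Real AAD tokens are RS256-signed and a
    service validates them with the tenant's published signing keys."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def check_cluster_access(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return {'ok': bool, 'reason': str}. ok is True only when the token is
    validly signed, unexpired, issued by our tenant, addressed to the cluster
    web app, and carries the Admin app role assigned in the portal."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return {"ok": False, "reason": "bad signature"}
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "reason": "malformed token"}
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "token expired"}
    if claims.get("tid") != TENANT_ID:          # single-tenant app: only our tenant
        return {"ok": False, "reason": "wrong tenant"}
    aud = claims.get("aud")                      # must be the cluster app, not the client
    if aud not in (CLUSTER_APP_ID, f"api://{CLUSTER_APP_ID}"):
        return {"ok": False, "reason": f"audience {aud!r} is not the cluster app"}
    if "Admin" not in claims.get("roles", []):   # value of the app role created above
        return {"ok": False, "reason": "user is not assigned the Admin app role"}
    return {"ok": True, "reason": "Admin role present"}


def demo_claims(**overrides) -> dict:
    """Claims a correctly configured client would present; override to break them."""
    claims = {"aud": CLUSTER_APP_ID, "tid": TENANT_ID, "appid": CLIENT_APP_ID,
              "exp": 2_000_000_000, "roles": ["Admin"], "upn": "admin@contoso.example"}
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    cases = {"admin": demo_claims(),
             "no role": demo_claims(roles=[]),
             "token for client app": demo_claims(aud=CLIENT_APP_ID)}
    for name, claims in cases.items():
        print(name, "->", check_cluster_access(make_token(claims), now=1_700_000_000))
```

The third case shows the common misconfiguration where the client requests a token for itself instead of for the cluster web app: the signature and role are fine, but the audience check rejects it.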

Expose API

We need to expose the web app's API so that a client app such as the PowerShell module can use it to sign in the Admin user.

That completes the steps for the AAD web app.

2) AAD client app

The second application we need to register in Azure AD is a Desktop/Native app; it represents client tools such as the Service Fabric PowerShell module (Connect-ServiceFabricCluster).

In the Authentication blade, we will configure it like this:

Redirect URLs

  • https://login.microsoftonline.com/common/oauth2/nativeclient
  • https://login.live.com/oauth20_desktop.srf
  • msal29a2c311-3290-471b-a431-66f0d971a668://auth
  • urn:ietf:wg:oauth:2.0:oob

Supported account types:

  • Accounts in this organization directory only (Single tenant)

Allow Public client flows:

  • Yes

Add API Permission

The AAD client app needs this permission so it can call the API we just exposed on the AAD web app.

Add a permission => My APIs => your cluster web app => user_impersonation

That completes the steps for the AAD client app.

Add the above AAD config to the service fabric cluster

In the Security blade of the Service Fabric cluster, add a security setting and fill in the application IDs of the two AAD apps we just created.

Done

Now you should be able to use AAD to connect to the Service Fabric cluster, and the browser will no longer prompt for a certificate when opening Service Fabric Explorer (SFX).

If the process does not go as smoothly as expected, the documentation has a troubleshooting section:

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-setup-aad#troubleshooting-help-in-setting-up-azure-active-directory

You can also read the PowerShell script provided in our official documentation to understand what it does. This post is a step-by-step guide for users who prefer the Azure Portal.