This article is contributed. See the original author and article here.

 


Here is our official documentation on how to use Azure AD to authenticate service fabric connection endpoint. It uses Powershell script to create two applications in the Azure AD resource.


https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-setup-aad


 


We can also do these steps manually with UI in Azure Portal.


 


Abstract at the beginning of the blog


 


The service fabric cluster here will be treated as an AAD web app. When users access it with browser, it will pop the sign in box and navigate back to the provided reply URL after authentication just like any web OAuth process.


When user access it with client tool like SF Powershell module, the AAD client app here will sign in the user, then use the exposed API from AAD web app to validate if the user has the Admin role.


 


Application registration:


 


Yixuan_Wang_0-1611935769864.png


 


 


1) AAD web app


 


The first application we need to register in Azure AD is a web app, represents the cluster.


In authentication blade, we will configure like this:


 


Redirect URLs



Implicit grant and hybrid flows



  • ID tokens (used for implicit and hybrid flows)


Supported account types:



  • Accounts in this organization directory only (Single tenant)


Allow Public client flows:



  • No


 


Yixuan_Wang_1-1611935769875.png


 


 


User Role assignment:


 


We need to create an Admin App-Role for the AAD web app.


 


Yixuan_Wang_2-1611935769881.png


 


 


In App roles blade, we create app role with below configurations.


 


Display name:



  • Admin


Allowed member types:



  • Users/Groups


Value



  • Admin


Description:



  • Admin role


Yixuan_Wang_3-1611935769882.png


 


Then we will go to Enterprise applications blade of Azure AD. Go to overview the page of the applications we created. In Getting started section, we will see “Assign users and groups.”


We will add a user as Admin so that user can access SF connection endpoint with Azure AD.


 


Yixuan_Wang_4-1611935769887.png


 


 


Yixuan_Wang_5-1611935769891.png


 


 


 


Expose API


 


We need to expose the authentication API of the web app so that the client app like Powershell can use it to sign in the admin user.


 


Yixuan_Wang_6-1611935769895.png


 


Yixuan_Wang_7-1611935769897.png


 


Steps are done for the AAD web app here.


 


2) AAD client app


 


The second application we need to register in Azure AD is a Desktop/Native app, it represents tools like SF Powershell module. (Connect-ServiceFabricCluster)


 


In the authentication blade, we will configure like this:


 


Redirect URLs



 


Supported account types:



  • Accounts in this organization directory only (Single tenant)


Allow Public client flows:



  • Yes


Yixuan_Wang_8-1611935769905.png


 


 


Add API Permission


 


AAD client needs this config so it can call the API we just exposed on AAD web app.


 


Add a permission => My APIs => your cluster web app => user_impersonation


 


Yixuan_Wang_9-1611935769912.png


 



Steps are done for the AAD client app here.


 


Done


 


Now you should be able to use AAD to connect service fabric cluster. And the browser will not prompt the certificate list for SFX.


 


Yixuan_Wang_10-1611935769916.png


 


 


If the process does not go as smoothly as expected, there is a troubleshooting section in the doc.


https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-setup-aad#troubleshooting-help-in-setting-up-azure-active-directory


 


You can also read the Powershell script provided in our official documentation to understand what has been done. This is a steps-by-steps guide for users who prefer Azure Portal.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: