Tuesday, September 29, 2020

How to Do APP to APP based authentication for Azure AAD applications

Sometimes you need app-to-app (service-to-service) authentication in your applications/services to prevent unauthorized access to them. For example, you may have a service A that needs to be accessed by another service; you can configure username/password-based authentication, certificate-based authentication, or a simple app-to-app based authorization.

To enable Azure AAD app-to-app based authentication, make the following changes:

1) First, in the app manifest of your issuer/authorizing app (the producer), declare one or more roles that can be assigned to applications. The allowedMemberTypes list must include "Application", otherwise the role can only be assigned to users and will never appear in an app-only token.

"appRoles": [
    {
        "allowedMemberTypes": [
            "User",
            "Application"
        ],
        "description": "Some app role which also needs app based auth",
        "displayName": "SERVICE_APPLICATION_ROLE",
        "id": "23d29786-d213-40f6-ad11-ddf9f7d71d30",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "SERVICE_APPLICATION_ROLE"
    }
],

2) Next, in the app registration of your consumer/contacting service, request access to the producer/servicing app from the API permissions section of the Azure portal (application permission, which needs admin consent before the role shows up in tokens).

(Pic 1: API permissions section of the consumer app registration in the portal)



3) In your consumer/client service, define a configuration section as follows (the ClientSecret belongs in a secret store such as Key Vault, not in a checked-in file):

"AzureAdConfig": {
    "ClientId": "5186aaaf-d222-458d-83c1-faa73773bbc",
    "ClientSecret": "SOME-clIenT=SEcret.7&---",
    "TenantId": "a263c89-4222-4555a-222c-6fe11111cb"
},

Next, bind this section to a settings class in your application as:

AzureAdConfig azureAdConfig = new AzureAdConfig();
this.configuration.Bind("AzureAdConfig", azureAdConfig);

and then authenticate to AAD with the client-credentials flow and acquire a token as follows:

using System.Collections.Generic;
using Microsoft.Identity.Client;

// Confidential client: this service proves its own identity with the client secret, no user involved
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(azureAdConfig.ClientId)
    .WithClientSecret(azureAdConfig.ClientSecret)
    .WithAuthority(AadAuthorityAudience.AzureAdMyOrg)
    .WithTenantId(azureAdConfig.TenantId)
    .Build();

// The scope is the Application ID URI of the authorizing app (api://<its app id>) followed by /.default,
// which requests all app roles that have been granted to this client (check image below, Pic 2)
List<string> authScopes = new List<string> { "api://f1ffff77-f224-456a-8222-3777773/.default" };

// The resulting access token carries the assigned app roles in its "roles" claim
AuthenticationResult result = await app.AcquireTokenForClient(authScopes).ExecuteAsync();
return result.AccessToken;

Next, you can send this token as a bearer token in the Authorization header of all your service-to-service calls.


(Pic 2: Application ID URI of the authorizing app, shown in its app registration)
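As an added example (this is not code from the original post), here is how the two halves fit together in ASP.NET Core: the consumer sends the acquired token as a bearer token, and the producer validates the token and requires the SERVICE_APPLICATION_ROLE app role before serving the request. The role name and scope come from the post; the Microsoft.Identity.Web package, the "AzureAd" section name for the producer's own registration, the ProducerClient / ProducerStartup / OrdersController names and the https://producer.example.com URL are assumptions made for this example.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

// ---- Consumer side: call the producer with the token acquired via AcquireTokenForClient ----
public class ProducerClient
{
    // Scope from the post: Application ID URI of the authorizing app + /.default
    private static readonly string[] Scopes = { "api://f1ffff77-f224-456a-8222-3777773/.default" };
    private readonly HttpClient http;
    private readonly IConfidentialClientApplication app; // built with ConfidentialClientApplicationBuilder as above

    public ProducerClient(HttpClient http, IConfidentialClientApplication app)
    {
        this.http = http;
        this.app = app;
    }

    public async Task<string> GetOrdersAsync()
    {
        // MSAL caches the app token and only calls AAD again when it is close to expiry,
        // so acquiring per request does not hammer the token endpoint.
        AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();

        // Hypothetical producer URL; the token travels in the Authorization header, never in the query string
        var request = new HttpRequestMessage(HttpMethod.Get, "https://producer.example.com/api/orders");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

        HttpResponseMessage response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

// ---- Producer side: validate the token and require the app role before serving ----
public class ProducerStartup
{
    public ProducerStartup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Validates signature, issuer, expiry and audience against the producer's own
        // "AzureAd" registration (ClientId / TenantId), so a token minted for another API is rejected.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));

        // App-only tokens carry granted app roles in the "roles" claim. A consumer that was never
        // assigned SERVICE_APPLICATION_ROLE still gets a valid token, but without the role it gets 403 here.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("RequireServiceApplicationRole",
                policy => policy.RequireRole("SERVICE_APPLICATION_ROLE"));
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
[Authorize(Policy = "RequireServiceApplicationRole")]
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "order-1", "order-2" });
}
```

Checking the role, not just the signature, is the step that actually enforces app-to-app authorization: any registration in the tenant can request a token for the producer's /.default scope, but only clients that were granted (and admin-consented for) the app role receive it in the roles claim.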


Saturday, September 26, 2020

Configure / Bind application with Azure Key Vault

As a good development practice, teams should not check in any secrets or configuration settings such as DB connection strings, usernames and passwords. Instead, they should be kept in a safe store like Key Vault and read directly by the application, without much difficulty.

If you want your application to read its configuration keys/settings from Azure Key Vault, make the following changes in your application; they bind your appsettings configuration to the key vault that holds your settings.


Here are the changes you need to make in your code:

using System;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.Hosting;

namespace Sample.Parag.KeyVaultExample.TestWF
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                // The delegate takes (context, builder) and is synchronous; an async lambda here is never awaited
                .ConfigureAppConfiguration((context, builder) =>
                {
                    // Build the configuration collected so far (appsettings.json, environment, ...)
                    // to read the vault name, then layer Key Vault on top of it
                    var builtConfig = builder.Build();
                    var keyVaultName = builtConfig["KeyVaultName"];
                    if (string.IsNullOrWhiteSpace(keyVaultName))
                    {
                        throw new InvalidOperationException("KeyVaultName is missing from configuration");
                    }

                    // AzureServiceTokenProvider uses the managed identity in Azure and the
                    // developer's Azure CLI / Visual Studio login when running locally
                    var azureServiceTokenProvider = new AzureServiceTokenProvider();
                    var keyVaultClient = new KeyVaultClient(
                        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

                    builder.AddAzureKeyVault(
                        $"https://{keyVaultName}.vault.azure.net/",
                        keyVaultClient,
                        new DefaultKeyVaultSecretManager());
                })
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>();
                });
    }
}
Here KeyVaultName in builtConfig["KeyVaultName"] is defined in appsettings.json and is the name of your key vault (the host part of https://<name>.vault.azure.net/), like:

...
"KeyVaultName": "azureApp-key-vaultName",
...

Next, you can read any secret stored in Azure Key Vault through the injected IConfiguration like this:


        private readonly IConfiguration config;

        // IConfiguration is injected by the host; Key Vault secrets show up as ordinary keys
        public FooService(IConfiguration config)
        {
            this.config = config;
        }

        public string GetFooFunc()
        {
            return this.config["SomeKeyName"];
        }
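An added example (not from the post) that ties this to the app-to-app post above: keep the ClientSecret out of appsettings.json and let Key Vault supply it through the same binding. The section name, keys and KeyVaultName value come from the posts; the AzureAdConfig class (which the first post binds to but does not show) and the AzureAdConfigLoader name are assumptions made here.

```csharp
using System;
using Microsoft.Extensions.Configuration;

// appsettings.json (checked in) holds only non-secret values; the vault supplies the secret.
// Constructed example of the file:
// {
//   "KeyVaultName": "azureApp-key-vaultName",
//   "AzureAdConfig": {
//     "ClientId": "5186aaaf-d222-458d-83c1-faa73773bbc",
//     "TenantId": "a263c89-4222-4555a-222c-6fe11111cb"
//   }
// }
// In Key Vault the secret is named "AzureAdConfig--ClientSecret": DefaultKeyVaultSecretManager
// translates "--" into the ":" section separator, so it surfaces as "AzureAdConfig:ClientSecret"
// and Bind("AzureAdConfig", ...) fills the ClientSecret property from the vault.

public class AzureAdConfig // assumed settings class matching the first post's configuration section
{
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
    public string TenantId { get; set; }
}

public static class AzureAdConfigLoader
{
    public static AzureAdConfig Load(IConfiguration configuration)
    {
        var azureAdConfig = new AzureAdConfig();
        configuration.Bind("AzureAdConfig", azureAdConfig);

        // Fail at startup with a clear message instead of at the first token request:
        // an empty secret means the vault lookup did not happen (wrong vault name, no Get/List
        // secret permission for the app's identity, or a secret stored under a different name).
        if (string.IsNullOrEmpty(azureAdConfig.ClientSecret))
        {
            throw new InvalidOperationException(
                "AzureAdConfig:ClientSecret is empty; expected Key Vault secret 'AzureAdConfig--ClientSecret'.");
        }
        return azureAdConfig;
    }
}
```

Because Key Vault is added last in ConfigureAppConfiguration, its values override anything with the same key in appsettings.json, so a stale or placeholder secret left in the file cannot win over the vault.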
