microsoft / navcontainerhelper

Official Microsoft repository for BcContainerHelper, a PowerShell module, which makes it easier to work with Business Central Containers on Docker.
MIT License

AAD Setup Assistance #1020

Closed XVII closed 4 years ago

XVII commented 4 years ago

Is there a simple guide for what's required for AAD setup? The Azure AD properties are a little unclear as to what's required.

I've set the auth param and authenticationEmail but failing on login.

It seems to be using my Web Client URL to pass as the Application Identifier to Azure AD. Azure AD doesn't let you set AAD Application Identifiers that have a trailing /. For example, it's currently passing http://bcdev2:1000/BC/ whereas my App Registration can only have http://bcdev2:1000/BC.

Should I be setting something here? https://github.com/microsoft/navcontainerhelper/blob/731c0628de26de98c433b12c6bee13c35eaa81ca/ContainerHandling/New-NavContainer.ps1#L1168

freddydk commented 4 years ago

I think the documentation you are looking for is here: https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/authenticating-users-with-azure-active-directory. There is also a function called Create-AadAppsForBC, which creates the AAD apps needed (this is used when setting up AAD auth with Azure VMs using http://aka.ms/getbc).

XVII commented 4 years ago

Thanks -- I'm comfortable with setting it up on-prem, etc. Just a bit unsure what the intended steps are for NavContainerHelper specifically. I'd previously asked about passing in WS-federationEndpoint but ended up pushing it in via CustomNavSettings

Perhaps the Create-AadAppsForBc lets me bypass the trailing slash requirement?

EDIT: Yep, so creating via the PowerShell helper bypasses the trailing slash restrictions imposed by the front end. Probably best that it just confirms in the first place with that requirement?

freddydk commented 4 years ago

The $acsuri you found above is for clientusersettings (for the Windows Client in versions where that is used). The variables used to set this up are set in the container here: https://github.com/microsoft/nav-docker/blob/41796ee3f2d5eabede075107a923f718f2d79c3d/generic/Run/SetupVariables.ps1#L193

and used here: https://github.com/microsoft/nav-docker/blob/41796ee3f2d5eabede075107a923f718f2d79c3d/generic/Run/SetupConfiguration.ps1#L81

Maybe what you are looking for is that you can pass an -additionalparameter to new-bccontainer with --env appiduri=uri, which will then be used as the appiduri. If that isn't set, it uses the publicwebbaseurl.
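One way to apply the -additionalParameters approach from the last comment, as an added example that is not part of this thread or of the BcContainerHelper module. The container name, web client URL and e-mail are placeholders, and the parameters not named in the thread (-accept_eula, -containerName) are assumed from the module; add your usual image or artifact parameters as you normally would.

```powershell
# Added example (not from the thread or the BcContainerHelper project): derive the AAD
# App ID URI from the container's web client URL and hand it to the container through
# -additionalParameters, so the identifier the container uses matches the one the
# app registration accepts (no trailing slash).
# Assumes BcContainerHelper is installed and imported; all values below are placeholders.

function Get-AppIdUriParameter {
    param(
        [Parameter(Mandatory)][string] $WebClientUrl
    )
    # The container defaults appiduri to publicwebbaseurl, which ends in '/'. The AAD
    # portal rejects identifier URIs with a trailing slash, so strip it here.
    $appIdUri = $WebClientUrl.TrimEnd('/')
    if (-not [Uri]::IsWellFormedUriString($appIdUri, [UriKind]::Absolute)) {
        throw "App ID URI '$appIdUri' is not an absolute URI"
    }
    # Returns the docker run argument that -additionalParameters expects
    return "--env appiduri=$appIdUri"
}

$webClientUrl = 'http://bcdev2:1000/BC/'      # constructed value, taken from the thread
$appIdParam   = Get-AppIdUriParameter -WebClientUrl $webClientUrl
Write-Host "Container will use: $appIdParam"

# Placeholder container name and e-mail; -auth AAD and -authenticationEMail are the
# parameters the thread refers to. Add your image/artifact parameters as usual.
New-BcContainer `
    -accept_eula `
    -containerName 'bcdev2' `
    -auth AAD `
    -authenticationEMail 'user@contoso.example' `
    -additionalParameters @($appIdParam)
```

Check that the value printed before the container is created is byte-for-byte the Application ID URI shown on the app registration, since AAD compares the two literally.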