How to configure Service Fabric to use AAD for client authentication

This blob post is intended to compliment the official doc which I personally don’t find helpful and comprehensive enough.

The configuration that works for me consists of 3 parts:

  1. Cluster ARM template change
  2. AAD app for the cluster identity (let’s call it client)
  3. AAD app for the users to access SFE (let’s call it cluster)

First you make the changes in your ARM template for the cluster and deploy:

"variables": {
  "clientAadAppId": "{client app id}",
  "clusterAadAppId": "{cluster app id}"
},
"resources": [
  {
    "type": "Microsoft.ServiceFabric/clusters",
    "apiVersion": "[variables('sfApiVersion')]",
    "name": "[parameters('clusterName')]",
    "location": "[parameters('location')]",
    "properties": {
      "addonFeatures": [],
      "azureActiveDirectory": {
        "tenantId": "[subscription().tenantId]",
        "clientApplication": "[variables('clientAadAppId')]",
        "clusterApplication": "[variables('clusterAadAppId')]"
      },
      "certificateCommonNames": {},
      "clientCertificateCommonNames": [],
      "clientCertificateThumbprints": [],
      "diagnosticsStorageAccountConfig": {},
      "fabricSettings": [],
      "managementEndpoint": "",
      "reliabilityLevel": "[variables('reliabilityLevel')]",
      "upgradeMode": "Automatic",
      "vmImage": "Windows"
    }
  }
]

Then you create 2 third-party AAD applications and edit their manifests.

For the client app where you specify the Microsoft Graph and cluster app ids:

"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "{random guid}",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "{cluster app id}",
    "resourceAccess": [
      {
        "id": "{your guid}",
        "type": "Scope"
      }
    ]
  }
],
"oauth2Permissions": [
  {
    "adminConsentDescription": "Allow the application to access SF Cluster Management application on behalf of the signed-in user.",
    "adminConsentDisplayName": "Access SF Cluster",
    "id": "{your guid}",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "type": "User",
    "userConsentDescription": "Allow the application to access SF Cluster Management application on your behalf.",
    "userConsentDisplayName": "Access SF Cluster",
    "value": "user_impersonation"
  }
]

And for the cluster app where you specify what roles have what permissions:

"appRoles": [
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "ReadOnly roles have limited access",
    "displayName": "ReadOnly",
    "id": "{random guid}",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "User"
  },
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Admins roles can perform all tasks",
    "displayName": "Admin",
    "id": "{random guid}",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "Admin"
  }
]

And finally add your cluster’s SFE endpoint to the the Authentication section

https://{clusterName}.{clusterLocation}.cloudapp.azure.com:19080/Explorer/index.html

And finally go to the cluster app Overview and click Managed application in local directory, select Users and Group and assign permissions to your AAD groups you want to be Users or Admins.

That’s it, folks!

This entry was posted in Infrastructure and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.