Azure Web App use certificate from app registration to authenticate users


Currently, I have an App Service (.NET 7) in Azure, which uses the Microsoft Entra (formerly Azure Active Directory) identity provider to authenticate users into the application. There is an associated App Registration as well.

I use the client secret from the app registration to tie the two together in the Authentication section of the app service. Instead of using the client secret, I would like to use a certificate instead. I have generated a certificate using key vault and uploaded it to the app registration. Is it possible to use this certificate to connect the identity provider? If so, how?

I have tried looking through all the settings and various ways to configure the authentication but did not find a way to do this.

I did also see this other post which implied it's possible, but I am not sure: Azure App Registration using Managed Identities instead of Client Secrets

Qiang Fu

You have downloaded the .cer file and uploaded it to the app registration. You will also need to download the .pfx file (contains cert + key).

You should have the appsettings.json where you put the client secret like below.

{
 "AzureAd": {
   "Instance": "https://login.microsoftonline.com/",
   "TenantId": "yourdomain.onmicrosoft.com",
   "ClientId": "1b4649ec-1111-2222-9821-bf5efe85ffdb",
   "ClientCredentials": [
   {
     "SourceType": "ClientSecret",
     "ClientSecret": "your client secret here"
   }
  ]
 }
}

Just change the "ClientCredentials" part to point at your pfx file:

   "ClientCredentials": [
   {
     "SourceType": "Path",
     "CertificateDiskPath": "<PATH_TO_YOUR_CERTIFICATE_FILE>",
     "CertificatePassword": "<CERTIFICATE_PASSWORD>"
   }
   ]

Reference: https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph#add-the-certificate-for-the-daemon-console-application-in-azure-ad
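The answer says the .cer goes on the app registration and the .pfx stays with the app, but not why both are needed. The following is an added example, written for this page and not taken from the question, the answer or Microsoft's samples, that shows the mechanism the "Path" credential drives under the hood: the app signs a short-lived JWT (a client assertion) with the private key from the .pfx, and Entra accepts it only if the "x5t" header points at a certificate uploaded to the registration and the signature verifies under that certificate's public key. It is in Go rather than .NET so it runs offline on the standard library alone. The certificate is generated in memory as constructed test material, the function names (newDemoCert, BuildClientAssertion, VerifyClientAssertion, Thumbprint) and the "<client-id>" / "<tenant-id>" placeholders are the example's own, and the verifier side is a simplified model of what the token endpoint does (Entra additionally tracks jti for replay, checks nbf and certificate validity, and also accepts the SHA-256 "x5t#S256" header).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// b64url is the unpadded base64url alphabet JWTs use (RFC 7515).
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newDemoCert builds a throwaway self-signed RSA certificate in memory: constructed test
// material standing in for the .pfx (private key) and the .cer (public half) in the answer.
func newDemoCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Thumbprint is base64url(SHA-1(DER cert)), the JWT "x5t" header value that Entra matches
// against the certificates uploaded to the app registration.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return b64url(sum[:])
}

// BuildClientAssertion signs the short-lived JWT that takes the client secret's place:
// aud is the tenant's token endpoint, iss and sub are the client ID, exp is minutes out.
func BuildClientAssertion(key *rsa.PrivateKey, cert *x509.Certificate, clientID, tenantID string, now time.Time) (string, error) {
	jti := make([]byte, 16) // unique assertion ID so a captured assertion cannot be replayed
	_, _ = rand.Read(jti)  // crypto/rand; always fills the slice
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": Thumbprint(cert)})
	claims, _ := json.Marshal(map[string]any{
		"aud": "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/token",
		"iss": clientID, "sub": clientID, "jti": b64url(jti),
		"nbf": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion models the check the token endpoint performs with only the .cer from
// the registration: x5t must name that cert, the RS256 signature must verify under its public
// key, and aud/exp must be acceptable. Nothing on this side ever sees the private key.
func VerifyClientAssertion(assertion string, cert *x509.Certificate, expectedAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // undecodable input fails the checks below
	var header map[string]string
	if json.Unmarshal(dec(parts[0]), &header) != nil || header["alg"] != "RS256" || header["x5t"] != Thumbprint(cert) {
		return nil, fmt.Errorf("header does not name the registered certificate")
	}
	pub := cert.PublicKey.(*rsa.PublicKey) // the demo cert is RSA; guard this assertion in production code
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], dec(parts[2])); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(dec(parts[1]), &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64
	if claims["aud"] != expectedAud || int64(exp) <= now.Unix() {
		return nil, fmt.Errorf("audience or expiry check failed")
	}
	return claims, nil
}

func main() {
	key, cert, err := newDemoCert()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := BuildClientAssertion(key, cert, "<client-id>", "<tenant-id>", now)
	_, err = VerifyClientAssertion(tok, cert, "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token", now)
	fmt.Println("assertion accepted against the registered certificate:", err == nil)
}
```

On the wire, the only difference from the client-secret setup is that the token request (authorization_code grant for user sign-in, with code and redirect_uri unchanged) carries client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer and client_assertion=<the JWT above> instead of client_secret. Two practical points follow from this. First, with "SourceType": "Path" the .pfx and its password are still a secret sitting on disk and in appsettings.json; Microsoft.Identity.Web also accepts "SourceType": "KeyVault" with "KeyVaultUrl" and "KeyVaultCertificateName", in which case the App Service's managed identity fetches the certificate and no key material or password lands in configuration. Second, the appsettings.json in the answer configures Microsoft.Identity.Web inside the application's own code; the App Service Authentication blade the question refers to is a separate platform component with its own settings, so changing appsettings.json does not alter what that blade uses.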