hello,
The steps show how to configure an AAD group with the MSI as a member and then add the group to db roles. However, once launched, the app was apparently unable to connect to its database with this configuration (error 500 or 502, no details with customErrors on). After many validations, looking at objectIds, group, db roles config, ... no obvious typos were found in my setup. Then I tried another configuration found on the web, which creates a user whose name is the app service name.
CREATE USER [your_app_service_name] FOR EXTERNAL PROVIDER; -- creates a contained user mapped to the Azure AD service principal of the app's managed identity (its display name is the App Service name)
ALTER ROLE db_owner ADD MEMBER [your_app_service_name];
GO -- batch separator for sqlcmd/SSMS; it takes no trailing semicolon
Then it worked right away. Any ideas why the AADGroup would not work?
thanks.
@bouchaet, Thanks for the question! We are taking a look into this and will get back to you soon.
@bouchaet, Apologies for the delay in responding! I have performed initial investigation with the information you had shared and since it doesn't seem to be a doc related feedback, I will engage with you offline further, so could you please send an email to AzCommunity[at]Microsoft[dot]com referencing this GitHub issue. As we will work with you offline, I will now proceed to close this thread.
I can confirm that this does not seem to work:
CREATE USER [identity_name] FROM EXTERNAL PROVIDER;
and this definitely does:
CREATE USER [identity_name] FOR EXTERNAL PROVIDER;
Adding the group didn't work at all; using FROM or FOR didn't make a difference.
I'm not running from an App Service, by the way, but ASP.NET Core on AKS.
Thanks for the response and sharing additional details! I will test on this scenario and get back to you soon.
Hi, I'm glad to see that we can confirm a potential problem for the AAD group.
Hello, I am facing similar problems to those mentioned by bouchaet. I wanted to check if the issue has been acknowledged and confirmed.
Apologies for the delay on this! We had been discussing this internally.
@cephalin, Requesting your comments on this.
@bouchaet @PeterRockstars @saurabhvartak1982 I just tested the scenario in the doc today and cannot reproduce the issue. Everything connects as expected both from App Service and from Visual Studio.
If you're running a scenario that's not the same as what's in the doc (AKS, for example), you'll need to read up on AKS docs for information, or engage with the forum for help. Thank you.
I retested the scenario yesterday with the ASP.NET Framework sample (previously used the ASP.NET Core sample) and finally reproduced the 500 timeout error, which I resolved by updating the AppAuthentication library to the latest version. Probably some service changes don't play well with the old library.
I've updated the doc accordingly and it should be published sometime today. The updated steps also show the AAD group step as optional, since SQL DB now supports adding an AAD user directly.
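The direct-user approach the thread settles on, written out as an added T-SQL example (not the doc's own script and not posted by anyone in this thread). It maps the managed identity to a contained database user, grants it only the roles the app needs instead of db_owner, and then queries the catalog so you can check what external principals actually exist and which roles they hold; that catalog check is the quickest way to tell a wrong-name problem apart from a token/library problem like the AppAuthentication one found above. Assumptions: [my-app-service] is the display name of the app's system-assigned managed identity and the script is run in the target user database by an Azure AD admin of the server; both names are placeholders. The example uses FROM EXTERNAL PROVIDER, the form in the CREATE USER reference; the parser accepts FOR in its place as well.

```sql
-- Added example (not from the doc or this thread).
-- Assumed placeholder: [my-app-service] is the display name of the
-- system-assigned managed identity, which equals the App Service name.
-- Run in the user database, connected as the server's Azure AD admin.

-- 1. Create a contained user for the identity. The name must match the
--    identity's Azure AD display name exactly; there is no password.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'my-app-service')
    CREATE USER [my-app-service] FROM EXTERNAL PROVIDER;

-- 2. Least privilege: an app that reads and writes rows does not need
--    db_owner (which can drop tables, add users and change permissions).
ALTER ROLE db_datareader ADD MEMBER [my-app-service];
ALTER ROLE db_datawriter ADD MEMBER [my-app-service];

-- 3. Verify: list every Azure AD principal in this database and its roles.
--    type 'E' = EXTERNAL_USER (a user or managed identity),
--    type 'X' = EXTERNAL_GROUPS (an Azure AD group).
--    If [my-app-service] is missing here, the connection failure is a
--    naming/mapping problem, not a token problem.
SELECT dp.name,
       dp.type_desc,
       dp.authentication_type_desc,
       STRING_AGG(r.name, ', ') AS roles
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('E', 'X')
GROUP BY dp.name, dp.type_desc, dp.authentication_type_desc
ORDER BY dp.name;
```

If you keep the group-based setup instead, the same verification query shows the group as a type 'X' row; a managed identity that is a member of that group authenticates through the group's roles and never appears as its own row, so an empty result for the identity's name is expected in that configuration.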
please-close