Azure App Configuration for SecureMFA Apps
SecureMFA provider apps that support Azure cloud services will require Azure App Configuration setup to store configuration data. All providers load data from the Azure App Configuration store during the start; if you need to update values in the store, you must restart the app service to read new values.
Note: This configuration is not applicable for providers below major version 188.8.131.52 as those will be keeping configuration data in "SecureMfa[product]OtpProvider.json" file locally.
The deployment steps below use the latest Powershell modules (Az.Accounts , Az.AppConfiguration and Az.Resources) to provide a new app configuration store and upload default "key-value" pairs. The same steps can also be completed using the Azure Portal Web interface.
Create an App Configuration Store
App Configuration store can be FREE tier SKU or above.
#Deploying AzureAD resources into a dedicated resource group for the WEB API Service with Variables
#Create New AzResourceGroup for resources deployment
#Create an App Configuration store
Get an App Configuration Details
Get the App Configuration store Read Only Endpoint string to use in WEB API appsettings.json for AppConfigReadOnlyKey and App Configuration store Endpoint URL details.
Display App Configuration Read Only Endpoint string to use in WEB API appsettings.json file
Sample output which you will need to capture for app configuration tasks:
Configure Default Key-Values for Providers
Each SecureMFA provider app must have default values loaded to work. The user performing the commands below must have the "App Configuration Data Owner" role assigned in the App Configuration store.
Default Key-Values for WEB-API App
The WEB API app must have default values loaded into the App Configuration store with exact name and label values. App configuration load keys from the configuration store by using KeyFilter = "sMFA:*" and LabelFilter = "Prod"
Below App Configuration Store Explorer view for above values
Configure Key-Values with Powershell
Key Vault References
You can replace Key-Values with Key Vault references for better security on secret keys. This allows value storage in Azure Key vault service for better secret security. To use this capability, you will need to provision Azure Key Vault service and assign app service managed identity to the below roles. Note: Key name and Label value must match default values for the app
Minimal AppConfiguration Service Roles: "App Compliance Automation Reader" & "App Configuration Data Reader"
Minimal KeyVault Service Roles: "App Compliance Automation Reader" & "Key Vault Secrets User"
You can configure apps to access the App Configuration Store with a managed identity. To use this capability, you will need to provision app service managed identity minimal roles access "App Compliance Automation Reader" & "App Configuration Data Reader" .
During app configuration tasks, you must update the appsettings.json file with ManagedIdentity = true, as per the example below. Note: Only AppConfig value is required when accessing the App Configuration Store with managed identity.