Azure App Configuration for SecureMFA Apps

SecureMFA provider apps that support Azure cloud services require an Azure App Configuration store to hold their configuration data. All providers read the store once, at startup; if you change values in the store, you must restart the app service for the new values to be read.

Note: This configuration does not apply to providers below major version 3.0.0.0, which keep their configuration data locally in the "SecureMfa[product]OtpProvider.json" file.

The deployment steps below use the latest PowerShell modules (Az.Accounts, Az.AppConfiguration and Az.Resources) to provision a new App Configuration store and upload the default key-value pairs. The same steps can also be completed through the Azure Portal web interface.

Create an App Configuration Store

The App Configuration store can use the Free tier SKU or above.

# Deploy the Azure resources into a dedicated resource group for the WEB API service
$AzResourceGroup = "azsu-sMFA-WebAPI"
$AzResourceLocation = "uksouth"
$AzAppConfigurationName = "My-Configuration-Store"

# Create a new resource group for the deployment
New-AzResourceGroup -Name $AzResourceGroup -Location $AzResourceLocation

# Create the App Configuration store (Free SKU)
New-AzAppConfigurationStore -Name $AzAppConfigurationName -ResourceGroupName $AzResourceGroup -Location $AzResourceLocation -Sku Free

Get the App Configuration Details

Get the App Configuration store's primary read-only connection string (used as AppConfigReadOnlyKey in the WEB API appsettings.json) and extract the store endpoint URL from it.

$AzAppConfigurationReadOnlyKey = (Get-AzAppConfigurationStoreKey -Name $AzAppConfigurationName -ResourceGroupName $AzResourceGroup | Where-Object { $_.Name -eq "Primary Read Only" }).ConnectionString

# Extract the endpoint URL from the "Endpoint=...;Id=...;Secret=..." connection string
$match = Select-String "\=(.*?)\;Id" -InputObject $AzAppConfigurationReadOnlyKey
$AzAppConfigurationEndpointURL = $match.Matches.Groups[1].Value

# Display the read-only connection string and endpoint URL to use in the WEB API appsettings.json file
"AppConfigReadOnlyKey:" + $AzAppConfigurationReadOnlyKey + "`nAppConfig:" + $AzAppConfigurationEndpointURL

Sample output, which you will need to capture for the app configuration tasks below:

Configure Default Key-Values for Providers

Each SecureMFA provider app must have its default values loaded before it will work. The user running the commands below must hold the "App Configuration Data Owner" role on the App Configuration store.

Default Key-Values for WEB-API App

The WEB API app must have its default values loaded into the App Configuration store with exactly the key names and label shown below. The app loads keys from the store using KeyFilter = "sMFA:*" and LabelFilter = "Prod".

Key="sMFA:WEBAPI:Settings:Company" Label="Prod" Value="MyCompany"
Key="sMFA:WEBAPI:Settings:Serialkey" Label="Prod" Value="m00000000"
Key="sMFA:WEBAPI:Settings:SubscriptionID" Label="Prod" Value="1000000000000000000000001"
Key="sMFA:WEBAPI:Settings:AWSConnectWidgetService" Label="Prod" Value="SecureMFA_Demo_Chat_Flow"
Key="sMFA:WEBAPI:Settings:AWSConnectWidgetJWTValidMinutes" Label="Prod" Value="10"
Key="sMFA:WEBAPI:Settings:AWSConnectWidgetKeyId" Label="Prod" Value="00000000-0000-0000-0000-000000000000"
Key="sMFA:WEBAPI:Settings:AWSConnectWidgetPrivateKey" Label="Prod" Value="AbcdBrhEaxLELcov+UvoZsQyORmkanfg1ZYnHA0emzo="

The App Configuration Store Explorer view of the values above:

Configure Key-Values with PowerShell

# Endpoint URL of the App Configuration store captured in the previous step
$AppConfig = "https://my-configuration-store.azconfig.io"

Set-AzAppConfigurationKeyValue -Endpoint $AppConfig -Key "sMFA:WEBAPI:Settings:Company" -Label "Prod" -Value "MyCompany"
Set-AzAppConfigurationKeyValue -Endpoint $AppConfig -Key "sMFA:WEBAPI:Settings:Serialkey" -Label "Prod" -Value "m00000000"
Set-AzAppConfigurationKeyValue -Endpoint $AppConfig -Key "sMFA:WEBAPI:Settings:SubscriptionID" -Label "Prod" -Value "1000000000000000000000001"
Set-AzAppConfigurationKeyValue -Endpoint $AppConfig -Key "sMFA:WEBAPI:Settings:AWSConnectWidgetService" -Label "Prod" -Value "SecureMFA_Demo_Chat_Flow"
Set-AzAppConfigurationKeyValue -Endpoint $AppConfig -Key "sMFA:WEBAPI:Settings:AWSConnectWidgetJWTValidMinutes" -Label "Prod" -Value "10"
Set-AzAppConfigurationKeyValue -Endpoint $AppConfig -Key "sMFA:WEBAPI:Settings:AWSConnectWidgetKeyId" -Label "Prod" -Value "00000000-0000-0000-0000-000000000000"
Set-AzAppConfigurationKeyValue -Endpoint $AppConfig -Key "sMFA:WEBAPI:Settings:AWSConnectWidgetPrivateKey" -Label "Prod" -Value "AbcdBrhEaxLELcov+UvoZsQyORmkanfg1ZYnHA0emzo="
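Before restarting the app service it is worth confirming that the store really contains every key the WEB API will ask for, using the same key and label filters the app uses, and that secret material such as the AWS Connect private key is not sitting in the store as a plain value. The script below is an added example and not part of the SecureMFA documentation or product; it assumes the Az.AppConfiguration data-plane cmdlets (Get-AzAppConfigurationKeyValue) and an account holding at least "App Configuration Data Reader" on the store. The Key Vault reference content type it checks for is the one Azure App Configuration uses for such references.

```powershell
# Added example (not SecureMFA's own code): verify the default key-values for the
# WEB API are present under the "Prod" label and flag secrets stored in plain text.
$AppConfig = "https://my-configuration-store.azconfig.io"   # store endpoint from the steps above
$Label     = "Prod"

# Keys the WEB API loads (it uses KeyFilter "sMFA:*" and LabelFilter "Prod")
$RequiredKeys = @(
    "sMFA:WEBAPI:Settings:Company",
    "sMFA:WEBAPI:Settings:Serialkey",
    "sMFA:WEBAPI:Settings:SubscriptionID",
    "sMFA:WEBAPI:Settings:AWSConnectWidgetService",
    "sMFA:WEBAPI:Settings:AWSConnectWidgetJWTValidMinutes",
    "sMFA:WEBAPI:Settings:AWSConnectWidgetKeyId",
    "sMFA:WEBAPI:Settings:AWSConnectWidgetPrivateKey"
)

# Keys whose values are secrets and should be Key Vault references rather than plain values
$SecretKeys = @("sMFA:WEBAPI:Settings:AWSConnectWidgetPrivateKey")
$KeyVaultRefContentType = "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8"

# Read the store with the same wildcard key filter and label the app uses
$Stored = Get-AzAppConfigurationKeyValue -Endpoint $AppConfig -Key "sMFA:*" -Label $Label
$StoredByKey = @{}
foreach ($kv in $Stored) { $StoredByKey[$kv.Key] = $kv }

# 1. Every required key must exist under the label, otherwise the app starts without it
$Missing = $RequiredKeys | Where-Object { -not $StoredByKey.ContainsKey($_) }
if ($Missing) {
    Write-Warning ("Missing key-values under label '{0}': {1}" -f $Label, ($Missing -join ", "))
} else {
    Write-Output "All $($RequiredKeys.Count) required key-values are present under label '$Label'."
}

# 2. Secret-bearing keys should carry the Key Vault reference content type
foreach ($Key in $SecretKeys) {
    $kv = $StoredByKey[$Key]
    if ($null -eq $kv) { continue }
    if ($kv.ContentType -ne $KeyVaultRefContentType) {
        Write-Warning "$Key is stored as a plain value; consider replacing it with a Key Vault reference."
    } else {
        Write-Output "$Key is a Key Vault reference."
    }
}

# 3. The JWT lifetime must be a whole number of minutes, or the app will fail to parse it
$Ttl = $StoredByKey["sMFA:WEBAPI:Settings:AWSConnectWidgetJWTValidMinutes"]
if ($Ttl -and -not ($Ttl.Value -match '^\d+$')) {
    Write-Warning "AWSConnectWidgetJWTValidMinutes value '$($Ttl.Value)' is not a whole number of minutes."
}
```

Run it after the Set-AzAppConfigurationKeyValue commands and again after any later edit to the store; because the providers only read the store at startup, a missing or malformed value is much cheaper to catch here than after a restart.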

Key Vault References

You can replace key-values with Key Vault references to better protect secret keys: the value itself is then stored in the Azure Key Vault service rather than in the App Configuration store. To use this capability you will need to provision an Azure Key Vault and assign the app service's managed identity the roles described under Managed Identity below. Note: the key name and label must still match the app's default values exactly.
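The following is an added example, not SecureMFA's own code, of moving the AWS Connect widget private key into Key Vault and replacing the plain value with a Key Vault reference while keeping the key name and "Prod" label the app expects. It assumes the Az.KeyVault and Az.AppConfiguration modules; the vault name and the secret name are placeholders you must choose yourself, and the -ContentType parameter of Set-AzAppConfigurationKeyValue is used to mark the value as a reference.

```powershell
# Added example (not SecureMFA's own code): store the private key in Key Vault and
# point the App Configuration key at it with a Key Vault reference.
$AzResourceGroup    = "azsu-sMFA-WebAPI"
$AzResourceLocation = "uksouth"
$KeyVaultName       = "my-smfa-keyvault"            # placeholder, must be globally unique
$SecretName         = "AWSConnectWidgetPrivateKey"  # placeholder secret name in the vault
$AppConfig          = "https://my-configuration-store.azconfig.io"

# Create the vault with RBAC authorization so access can be granted by role to the managed identity
New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $AzResourceGroup -Location $AzResourceLocation -EnableRbacAuthorization

# Read the secret interactively so it never lands in the shell history or a script file
$SecretValue = Read-Host -Prompt "Enter the AWS Connect widget private key" -AsSecureString
Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName -SecretValue $SecretValue | Out-Null

# A Key Vault reference is a small JSON value {"uri": "<secret URI>"} with a dedicated content type.
# Using the versionless secret URI lets the app pick up a rotated secret on its next restart.
$SecretUri      = "https://$($KeyVaultName).vault.azure.net/secrets/$($SecretName)"
$RefValue       = @{ uri = $SecretUri } | ConvertTo-Json -Compress
$RefContentType = "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8"

# Same key name and label as the default value, only the value and content type change
Set-AzAppConfigurationKeyValue -Endpoint $AppConfig `
    -Key "sMFA:WEBAPI:Settings:AWSConnectWidgetPrivateKey" -Label "Prod" `
    -Value $RefValue -ContentType $RefContentType

# Confirm the store now holds a reference, not the key material
$Stored = Get-AzAppConfigurationKeyValue -Endpoint $AppConfig -Key "sMFA:WEBAPI:Settings:AWSConnectWidgetPrivateKey" -Label "Prod"
if ($Stored.ContentType -eq $RefContentType) {
    Write-Output "AWSConnectWidgetPrivateKey is now a Key Vault reference to $SecretUri"
} else {
    Write-Warning "AWSConnectWidgetPrivateKey is still a plain value"
}
```

The app service's managed identity must be allowed to read the secret from the vault (the "Key Vault Secrets User" role scoped to the vault, assigned as in the Managed Identity section) or the reference will fail to resolve at startup.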

Managed Identity

You can configure the apps to access the App Configuration store with a managed identity. To use this capability, you will need to grant the app service's managed identity the minimal roles "App Compliance Automation Reader" and "App Configuration Data Reader".

During the app configuration tasks, you must update the appsettings.json file with ManagedIdentity = true, as in the example below. Note: only the AppConfig value is required when accessing the App Configuration store with a managed identity.

"AppConfigReadOnlyKey": "Endpoint=https://my-configuration-store.azconfig.io;Id=Q+va;Secret=9F4D1kxYMFOvU45n+4i78OibXdI94DfpFLrmpYRgq+s=",
"AppConfig": "https://my-configuration-store.azconfig.io",
"ManagedIdentity": "true"
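As an added example (not SecureMFA's own code), the script below enables a system-assigned managed identity on the WEB API app service, grants it the two roles named above scoped to the App Configuration store only, and, where Key Vault references are in use, grants "Key Vault Secrets User" on the vault, then lists the resulting assignments for review. It assumes the Az.Websites, Az.Resources, Az.AppConfiguration and Az.KeyVault modules; the app service and vault names are placeholders, and the Key Vault role is an assumption needed only when the Key Vault References section is followed.

```powershell
# Added example (not SecureMFA's own code): managed identity with least-privilege role scope.
$AzResourceGroup        = "azsu-sMFA-WebAPI"
$AzAppConfigurationName = "My-Configuration-Store"
$WebAppName             = "my-smfa-webapi"    # placeholder app service name
$KeyVaultName           = "my-smfa-keyvault"  # placeholder; only needed for Key Vault references

# Enable the system-assigned identity on the app service and capture its principal id
$WebApp      = Set-AzWebApp -Name $WebAppName -ResourceGroupName $AzResourceGroup -AssignIdentity $true
$PrincipalId = $WebApp.Identity.PrincipalId

# Scope the data-plane roles to the store itself, never to the resource group or subscription
$Store = Get-AzAppConfigurationStore -Name $AzAppConfigurationName -ResourceGroupName $AzResourceGroup
foreach ($Role in @("App Configuration Data Reader", "App Compliance Automation Reader")) {
    New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName $Role -Scope $Store.Id | Out-Null
}

# Key Vault references resolve with the same identity, so it needs read access to the vault secrets
$Vault = Get-AzKeyVault -VaultName $KeyVaultName
if ($Vault) {
    New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName "Key Vault Secrets User" -Scope $Vault.ResourceId | Out-Null
}

# Review: the identity should hold exactly the reader roles above and nothing broader
Get-AzRoleAssignment -ObjectId $PrincipalId | Select-Object RoleDefinitionName, Scope

# The AppConfig value the appsettings.json needs; the connection string is no longer required
Write-Output ("AppConfig: " + $Store.Endpoint)
```

With the identity in place the AppConfigReadOnlyKey connection string (which embeds a long-lived secret) no longer has to be present in appsettings.json, so a leaked configuration file no longer grants access to the store.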