Skip to main content

Create an App Service for the EntraID SCIM Microservice

EmpowerID uses the EntraID SCIM Microservice to make API calls to your Azure tenant in response to your actions in EmpowerID. As part of the deployment process for the microservice, an app service needs to be created to host the microservice and configured for EntraID authentication, as well as with a managed identity that can be granted permissions to access resources protected by EntraID.

To create and configure the app service, you need to complete the following tasks:

  1. Create the app service
  2. Configure the app service to authenticate to EntraID using the service principal you created earlier
  3. Create a managed identity for the app service

Create the app service

  1. In Azure, navigate to All Services > App services and click Create.
  2. Under Project Details, select a Subscription and Resource Group for the App Service. If desired, you can create a new Resource Group.
  3. Under Instance Details, do the following:
  • Name – Enter a name for the Web App.
  • Publish – Select Code.
  • Runtime Stack – Select .NET 6.
  • Operating System – Select Linux.
  • Region – Select the appropriate region.
  1. Under App Service Plan, select an existing Linux Plan or create a new one.
  2. Click Review + Create.
  3. Click Create.
  4. After deployment completes, click Go to Resource and copy the URL from the Overview page. You will need this when you configure the app service for the EmpowerID EntraID SCIM Microservice.

Configure authentication

  1. Navigate to the Authentication blade for the app service and click Add identity provider.
  2. Select Microsoft.
  3. Add the following identity provider information:
  4. App registration type – Select Pick an existing app registration in this directory.
  5. Name or app ID – Select the service principal you created to provide EntraID authentication for the microservice.
  6. Issuer URL – Enter https://login.microsoftonline.com/<Your Tenant ID>
  7. Restrict access – Select Require authentication.
  8. Unauthenticated requests – Select HTTP 401 Unauthorized: recommended for APIs.
  9. Token Store – Leave selected.
  10. Click Add.
  11. After adding the Identity provider, click the Edit link for it.
  12. Set the Issuer URL to https://login.microsoftonline.com/<Your Tenant ID>.
  13. Under Allowed token audiences enter the URL for the app service.
  14. Click Save.

Configure identity

Azure Managed Identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure AD authentication. For the EntraID SCIM microservice, you can choose between two types of managed identities based on your organizational requirements and deployment architecture.

Managed Identity Selection Guide

System-Assigned Managed Identity (App Service lifecycle-bound, unique per resource)

  • Single App Service Deployment: Standard single-instance deployment
  • Simplified Management: Minimal administrative overhead, automatic cleanup
  • Environment Isolation: Complete identity isolation between environments (dev, test, prod)
  • Standard Deployments: Straightforward deployment path with least complexity

User-Assigned Managed Identity (Independent lifecycle, shareable across resources)

  • Multi-Instance Deployments: Multiple SCIM connector instances across App Services or regions
  • High Availability Scenarios: Active-passive or load-balanced configurations
  • Shared Resource Access: Multiple Azure resources requiring identical EntraID permissions
  • Blue-Green Deployments: Identity persistence across App Service replacements
  • Cross-Environment Consistency: Same identity across deployment slots or environments
  • Independent Permission Management: Permissions managed separately from App Service lifecycle
  • Compliance Requirements: Explicit identity management and tracking needs

Create Managed Identity Options

  1. Navigate to the Identity blade for the app service.
  2. Under the System assigned tab, turn on the Status toggle to create the managed identity.
  3. Click Save and then click Yes to confirm that you want to enable system assigned managed identity.

Option 2: User-Assigned Managed Identity (For advanced scenarios)

Step 1: Create the User-Assigned Managed Identity

  1. In Azure, navigate to All Services > Managed Identities.

  2. Click Create to create a new user-assigned managed identity.

  3. Configure the following:

    • Subscription: Select your target subscription
    • Resource Group: Choose the same resource group as your App Service (recommended) or a dedicated identity resource group
    • Region: Must be the same region as your App Service
    • Name: Use a descriptive name like eid-scim-connector-identity or empowerid-entraid-connector-mi

  4. Click Review + Create and then Create.

  5. After creation, copy the Client ID and Principal ID from the identity's overview page - you'll need these for permission assignments.

Step 2: Assign the User-Assigned Identity to the App Service

  1. Navigate to your App Service's Identity blade.
  2. Select the User assigned tab.
  3. Click Add to add a user-assigned managed identity.
  4. Select your subscription and choose the user-assigned managed identity you created.
  5. Click Add to associate the identity with your App Service.

Step 3: Configure Authentication to Use the User-Assigned Identity

When configuring authentication in the App Service, you'll need to specify which managed identity to use:

  1. Navigate to your App Service's Configuration blade.

  2. Under Application settings, click New application setting.

  3. Add the following environment variable:

    • Name: AzureServicesAuthConnectionString
    • Value: RunAs=App;AppId=<CLIENT_ID_OF_USER_MANAGED_IDENTITY>

    Replace <CLIENT_ID_OF_USER_MANAGED_IDENTITY> with the Client ID you copied from the user-assigned managed identity in Step 1.

  4. Click OK to save the setting.

  5. Click Save at the top of the Configuration blade to apply the changes.

  6. The EmpowerID SCIM microservice will automatically detect and use the user-assigned managed identity when this connection string is configured.

Download the publish profile for the app service

  1. Navigate to the Overview page for the app service.
  2. Click Get publish profile and save the file to your machine. You use this file when publishing the EmpowerID EntraID SCIM microservice to Azure.