Secure Azure WebJob API with Azure AD Authentication

Introduction

Before diving into the security aspect of Azure Webjobs, let's first try to understand what webjobs are.

If we want to define it in simple words, Azure Webjobs are Microsoft's PaaS solution to run background jobs. Basically, we can take them as direct replacement of Windows Service which we develop to run background jobs. They are part of Azure App Service and run in same instances as that of WebApps. We do not have to bear additional cost for the webjobs.

Similar to Windows Service, there are two types of Azure Webjobs:

1. Continues - As the name suggests, they will run continuously until we stop them forcefully
2. Triggered - They will not run until an external force starts them

Again, there are two types of Continuous Webjobs:

1. Multi Instance - These webjobs will run the program on all the instances of app service plan of Azure App service in which webjobs are hosted. By default, all Continuous webjobs are Multi Instance webjobs.
2. Single Instance - These webjobs will run the program only on one instance of app service plan of Azure App Service in which webjobs are hosted. 

Similarly, Triggered webjobs are also of two types based on how they triggered:

1. Scheduled Web jobs - These webjobs will start running the program at pre-defined time. But in case we require to trigger them beside their schedule time, we can do it by triggering manually by signing into Azure Portal or through Webhook URL
2. Manually Triggered Web Jobs - which we have to trigger manually by signing into Azure Portal or through Webhook URL

To know more about the webjobs, you can read this MSDN article.

What is Azure Webjobs Webhook URL?

Azure Webjobs Webhook are nothing but the location of Azure Webjobs in Azure SCM site for that App service in which webjobs are hosted postfixed by the operation we want to perform on the Azure Web jobs.

For example, we have an Azure Webjob named "CodeProjectWebJob" hosted in Azure App Service Named "CodeProjectAppService" and we want to trigger this webjob through HTTP call, then webhook URL would be:

For a continuous Webjob:

https://codeprojectappservice.scm.azurewebsites.net/api/continuouswebjobs/CodeProjectWebJob/run

Whereas for a triggered webjob:

https://codeprojectappservice.scm.azurewebsites.net/api/triggeredwebjobs/CodeProjectWebJob/run

Here, run is command to trigger the webjobs.

Apart from triggering webjobs, we can do operations like delete webjobs, get webjobs history and many more.  (for more information on this, visit here). This webhook URL is secured with the default credentials where username is $appservicename and password we can get from App service publish profile.

Secure Webhook API with Azure AD

We can also secure this webhook API with Azure AD authentication.  To enable Azure AD authentication for webhook API, we need to follow the below steps:

1. Register your App Service with Azure Active Directory
   1. Go to your app service and click on Authentication/Authorization in left panel.
   2. Enable App Service Authentication.
   3. Select "Log in with Azure Active Directory" in Action to take when request is not authenticated and click on Azure Active Directory box:

      

   4. In Management Mode, select Advanced.
   5. Provide Client Id and Issuer URL against which webhook should be authenticated and click OK and Save the settings.

      

2. Provide Contributor Access:
   1. Again, go to your app service and click on Access Control from left panel.
   2. Go to Role Assignments.
   3. Select Contributor role from the Role dropdown.
   4. Add your Azure AD application.

Now Webhook API for your webjob is secured with Azure AD authentication.

While generating Azure AD access token to invoke webjob, we need to make sure to provide https://management.core.windows.net as resource.

History

• 27^th June, 2020 - Initial draft