When verifying ownership of, for example, a custom domain, or setting up verification for an app registration, Azure's verification process requires you to upload a .json file to your root domain. In enterprise-like organizations this is not always straightforward, as the teams responsible for the identity framework, or for Azure in general, are often not involved in the website itself.
To work around this issue, I’m leveraging the static website functionality of Azure Storage Accounts and simple good ol’ DNS to make sure we don’t need to involve website administrators for Azure purposes. Here are our prerequisites:
- Azure Storage Account & at least Storage Account Contributor rights
- A way to create DNS records / forwarders for your root domain (or subdomains of that root domain)
In my previous post, I explained how to set up verified app registrations on multiple tenants with your MPN ID. One of the steps is to upload a .json file:

We'll assume we do not have root access to this web server and instead leverage an Azure Storage Account, combined with DNS, to take full ownership of updating this .json file every time we need verification.
Let’s start with the easy part, the storage account. Assuming you know how to set one up, all you need to do is head over to the resource and select Static website under Data management. Set it to Enabled and leave the index and error page empty (doesn’t really matter for our use case):

By enabling this feature, we’ll have a new blob container created called $web, under which we can create files. For those familiar with typical web servers, think of this container as your public_html friend from the past ;-).
Head over to Containers, choose the newly created $web container and click Upload:

Choose your previously downloaded .json file and click on Advanced. Under Upload to folder, enter .well-known, then select Upload:

Let’s quickly test if we can reach the .json file through our previously noted down URI:

Great! All that’s left now is to point a subdomain to forward requests (and mask the endpoint URI!) towards our blob static website, so we can complete our verification process.
Now, this next step heavily depends on which DNS provider you use. I’ve used Combell in the past, which allows web forwarding and “cloaking” of the URI. I’m currently using Cloudflare, which has web forwarding under the Page Rules functionality. You can even go as far as setting up a custom domain for the storage account itself right in Azure.
My point is, it doesn’t matter what solution you use and who has full ownership. This provides a simple, cheap, yet effective way of maintaining full ownership over the verification processes attached to Azure, without having to ping back to your (possibly outsourced) website teams. Once your verification is completed, you can simply remove the .json file as well.
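The storage account steps above (enable Static website, upload the file to .well-known in $web, test the URL, remove the file afterwards) can also be scripted with the Azure CLI. This is an added example, not part of the original walkthrough; the account, resource group and file name are placeholders passed as arguments, and the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: CLI equivalent of the portal steps in this post.
# Account, resource group and file name are placeholders given as arguments.
set -eu

# Blob name inside $web: the file always lands under .well-known/.
blob_path() { printf '.well-known/%s' "$(basename "$1")"; }

# Public URL of the file on the static website endpoint.
verification_url() {  # <account> <resource-group> <file>
  web_endpoint=$(az storage account show --name "$1" --resource-group "$2" \
    --query primaryEndpoints.web --output tsv) || return 1
  printf '%s%s\n' "$web_endpoint" "$(blob_path "$3")"
}

# Enable Static website, upload the file, print the URL to test.
publish() {  # <account> <resource-group> <file>
  [ -f "$3" ] || { echo "no such file: $3" >&2; return 1; }
  az storage blob service-properties update --account-name "$1" \
    --static-website true >/dev/null
  # Single quotes stop the shell from expanding $web as a variable.
  az storage blob upload --account-name "$1" --container-name '$web' \
    --name "$(blob_path "$3")" --file "$3" \
    --content-type application/json --overwrite >/dev/null
  verification_url "$1" "$2" "$3"
}

# Remove the file again once verification has completed.
unpublish() {  # <account> <file>
  az storage blob delete --account-name "$1" --container-name '$web' \
    --name "$(blob_path "$2")" >/dev/null
}

# Usage: ./publish.sh <account> <resource-group> <file.json>
if [ "$#" -eq 3 ]; then
  url=$(publish "$@")
  curl --fail --silent --show-error --output /dev/null "$url"
  echo "reachable: $url"
fi
```

Everything in $web is served to anonymous clients through the static website endpoint, so keep only the verification file there and run `unpublish` once verification has completed.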
Hope this helps!