This readme demonstrates how to deploy a Python Flask web application to Azure Cloud using Azure App Service. It is recommended that the code sample from Enable your Python Flask webapp to sign in users and call Microsoft Graph with the Microsoft identity platform is used for deployment. You may choose to follow these steps with a different sample or your own project.
- An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see How to get an Azure AD tenant.
- A user account in your Azure AD tenant.
- Visual Studio Code is recommended for running and editing this sample.
- The VS Code Azure Tools Extension is recommended for interacting with Azure through the VS Code interface.
- An Azure subscription. This sample uses the free tier of Azure App Service.
Recommended, though not strictly necessary if not running the sample locally as well:
- Python 3.8
- A virtual environment to install packages in
Follow the setup instructions in the Enable your Python Flask webapp to sign in users and call Microsoft Graph with the Microsoft identity platform sample, or in another Flask sample of your choosing from the Microsoft Identity Flask Tutorial.
Use an Azure AD application registration and its matching sample that you have completed previously. If you have not completed a sample yet, we recommend you proceed to complete the Enable your Python Flask webapp to sign in users and call Microsoft Graph with the Microsoft identity platform sample and use the app registration from it.
In order to get your deployed app fully functional, you must:
- Prepare the web app for deployment.
- Deploy your project to Azure App Service and obtain a published website in the form of `https://example-domain.azurewebsites.net`.
- Update your Azure AD App Registration's redirect URIs from the Azure Portal, in order to include the redirect URI of your deployed Flask application.
You may skip this step if you are doing a test deployment with a development Azure Active Directory App registration that does not have any sensitive data. It is not secure to deploy secrets in a config file to a production application. To deploy your app more securely, you must:
- Supply a config file that omits secrets (i.e., `aad.config.json` that sets `"client_credential": null`).
- After you've deployed your app in the next sections, come back and add the secrets from a secure location such as:
    - Azure Key Vault. Use the Azure Key Vault Secret client library for Python. Set the client secret value in the vault, naming it `CLIENT_SECRET` for example. Then set up the Azure Key Vault client in your app, modify the last lines in the sample's `app.py` file as follows, and redeploy your app:

      ```python
      secret_client = ...  # set up your Azure Key Vault Secret client library for Python here
      # get_secret() returns a KeyVaultSecret object; the secret string is its .value
      app = create_app(secure_client_credential=secret_client.get_secret("CLIENT_SECRET").value)
      ```
    - Environment Variables (Azure Portal > App Services > Your App > Configuration). You must set the value for `CLIENT_SECRET`. Modify the last line in the sample's `app.py` file as follows and then redeploy your app:

      ```python
      import os  # at the top of app.py
      app = create_app(secure_client_credential=os.environ.get("CLIENT_SECRET"))
      ```
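An added example (not code from the sample or from Microsoft): a pre-deployment check that the config JSON carries no non-null `client_credential`, and a startup resolver that takes the secret from the `CLIENT_SECRET` app setting or from Key Vault and fails if neither is configured. The `KEY_VAULT_URL` setting, the nested config layout and the vault secret name `CLIENT-SECRET` (Key Vault secret names accept only letters, digits and hyphens) are assumptions.

```python
import json
import os


def embedded_secret_paths(config_text):
    """Return the path of every non-null "client_credential" in the config JSON."""
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key == "client_credential" and value is not None:
                    yield here
                else:
                    yield from walk(value, here)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                yield from walk(value, f"{path}[{index}]")
    return list(walk(json.loads(config_text), ""))


def resolve_client_secret(environ=None, secret_name="CLIENT-SECRET"):
    """Read the secret from CLIENT_SECRET, else from the vault at KEY_VAULT_URL.

    Raises RuntimeError rather than returning None, so a deployment with no
    secret configured fails at startup instead of at the first sign-in.
    """
    environ = os.environ if environ is None else environ
    secret = environ.get("CLIENT_SECRET", "").strip()
    if secret:
        return secret
    vault_url = environ.get("KEY_VAULT_URL")  # hypothetical setting name
    if not vault_url:
        raise RuntimeError("no CLIENT_SECRET and no KEY_VAULT_URL configured")
    # Imported lazily: the environment-variable path needs no Azure SDK packages.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    # get_secret() returns a KeyVaultSecret object; the string is in .value
    return client.get_secret(secret_name).value


# Constructed sample configs (placeholder values, not real credentials).
SAFE_CONFIG = '{"client": {"client_id": "<app-id>", "client_credential": null}}'
UNSAFE_CONFIG = '{"client": {"client_id": "<app-id>", "client_credential": "<secret>"}}'

if __name__ == "__main__":
    print(embedded_secret_paths(SAFE_CONFIG))
    print(embedded_secret_paths(UNSAFE_CONFIG))
    print(resolve_client_secret({"CLIENT_SECRET": "constructed-value"}))
```

With this in place, the last line of `app.py` would read `app = create_app(secure_client_credential=resolve_client_secret())`.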
If you are sure you want to continue, proceed to step 2.
This guide is for deploying to Azure App Service via VS Code Azure Tools Extension.
You may watch the first 3 minutes of this video tutorial offered by Microsoft Dev Radio to get a video walk through of app deployment with VS Code.
- Follow the instructions in steps 1, 2, 3 and 5 in the official Microsoft docs Python deployment tutorial.
- Work with the Enable your Python Flask webapp to sign in users and call Microsoft Graph with the Microsoft identity platform sample or your own chosen Flask sample instead of the sample listed in the tutorial.
- Disable App Service's default authentication: Navigate to the Azure App Service Portal and locate your project. Once you do, click on the Authentication/Authorization blade. There, make sure that the App Services Authentication is switched off (and nothing else is checked), as this sample is using MSAL for authentication.
- Navigate to the home page of your deployed app; take note of and copy the redirect_uri displayed on the home page.
- Navigate back to the Azure Portal.
- In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations.
- In the resulting screen, select the name of your application.
- In the Authentication blade, paste the URI you copied earlier from your deployed app instance. If the app had multiple redirect URIs, make sure to add new corresponding entries using the App Service's full domain in lieu of `127.0.0.1` for each redirect URI. Save the configuration.
- From the Branding menu, update the Home page URL to the address of your service, for example `https://example-domain.azurewebsites.net/`. Save the configuration.
- You're done! Try navigating to the hosted app!
Were we successful in addressing your learning objective? Consider taking a moment to share your experience with us.
For more information about how OAuth 2.0 protocols work in this scenario and other scenarios, see Authentication Scenarios for Azure AD.
Use Stack Overflow to get support from the community.
Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
Make sure that your questions or comments are tagged with [`azure-ad` `azure-ad-b2c` `ms-identity` `msal`].
If you find a bug in the sample, please raise the issue on GitHub Issues.
To provide a recommendation, visit the following User Voice page.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.