Enable App Service Authentication

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name (link) of the web application that you want to examine.

04 In the navigation panel, under Settings, select Authentication / Authorization to access the authentication configuration settings available for the selected application.

05 On the Authentication / Authorization panel, check the App Service Authentication configuration setting. If the setting status is Off, the Microsoft Azure App Service Authentication feature is not enabled for the selected web application.

06 Repeat steps no. 3 – 5 for each Azure App Service application deployed in the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created within your Microsoft Azure cloud account.

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications deployed in the current Azure subscription:

az webapp list
	--query '[*].id'

02 The command output should return the requested application identifiers (IDs):

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp"
]

03 Run webapp auth show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as identifier parameter and custom query filters to describe the App Service Authentication feature status for the selected web application:

az webapp auth show
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp"
	--query 'enabled'

04 The command output should return the App Service Authentication configuration status (true for enabled, false for disabled):

false

05 Repeat step no. 3 and 4 for each Azure App Service application available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right web app).

04 In the navigation panel, under Settings, select Authentication / Authorization to access the authentication configuration settings available for the selected application.

05 On the Authentication / Authorization panel, perform the following actions:

1. Select On under App Service Authentication configuration setting to enable the feature.
2. From Action to take when request is not authenticated dropdown list choose one of the following:
   • Select Allow Anonymous requests (no action) if you want more flexibility in handling anonymous requests as it lets you present multiple sign-in providers to your app users. This option defers authorization of unauthenticated user traffic to your web application code. To use this option, you have to write code.
   • Select Log in with <provider-name> to allow only authenticated requests. Microsoft Azure App Service redirects all anonymous requests to /.auth/login/<provider> for the provider that you choose. If the anonymous request comes from a native mobile application, the returned response is an HTTP 401 Unauthorized. To use this option, you don't have to write any authentication code for your web application.
3. If you choose to authenticate requests with an authentication provider, select the suitable provider from the Authentication Providers list and configure it by following the Microsoft Azure documentation for the selected provider. Azure App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow. The identity providers available by default are: Microsoft Entra ID, Microsoft Account, Google, Facebook and Twitter. Once you enable authentication and authorization with one of these providers, its sign-in endpoint is available for user authentication and for validation of authentication tokens from the specified provider.
4. Under Advanced Settings, select On next to Token Store to store the authentication tokens. Azure App Service Token Store is a repository of tokens that are associated with the users of your web applications, APIs, or native mobile apps. When you enable authentication with any of the providers listed at the previous step, the Token Store is immediately available to your application.
5. If required, paste the application redirect URL(s) in the Allowed External Redirect URLs box.
6. Click Save to apply the configuration changes.

06 Repeat steps no. 3 – 5 for each Azure App Service application that you want to reconfigure for secure authentication and authorization, available in the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

01 Run webapp auth update command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Service web app that you want to reconfigure as identifier parameter (see Audit section part II to identify the right web app) to enable App Service Authentication feature for the selected web application. For example, the following command request enables App Service Authentication feature for a web application identified by the ID "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp", with authentication token storage enabled, using Google as authentication provider:

az webapp auth update
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp"
	--enabled true
	--action LoginWithGoogle
	--google-client-id "123456789012-abcd1234abcd1234abcd1234abcd1234.apps.googleusercontent.com"
	--google-client-secret "abcdabcdabcdabcdabcdabcd"
	--token-store true

02 The command output should return the metadata for reconfigured Azure App Service web application:

{
  "additionalLoginParams": null,
  "allowedAudiences": null,
  "allowedExternalRedirectUrls": null,
  "clientId": null,
  "clientSecret": null,
  "clientSecretCertificateThumbprint": null,
  "defaultProvider": "Google",
  "enabled": true,
  "facebookAppId": null,
  "facebookAppSecret": null,
  "facebookOauthScopes": null,
  "googleClientId": "123456789012-abcd1234abcd1234abcd1234abcd1234.apps.googleusercontent.com",
  "googleClientSecret": "abcdabcdabcdabcdabcdabcd",
  "googleOauthScopes": null,
  "id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp/config/authsettings",
  "issuer": null,
  "kind": null,
  "location": "West Europe",
  "microsoftAccountClientId": null,
  "microsoftAccountClientSecret": null,
  "microsoftAccountOauthScopes": null,
  "name": "authsettings",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "runtimeVersion": "1.0.0",
  "tags": {},
  "tokenRefreshExtensionHours": null,
  "tokenStoreEnabled": true,
  "twitterConsumerKey": null,
  "twitterConsumerSecret": null,
  "type": "Microsoft.Web/sites/config",
  "unauthenticatedClientAction": "RedirectToLoginPage",
  "validateIssuer": null
}

03 Repeat step no. 1 and 2 for each Azure App Service application that you want to reconfigure for secure authentication and authorization, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.