Configure your App Service app to use Azure AD login

This article shows you how to configure Azure App Service to use Azure Active Directory (Azure AD) as an authentication provider.

Note

At this time, Azure App Service and Azure Functions support only the Azure AD v1.0 endpoint. They don't support the Microsoft identity platform v2.0 endpoint, which is the one the Microsoft Authentication Libraries (MSAL) target.

Follow these best practices when setting up your app and authentication:

  • Give each App Service app its own permissions and consent.
  • Configure each App Service app with its own registration.
  • Avoid permission sharing between environments by using separate app registrations for separate deployment slots. When testing new code, this practice can help prevent issues from affecting the production app.

Configure with express settings

  1. In the Azure portal, go to your App Service app.

  2. Select Settings > Authentication / Authorization in the left pane, and make sure that App Service Authentication is On.

  3. Select Azure Active Directory, and then select Express under Management Mode.

  4. Select OK to register the App Service app in Azure Active Directory. A new app registration is created.

    If you want to choose an existing app registration instead:

    1. Choose Select an existing app and then search for the name of a previously created app registration within your tenant.
    2. Select the app registration and then select OK.
    3. Then select OK on the Azure Active Directory settings page.

    By default, App Service provides authentication but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code.

  5. (Optional) To restrict app access only to users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory. With this setting, your app requires all requests to be authenticated, and App Service redirects every unauthenticated request to Azure Active Directory for sign-in before it reaches your code.

    Caution

    Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, Allow anonymous requests (no action) might be preferred, with the app manually starting login itself. For more information, see Authentication flow.

  6. Select Save.
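The following Python example is added here and is not part of the original article. It shows the authorization step the article says your app code must perform when App Service only authenticates (the default) or when you keep Allow anonymous requests: it decodes the X-MS-CLIENT-PRINCIPAL header that App Service injects after a successful Azure AD sign-in and checks for a required role claim, returning 401 when no user is signed in and 403 when the user lacks the role. The sample principal, the claim values and the role name are constructed for illustration.

```python
import base64
import json

# Constructed sample principal in the shape App Service injects into the
# X-MS-CLIENT-PRINCIPAL header (base64-encoded JSON). Every value is made up.
NAME_TYP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_TYP = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
OID_TYP = "http://schemas.microsoft.com/identity/claims/objectidentifier"

SAMPLE_PRINCIPAL = {
    "auth_typ": "aad",
    "name_typ": NAME_TYP,
    "role_typ": ROLE_TYP,
    "claims": [
        {"typ": NAME_TYP, "val": "alice@contoso.example"},
        {"typ": OID_TYP, "val": "11111111-2222-3333-4444-555555555555"},
        {"typ": ROLE_TYP, "val": "Reader"},
    ],
}


def encode_principal(principal):
    """Encode a principal dict the way the header carries it (used to build sample input)."""
    return base64.b64encode(json.dumps(principal).encode("utf-8")).decode("ascii")


def parse_client_principal(header_value):
    """Decode X-MS-CLIENT-PRINCIPAL into a dict with the auth type, display name,
    object ID, the list of role claim values, and a typ -> [values] map of all claims."""
    data = json.loads(base64.b64decode(header_value).decode("utf-8"))
    claims = {}
    for claim in data.get("claims", []):
        claims.setdefault(claim["typ"], []).append(claim["val"])
    name_typ = data.get("name_typ", NAME_TYP)
    role_typ = data.get("role_typ", ROLE_TYP)
    return {
        "auth_typ": data.get("auth_typ"),
        "name": (claims.get(name_typ) or [None])[0],
        "object_id": (claims.get(OID_TYP) or [None])[0],
        "roles": claims.get(role_typ, []),
        "claims": claims,
    }


def authorize(request_headers, required_role):
    """Authorization check for one request. Returns (http_status, message).

    Trust these headers only when the app runs behind App Service with
    authentication turned On: the platform sets them itself and does not pass
    through X-MS-* headers supplied by the client. Run locally, without that
    front door, anyone can forge them.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    raw = headers.get("x-ms-client-principal")
    if not raw:
        # Allow anonymous requests mode: App Service passed the request through
        # without a signed-in user, so the app decides what to do with it.
        return 401, "sign in at /.auth/login/aad"
    principal = parse_client_principal(raw)
    if principal["auth_typ"] != "aad":
        return 403, "unexpected identity provider"
    if required_role not in principal["roles"]:
        return 403, "missing role " + required_role
    return 200, "hello " + principal["name"]


if __name__ == "__main__":
    header = encode_principal(SAMPLE_PRINCIPAL)
    print(authorize({}, "Reader"))
    print(authorize({"X-MS-CLIENT-PRINCIPAL": header}, "Admin"))
    print(authorize({"X-MS-CLIENT-PRINCIPAL": header}, "Reader"))
```

Wire `authorize` into whatever request handler your framework gives you; the role value is whatever app role or group claim you chose to issue to users in the app registration, so substitute your own claim type if you don't use the standard role claim.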

Configure with advanced settings

You can configure app settings manually if you want to use an Azure AD tenant that's different from the one you use to sign in to Azure. To complete this custom configuration, you'll need to:

  1. Create a registration in Azure AD.
  2. Provide some of the registration details to App Service.

Create an app registration in Azure AD for your App Service app

You'll need the following information when you configure your App Service app:

  • Client ID
  • Tenant ID
  • Client secret (optional)
  • Application ID URI

Perform the following steps:

  1. Sign in to the Azure portal and go to your App Service app. Note your app's URL. You'll use it to configure your Azure Active Directory app registration.

  2. Select Azure Active Directory > App registrations > New registration.

  3. In the Register an application page, enter a Name for your app registration.

  4. In Redirect URI, select Web and enter the URL of your App Service app and append the path /.auth/login/aad/callback. For example, https://contoso.azurewebsites.net/.auth/login/aad/callback.

  5. Select Create.

  6. After the app registration is created, copy the Application (client) ID and the Directory (tenant) ID for later.

  7. Select Branding. In Home page URL, enter the URL of your App Service app and select Save.

  8. Select Expose an API > Set. Paste in the URL of your App Service app and select Save.

    Note

    This value is the Application ID URI of the app registration. If another App Service resource, such as an API that runs in the cloud, must accept tokens issued for this web app, you need this Application ID URI when you configure that cloud resource. For example, you use it when you want the cloud service to explicitly grant access to the web app.

  9. Select Add a scope.

    1. In Scope name, enter user_impersonation.
    2. In the text boxes, enter the consent scope name and description you want users to see on the consent page. For example, enter Access my app.
    3. Select Add scope.
  10. (Optional) To create a client secret, select Certificates & secrets > New client secret > Add. Copy the client secret value shown in the page. It won't be shown again.

  11. (Optional) To add multiple Reply URLs, select Authentication.

Add Azure Active Directory information to your App Service app

  1. In the Azure portal, go to your App Service app.

  2. Select Settings > Authentication / Authorization in the left pane, and make sure that App Service Authentication is On.

  3. (Optional) By default, App Service authentication allows unauthenticated access to your app. To enforce user authentication, set Action to take when request is not authenticated to Log in with Azure Active Directory.

  4. Under Authentication Providers, select Azure Active Directory.

  5. In Management mode, select Advanced and configure App Service authentication according to the following table:

    Client ID: Use the Application (client) ID of the app registration.
    Issuer ID: Use https://login.microsoftonline.com/<tenant-id>, and replace <tenant-id> with the Directory (tenant) ID of the app registration.
    Client Secret (Optional): Use the client secret you generated in the app registration.
    Allowed Token Audiences: Additional values that the audience (aud) claim of an incoming token may carry. If this is a cloud or server app that should accept authentication tokens issued for a web app, add the Application ID URI of that web app here.

    Note

    The configured Client ID is always implicitly considered to be an allowed audience, regardless of how you configured the Allowed Token Audiences.

  6. Select OK, and then select Save.

You're now ready to use Azure Active Directory for authentication in your App Service app.
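The next Python example is also added here and is not the article's own code. It mirrors, at the claim level, what the Issuer ID and Allowed Token Audiences settings above configure App Service to enforce on bearer tokens presented to the app, including tokens a native client (next section) obtains for it: the issuer must match, the aud claim must be the configured client ID or one of the allowed audiences, and the token must be inside its validity window. App Service additionally verifies the token signature against the signing keys it discovers from the issuer's OpenID configuration metadata; that step is deliberately not reproduced here, so this is a model of the settings, not a replacement for the platform check. The tenant ID, client ID, Application ID URI and claim values are constructed.

```python
import time

# Constructed identifiers; substitute the values from your own app registration.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
CLIENT_ID = "00000000-0000-0000-0000-00000000bbbb"
APP_ID_URI = "https://contoso.azurewebsites.net"
NOW = 1_700_000_000  # fixed clock so the example is reproducible


def issuer_url(tenant_id):
    """The Issuer ID value from the settings table, built from the tenant ID."""
    return "https://login.microsoftonline.com/" + tenant_id


def allowed_audiences(client_id, configured_audiences=()):
    """The client ID is always an accepted audience, whatever else is configured."""
    return {client_id, *configured_audiences}


def check_token_claims(claims, expected_issuer, client_id,
                       configured_audiences=(), now=None, skew=300):
    """Return None if the claims pass, otherwise a short rejection reason.

    expected_issuer is the issuer value resolved for the tenant; the token's
    iss claim must match it exactly. skew is the clock tolerance in seconds.
    Signature verification is out of scope here (see lead-in).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        return "issuer mismatch"
    # aud may be a single string or a list of strings in a JWT.
    aud = claims.get("aud")
    aud_values = [aud] if isinstance(aud, str) else list(aud or [])
    if not set(aud_values) & allowed_audiences(client_id, configured_audiences):
        return "audience not allowed"
    if "exp" not in claims or claims["exp"] + skew < now:
        return "expired"
    if claims.get("nbf", 0) - skew > now:
        return "not yet valid"
    return None


def sample_claims(aud, issued_at=NOW):
    """Constructed decoded-token claims, shaped like an Azure AD access token."""
    return {
        "iss": issuer_url(TENANT_ID),
        "aud": aud,
        "iat": issued_at,
        "nbf": issued_at,
        "exp": issued_at + 3600,
        "oid": "11111111-2222-3333-4444-555555555555",
        "upn": "alice@contoso.example",
    }


if __name__ == "__main__":
    iss = issuer_url(TENANT_ID)
    # Token minted for the client ID: accepted with no extra audiences configured.
    print(check_token_claims(sample_claims(CLIENT_ID), iss, CLIENT_ID, now=NOW))
    # Token minted for the Application ID URI: rejected until it is added as an audience.
    print(check_token_claims(sample_claims(APP_ID_URI), iss, CLIENT_ID, now=NOW))
    print(check_token_claims(sample_claims(APP_ID_URI), iss, CLIENT_ID, (APP_ID_URI,), now=NOW))
```

The second and third calls in the usage block are the case the table's note describes: a native client or another service that requests a token for the Application ID URI rather than the client ID is rejected until that URI is listed under Allowed Token Audiences, while tokens for the client ID itself are always accepted.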

Configure a native client application

You can register native clients to allow authentication using a client library such as the Active Directory Authentication Library (ADAL).

  1. In the Azure portal, select Azure Active Directory > App registrations > New registration.

  2. In the Register an application page, enter a Name for your app registration.

  3. In Redirect URI, select Public client (mobile & desktop) and enter the URL of your App Service app and append the path /.auth/login/aad/callback. For example, https://contoso.azurewebsites.net/.auth/login/aad/callback.

  4. Select Create.

    Note

    For a Windows application, use the package SID as the URI instead.

  5. After the app registration is created, copy the value of Application (client) ID.

  6. Select API permissions > Add a permission > My APIs.

  7. Select the app registration you created earlier for your App Service app. If you don't see the app registration, make sure that you've added the user_impersonation scope in Create an app registration in Azure AD for your App Service app.

  8. Select user_impersonation, and then select Add permissions.

You have now configured a native client application that can access your App Service app.

Next steps