How to configure app service identity provider?

Question

What is the difference among alternatives in the section

Client application requirement

• Allow requests only from this application itself
• Allow requests from specific client applications
• Allow requests from any application (Not recommended)

and Identity requirement

• Allow requests from any identity
• Allow requests from specific identities

Answer 1

Hi @Ernesto

When you are configuring an app service identity provider, you're essentially creating the app registration that will be used in your directory tenant. From that aspect:

1. Allow requests only from this application itself: This option restricts requests to only the application itself. It is useful when you want to limit access to the app service to only the application itself.
2. Allow requests from specific client applications: This option allows requests from specific client applications. You can specify the client applications by their client IDs. This option is useful when you want to limit access to the app service to specific client applications.
3. Allow requests from any application (Not recommended): This option allows requests from any application. However, it is not recommended as it can pose a security risk.
4. Allow requests from any identity: This option allows requests from any identity. It is useful when you want to allow access to the app service to any identity.
5. Allow requests from specific identities: This option allows requests from specific identities. You can specify the identities by their object IDs. This option is useful when you want to limit access to the app service to specific identities.

The table under Configure Microsoft Entra authentication - Use built-in authorization policy - Azure App Service | Microsoft Learn further elaborates on these configurations, where allowedApplications refers to Client application requirement and allowedPrincipals refers to Identity requirement.