Azure Traffic Manager probe degraded due to 401 from Azure Web App


Your Azure Web App (or any Azure App Service) has authentication enabled but you want to use Traffic Manager.  Since the probe returns the HTTP status code 401, the endpoint is considered degraded.  This blog only applies to Azure App Service Authentication.  If you are using a third Party like Auth0 you need to provide a non-authenticated URL using a different method.


Whatever you use for an endpoint in Azure Traffic Manager, it must return a 200.  Your site is locked down so any request returns 401


Use URL Authorization rules with a special Route to allow the ping to succeed.  Note:  This is in preview, so there may be updates as this matures.

  1. Create a directory in your application and call it whatever you wish (for this sample I am using TMStatus).
  2. Put an html file in it and call it something like status.html.
  3. Next add URL Authorization Rule to disable authentication for that directory and ensure you place this json file it in the wwwroot directory.  See: URL Authorization Rules  In this case All routes will be RedirectedToLogin, however the /TMStatus route will allow anonymous requests.

Your json would look something like this:

  "routes": [{
      "path_prefix": "/",
      "policies": { "unauthenticated_action": "RedirectToLoginPage" }
      "path_prefix": "/TMStatus",
      "policies": { "unauthenticated_action": "AllowAnonymous" }

   4. Configure Authorization to Allow Anonymous requests in your Azure Portal:


This should restart your web app and pickup the changes, then point traffic manager to your app/TMStatus/status.html  (or whatever you choose to call these from above).

Now when the ping from traffic manager hits this endpoint, it will return a 200 instead of a 401.

Troubleshooting problems

URL Authorization Rules has a section that talks about using verbose application logging for troubleshooting enabling Application Logging.  If you do not see the logs common causes are that you did not restart the app or you did not select ‘Allow Anonymous requests (no action) as pictured above.