Configure your App Service app to use Azure Active Directory sign-in

Note

At this time, AAD V2 (including MSAL) is not supported for Azure App Service and Azure Functions.

This article shows you how to configure Azure App Service to use Azure Active Directory as an authentication provider.

It's recommended that you configure each App Service app with its own registration, so it has its own permissions and consent. Also, consider using separate app registrations for separate deployment slots. This avoids permission sharing between environments, so that an issue in new code you're testing does not affect production.

Configure with express settings

  1. In the Azure portal, navigate to your App Service app. In the left navigation, select Authentication / Authorization.

  2. If Authentication / Authorization is not enabled, select On.

  3. Select Azure Active Directory, and then select Express under Management Mode.

  4. Select OK to register the App Service app in Azure Active Directory. This creates a new app registration. If you want to choose an existing app registration instead, click Select an existing app and then search for the name of a previously created app registration within your tenant. Click the app registration to select it and click OK. Then click OK on the Azure Active Directory settings page. By default, App Service provides authentication but does not restrict access to your site content and APIs. You must authorize users in your app code.

  5. (Optional) To restrict access to your app to only users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory. This requires that all requests be authenticated, and all unauthenticated requests are redirected to Azure Active Directory for authentication.

    Note

    Restricting access in this way applies to all calls to your app, which may not be desirable for apps wanting a publicly available home page, as in many single-page applications. For such applications, Allow anonymous requests (no action) may be preferred, with the app manually starting login itself, as described here.

  6. Click Save.
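Because App Service only authenticates the user (step 4 above), the app itself still has to decide who may do what. The following is an added example, not code from the original page or from Azure; it assumes that App Service forwards the signed-in user's claims in an X-MS-CLIENT-PRINCIPAL request header as base64-encoded JSON, and the header value it checks is constructed here.

```python
import base64
import json

# Assumed header name: App Service places a base64 JSON document describing
# the authenticated principal in X-MS-CLIENT-PRINCIPAL on each proxied request.
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL"


def principal_from_headers(headers):
    """Decode the principal header into {"auth_typ": ..., "claims": {typ: [val, ...]}}.
    Returns None when the request carries no principal (anonymous request)."""
    raw = headers.get(PRINCIPAL_HEADER)
    if not raw:
        return None
    doc = json.loads(base64.b64decode(raw))
    claims = {}
    for claim in doc.get("claims", []):
        claims.setdefault(claim["typ"], []).append(claim["val"])
    return {"auth_typ": doc.get("auth_typ"), "claims": claims}


def is_authorized(headers, required_role):
    """The authorization decision the app must make itself: the caller must have
    been authenticated by the AAD provider and carry the required role claim."""
    principal = principal_from_headers(headers)
    if principal is None or principal["auth_typ"] != "aad":
        return False
    return required_role in principal["claims"].get("roles", [])


def _encode_principal(claims):
    """Build a constructed header value shaped like the one App Service sends."""
    doc = {"auth_typ": "aad",
           "claims": [{"typ": t, "val": v} for t, v in claims],
           "name_typ": "name", "role_typ": "roles"}
    return base64.b64encode(json.dumps(doc).encode()).decode()


# Constructed sample request headers for a signed-in user holding the Reader role.
CONSTRUCTED_HEADERS = {
    "X-MS-CLIENT-PRINCIPAL-NAME": "alice@contoso.example",
    PRINCIPAL_HEADER: _encode_principal([("name", "alice@contoso.example"),
                                         ("roles", "Reader")]),
}
```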

Configure with advanced settings

You can also provide configuration settings manually, if the Azure Active Directory tenant you want to use is different from the tenant with which you sign into Azure. To complete the configuration, you must first create a registration in Azure Active Directory, and then you must provide some of the registration details to App Service.

Create an app registration in Azure AD for your App Service app

When creating an app registration manually, note the information that you will need later when configuring your App Service app: the client ID, the tenant ID and, optionally, the client secret and the application ID URI.

  1. In the Azure portal, navigate to your App Service app and note your app's URL. You will use it to configure your Azure Active Directory app registration.

  2. In the Azure portal, from the left menu, select Active Directory > App registrations > New registration.

  3. In the Register an application page, enter a Name for your app registration.

  4. In Redirect URI, select Web and type the URL of your App Service app and append the path /.auth/login/aad/callback. For example, https://contoso.azurewebsites.net/.auth/login/aad/callback. Then select Create.

  5. Once the app registration is created, copy the Application (client) ID and the Directory (tenant) ID for later.

  6. Select Branding. In Home page URL, type the URL of your App Service app and select Save.

  7. Select Expose an API > Set. Paste in the URL of your App Service app and select Save.

    Note

    This value is the Application ID URI of the app registration. If you want to have a front-end web app to access a back-end API, for example, and you want the back end to explicitly grant access to the front end, you need the Application ID URI of the front end when you configure the App Service app resource of the back end.

  8. Select Add a scope. In Scope name, type user_impersonation. In the text boxes, type the consent scope name and description you want users to see on the consent page, such as Access my app. When finished, click Add scope.

  9. (Optional) To create a client secret, select Certificates & secrets > New client secret > Add. Copy the client secret value shown in the page. Once you navigate away, it won't be shown again.

  10. (Optional) To add multiple Reply URLs, select Authentication in the menu.

Add Azure Active Directory information to your App Service app

  1. In the Azure portal, navigate to your App Service app. From the left menu, select Authentication / Authorization. If the Authentication / Authorization feature is not enabled, select On.

  2. (Optional) By default, App Service authentication allows unauthenticated access to your app. To enforce user authentication, set Action to take when request is not authenticated to Log in with Azure Active Directory.

  3. Under Authentication Providers, select Azure Active Directory.

  4. In Management mode, select Advanced and configure App Service authentication according to the following table:

    Client ID: Use the Application (client) ID of the app registration.
    Issuer ID: Use https://login.microsoftonline.com/<tenant-id>, and replace <tenant-id> with the Directory (tenant) ID of the app registration.
    Client Secret (Optional): Use the client secret you generated in the app registration.
    Allowed Token Audiences: If this is a back-end app and you want to allow authentication tokens from a front-end app, add the Application ID URI of the front end here.

    Note

    The configured Client ID is always implicitly considered to be an allowed audience, regardless of how you configured the Allowed Token Audiences.

  5. Select OK, then select Save.

You are now ready to use Azure Active Directory for authentication in your App Service app.
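To make the Issuer ID, Client ID and Allowed Token Audiences settings concrete, here is an added example (not App Service's own implementation) that models how a token's decoded claims are checked against those settings, including the rule that the configured Client ID is always an accepted audience. The tenant ID, client ID and front-end Application ID URI are placeholders; signature verification is assumed to have happened already and is not shown.

```python
import time

TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder Application (client) ID
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}"   # Issuer ID as in the table
FRONT_END_APP_ID_URI = "https://contoso.azurewebsites.net"   # placeholder front-end App ID URI


def accepted_audiences(client_id, allowed_token_audiences):
    """The Client ID is implicitly allowed; Allowed Token Audiences are added to it."""
    return {client_id, *allowed_token_audiences}


def token_accepted(claims, client_id, issuer, allowed_token_audiences, now=None):
    """Return (ok, reason) for already-signature-verified token claims.
    Checks issuer, audience (string or list) and expiry, in that order."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & accepted_audiences(client_id, allowed_token_audiences):
        return False, "audience not allowed"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


# Constructed claims of a token minted for the front end and forwarded to this back end.
CONSTRUCTED_FRONT_END_CLAIMS = {"iss": ISSUER, "aud": FRONT_END_APP_ID_URI, "exp": 2000000000}
```

The same claims are rejected with an empty Allowed Token Audiences list and accepted once the front end's Application ID URI is added, which is exactly the table's guidance for a back-end app.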

Configure a native client application

You can register native clients if you wish to perform sign-ins using a client library such as the Active Directory Authentication Library.

  1. In the Azure portal, from the left menu, select Active Directory > App registrations > New registration.

  2. In the Register an application page, enter a Name for your app registration.

  3. In Redirect URI, select Public client (mobile & desktop) and type the URL of your App Service app and append the path /.auth/login/aad/callback. For example, https://contoso.azurewebsites.net/.auth/login/aad/callback. Then select Create.

    Note

    For a Windows application, use the package SID as the URI instead.

  4. Once the app registration is created, copy the value of Application (client) ID.

  5. From the left menu, select API permissions > Add a permission > My APIs.

  6. Select the app registration you created earlier for your App Service app. If you don't see the app registration, check that you've added the user_impersonation scope in Create an app registration in Azure AD for your App Service app.

  7. Select user_impersonation and click Add permissions.

You have now configured a native client application that can access your App Service app.