Environment variables and app settings in Azure App Service

In Azure App Service, certain settings are available to the deployment or runtime environment as environment variables. Some of these settings can be customized when you set them manually as app settings. This reference shows the variables you can use or customize.

App environment

The following environment variables are related to the app environment in general.

Setting name Description Example
WEBSITE_SITE_NAME Read-only. App name.
WEBSITE_RESOURCE_GROUP Read-only. Azure resource group name that contains the app resource.
WEBSITE_OWNER_NAME Read-only. Contains the Azure subscription ID that owns the app, the resource group, and the webspace.
REGION_NAME Read-only. Region name of the app.
WEBSITE_PLATFORM_VERSION Read-only. App Service platform version.
HOME Read-only. Path to the home directory (for example, D:\home for Windows).
SERVER_PORT Read-only. The port the app should listen to.
WEBSITE_WARMUP_PATH A relative path to ping to warm up the app, beginning with a slash. The default is /, which pings the root path. The specific path can be pinged by an unauthenticated client, such as Azure Traffic Manager, even if App Service authentication is set to reject unauthenticated clients. (NOTE: This app setting does not change the path used by AlwaysOn.)
WEBSITE_COMPUTE_MODE Read-only. Specifies whether app runs on dedicated (Dedicated) or shared (Shared) VM/s.
WEBSITE_SKU Read-only. SKU of the app. Possible values are Free, Shared, Basic, and Standard.
SITE_BITNESS Read-only. Shows whether the app is 32-bit (x86) or 64-bit (AMD64).
WEBSITE_HOSTNAME Read-only. Primary hostname for the app. Custom hostnames are not accounted for here.
WEBSITE_VOLUME_TYPE Read-only. Shows the storage volume type currently in use.
WEBSITE_NPM_DEFAULT_VERSION Default npm version the app is using.
WEBSOCKET_CONCURRENT_REQUEST_LIMIT Read-only. Limit for websocket's concurrent requests. For Standard tier and above, the value is -1, but there's still a per VM limit based on your VM size (see Cross VM Numerical Limits).
WEBSITE_PRIVATE_EXTENSIONS Set to 0 to disable the use of private site extensions.
WEBSITE_TIME_ZONE By default, the time zone for the app is always UTC. You can change it to any of the valid values that are listed in TimeZone. If the specified value isn't recognized, UTC is used. Atlantic Standard Time
WEBSITE_ADD_SITENAME_BINDINGS_IN_APPHOST_CONFIG In the case of a storage volume failover or reconfiguration, your app is switched over to a standby storage volume. The default setting of 1 prevents your worker process from recycling when the storage infrastructure changes. If you are running a Windows Communication Foundation (WCF) app, disable it by setting it to 0. The setting is slot-specific, so you should set it in all slots.
WEBSITE_PROACTIVE_AUTOHEAL_ENABLED By default, a VM instance is proactively "autohealed" when it's using more than 90% of allocated memory for more than 30 seconds, or when 80% of the total requests in the last two minutes take longer than 200 seconds. If a VM instance has triggered one of these rules, the recovery process is an overlapping restart of the instance. Set to false to disable this recovery behavior. The default is true. For more information, see Proactive Auto Heal.
WEBSITE_PROACTIVE_CRASHMONITORING_ENABLED Whenever the w3wp.exe process on a VM instance of your app crashes due to an unhandled exception for more than three times in 24 hours, a debugger process is attached to the main worker process on that instance, and collects a memory dump when the worker process crashes again. This memory dump is then analyzed and the call stack of the thread that caused the crash is logged in your App Service’s logs. Set to false to disable this automatic monitoring behavior. The default is true. For more information, see Proactive Crash Monitoring.
WEBSITE_DAAS_STORAGE_SASURI During crash monitoring (proactive or manual), the memory dumps are deleted by default. To save the memory dumps to a storage blob container, specify the SAS URI.
WEBSITE_CRASHMONITORING_ENABLED Set to true to enable crash monitoring manually. You must also set WEBSITE_DAAS_STORAGE_SASURI and WEBSITE_CRASHMONITORING_SETTINGS. The default is false. This setting has no effect if remote debugging is enabled. Also, if this setting is set to true, proactive crash monitoring is disabled.
WEBSITE_CRASHMONITORING_SETTINGS A JSON with the following format: {"StartTimeUtc": "2020-02-10T08:21","MaxHours": "<elapsed-hours-from-StartTimeUtc>","MaxDumpCount": "<max-number-of-crash-dumps>"}. Required to configure crash monitoring if WEBSITE_CRASHMONITORING_ENABLED is specified. To only log the call stack without saving the crash dump in the storage account, add ,"UseStorageAccount":"false" in the JSON.
REMOTEDEBUGGINGVERSION Remote debugging version.
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING By default, App Service creates a shared storage for you at app creation. To use a custom storage account instead, set to the connection string of your storage account. For functions, see App settings reference for Functions. DefaultEndpointsProtocol=https;AccountName=<name>;AccountKey=<key>
WEBSITE_CONTENTSHARE When you specify a custom storage account with WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, App Service creates a file share in that storage account for your app. To use a custom name, set this variable to the name you want. If a file share with the specified name doesn't exist, App Service creates it for you. myapp123
WEBSITE_SCM_ALWAYS_ON_ENABLED Read-only. Shows whether Always On is enabled (1) or not (0).
WEBSITE_SCM_SEPARATE_STATUS Read-only. Shows whether the Kudu app is running in a separate process (1) or not (0).

Variable prefixes

The following table shows environment variable prefixes that App Service uses for various purposes.

Setting name Description
APPSETTING_ Signifies that a variable is set by the customer as an app setting in the app configuration. It's injected into a .NET app as an app setting.
MAINSITE_ Signifies a variable is specific to the app itself.
SCMSITE_ Signifies a variable is specific to the Kudu app.
SQLCONNSTR_ Signifies a SQL Server connection string in the app configuration. It's injected into a .NET app as a connection string.
SQLAZURECONNSTR_ Signifies an Azure SQL Database connection string in the app configuration. It's injected into a .NET app as a connection string.
POSTGRESQLCONNSTR_ Signifies a PostgreSQL connection string in the app configuration. It's injected into a .NET app as a connection string.
CUSTOMCONNSTR_ Signifies a custom connection string in the app configuration. It's injected into a .NET app as a connection string.
MYSQLCONNSTR_ Signifies an Azure SQL Database connection string in the app configuration. It's injected into a .NET app as a connection string.
AZUREFILESSTORAGE_ A connection string to a custom share for a container app in Azure Files.
AZUREBLOBSTORAGE_ A connection string to a custom storage account for a container app in Azure Blob Storage.
NOTIFICATIONHUBCONNSTR_ Signifies a connection string to a notification hub in Azure Notification Hubs.
SERVICEBUSCONNSTR_ Signifies a connection string to an instance of Azure Service Bus.
EVENTHUBCONNSTR_ Signifies a connection string to an event hub in Azure Event Hubs.
DOCDBCONNSTR_ Signifies a connection string to a database in Azure Cosmos DB.
REDISCACHECONNSTR_ Signifies a connection string to a cache in Azure Cache for Redis.
FILESHARESTORAGE_ Signifies a connection string to a custom file share.
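
The prefixes above tell you which variables carry credentials, which is what you need when an environment dump is about to be written to a log or pasted into a ticket. The following redaction helper is an added example, not part of the original reference or of App Service itself; the sample environment, the placeholder strings and the SECRET_MARKERS heuristic are constructed for illustration.

```python
"""Redact an App Service environment dump before it is logged or shared."""

# Connection-string prefixes from the table above: the whole value is a credential.
CONNSTR_PREFIXES = (
    "SQLCONNSTR_", "SQLAZURECONNSTR_", "POSTGRESQLCONNSTR_", "CUSTOMCONNSTR_",
    "MYSQLCONNSTR_", "AZUREFILESSTORAGE_", "AZUREBLOBSTORAGE_",
    "NOTIFICATIONHUBCONNSTR_", "SERVICEBUSCONNSTR_", "EVENTHUBCONNSTR_",
    "DOCDBCONNSTR_", "REDISCACHECONNSTR_", "FILESHARESTORAGE_",
)
# Prefixes that only say which site (main app or Kudu) a variable belongs to.
SCOPE_PREFIXES = ("MAINSITE_", "SCMSITE_")
# Settings named elsewhere on this page whose values are keys, passwords or
# SAS URLs. Stored upper-case because Windows variable names ignore case.
SENSITIVE_NAMES = frozenset(n.upper() for n in (
    "IDENTITY_HEADER", "MSI_SECRET", "DOCKER_REGISTRY_SERVER_PASSWORD",
    "MACHINEKEY_DecryptionKey", "MACHINEKEY_ValidationKey",
    "WEBSITE_AUTH_ENCRYPTION_KEY", "WEBSITE_AUTH_SIGNING_KEY",
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "WEBSITE_DAAS_STORAGE_SASURI",
    "WEBSITE_HTTPLOGGING_CONTAINER_URL", "DIAGNOSTICS_AZUREBLOBCONTAINERSASURL",
    "WEBSITE_AUTH_TOKEN_CONTAINER_SASURL",
))
# Assumed heuristic: substrings that mark a credential inside any other value.
SECRET_MARKERS = ("accountkey=", "password=", "pwd=", "sharedaccesskey=", "sig=")


def classify(name):
    """Return (kind, bare_name) for one environment variable name."""
    upper = name.upper()
    for prefix in CONNSTR_PREFIXES:
        if upper.startswith(prefix):
            return "connection-string", name[len(prefix):]
    if upper.startswith("APPSETTING_"):
        return "app-setting", name[len("APPSETTING_"):]
    for prefix in SCOPE_PREFIXES:
        if upper.startswith(prefix):
            return "site-scoped", name[len(prefix):]
    return "platform-or-other", name


def redact(env):
    """Return a copy of env that keeps every name but hides secret values."""
    safe = {}
    for name, value in env.items():
        kind, bare = classify(name)
        if kind == "connection-string":
            safe[name] = "<redacted connection string>"
        elif bare.upper() in SENSITIVE_NAMES:
            safe[name] = "<redacted secret>"
        elif any(marker in value.lower() for marker in SECRET_MARKERS):
            safe[name] = "<redacted: value looks like a credential>"
        else:
            safe[name] = value
    return safe


# Constructed sample environment; none of these values are real.
SAMPLE_ENV = {
    "WEBSITE_SITE_NAME": "contoso-demo",
    "SQLAZURECONNSTR_Orders": "Server=tcp:example.invalid,1433;User ID=app;Password=constructed",
    "APPSETTING_FeatureFlag": "on",
    "APPSETTING_WEBSITE_AUTH_SIGNING_KEY": "00112233445566778899",
    "APPSETTING_Backup": "DefaultEndpointsProtocol=https;AccountName=x;AccountKey=constructed",
    "IDENTITY_HEADER": "constructed-header-value",
    "SCMSITE_Example": "1",
}

if __name__ == "__main__":
    for key, val in sorted(redact(SAMPLE_ENV).items()):
        print(f"{key}={val}")
```

Call redact(dict(os.environ)) in place of dumping os.environ directly; variable names are kept so the output is still useful for troubleshooting.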

Deployment

The following environment variables are related to app deployment. For variables related to App Service build automation, see Build automation.

Setting name Description
DEPLOYMENT_BRANCH For local Git or cloud Git deployment (such as GitHub), set to the branch in Azure you want to deploy to. By default, it is master.
WEBSITE_RUN_FROM_PACKAGE Set to 1 to run the app from a local ZIP package, or set to an external URL to run the app from a remote ZIP package. For more information, see Run your app in Azure App Service directly from a ZIP package.
WEBSITE_USE_ZIP Deprecated. Use WEBSITE_RUN_FROM_PACKAGE.
WEBSITE_RUN_FROM_ZIP Deprecated. Use WEBSITE_RUN_FROM_PACKAGE.
WEBSITE_WEBDEPLOY_USE_SCM Set to false for WebDeploy to stop using the Kudu deployment engine. The default is true. To deploy to Linux apps using Visual Studio (WebDeploy/MSDeploy), set it to false.
MSDEPLOY_RENAME_LOCKED_FILES Set to 1 to attempt to rename DLLs if they can't be copied during a WebDeploy deployment. This setting is not applicable if WEBSITE_WEBDEPLOY_USE_SCM is set to false.
WEBSITE_DISABLE_SCM_SEPARATION By default, the main app and the Kudu app run in different sandboxes. When you stop the app, the Kudu app is still running, and you can continue to use Git deploy and MSDeploy. Each app has its own local files. Turning off this separation (setting to true) is a legacy mode that's no longer fully supported.
WEBSITE_ENABLE_SYNC_UPDATE_SITE Set to 1 to ensure that REST API calls to update site and siteconfig are completely applied to all instances before returning. The default is 1 if deploying with an ARM template, to avoid race conditions with subsequent ARM calls.
WEBSITE_START_SCM_ON_SITE_CREATION In an ARM template deployment, set to 1 in the ARM template to pre-start the Kudu app as part of app creation.
WEBSITE_START_SCM_WITH_PRELOAD For Linux apps, set to true to force preloading the Kudu app when Always On is enabled by pinging its URL. The default is false. For Windows apps, the Kudu app is always preloaded.

Build automation

Kudu build configuration applies to native Windows apps and is used to control the behavior of Git-based (or ZIP-based) deployments.

Setting name Description Example
SCM_BUILD_ARGS Arguments appended to the end of the msbuild command line, so that they override any previous parts of the default command line. To do a clean build: -t:Clean;Compile
SCM_SCRIPT_GENERATOR_ARGS Kudu uses the azure site deploymentscript command described here to generate a deployment script. It automatically detects the language framework type and determines the parameters to pass to the command. This setting overrides the automatically generated parameters. To treat your repository as plain content files: --basic -p <folder-to-deploy>
SCM_TRACE_LEVEL Build trace level. The default is 1. Set to higher values, up to 4, for more tracing. 4
SCM_COMMAND_IDLE_TIMEOUT Time-out in seconds for each command that the build process launches. If a command produces no output for this long, it's considered idle and killed. The default is 60 (one minute). In Azure, there's also a general idle request timeout that disconnects clients after 230 seconds. However, the command will still continue running server-side after that.
SCM_LOGSTREAM_TIMEOUT Time-out of inactivity in seconds before stopping log streaming. The default is 1800 (30 minutes).
SCM_SITEEXTENSIONS_FEED_URL URL of the site extensions gallery. The default is https://www.nuget.org/api/v2/. The URL of the old feed is http://www.siteextensions.net/api/v2/.
SCM_USE_LIBGIT2SHARP_REPOSITORY Set to 0 to use git.exe instead of libgit2sharp for git operations.
WEBSITE_LOAD_USER_PROFILE In case of the error The specified user does not have a valid profile. during ASP.NET build automation (such as during Git deployment), set this variable to 1 to load a full user profile in the build environment. This setting is only applicable when WEBSITE_COMPUTE_MODE is Dedicated.
WEBSITE_SCM_IDLE_TIMEOUT_IN_MINUTES Time-out in minutes for the SCM (Kudu) site. The default is 20.
SCM_DO_BUILD_DURING_DEPLOYMENT With ZIP deploy, the deployment engine assumes that a ZIP file is ready to run as-is and doesn't run any build automation. To enable the same build automation as in Git deploy, set to true.

Language-specific settings

This section shows the configurable runtime settings for each supported language framework. Additional settings are available during build automation at deployment time.

Setting name Description
PORT Read-only. For Linux apps, port that the .NET runtime listens to in the container.
WEBSITE_ROLE_INSTANCE_ID Read-only. ID of the current instance.
HOME Read-only. Directory that points to shared storage (/home).
DUMP_DIR Read-only. Directory for the crash dumps (/home/logs/dumps).
APP_SVC_RUN_FROM_COPY Linux apps only. By default, the app is run from /home/site/wwwroot, a shared directory for all scaled-out instances. Set this variable to true to copy the app to a local directory in your container and run it from there. When using this option, be sure not to hard-code any reference to /home/site/wwwroot. Instead, use a path relative to /home/site/wwwroot.
MACHINEKEY_Decryption For Windows native apps or Windows container apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines (see machineKey Element). To override the default decryption value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file.
MACHINEKEY_DecryptionKey For Windows native apps or Windows container apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines (see machineKey Element). To override the automatically generated decryptionKey value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file.
MACHINEKEY_Validation For Windows native apps or Windows container apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines (see machineKey Element). To override the default validation value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file.
MACHINEKEY_ValidationKey For Windows native apps or Windows container apps, this variable is injected into the app environment or container to enable ASP.NET cryptographic routines (see machineKey Element). To override the automatically generated validationKey value, configure it as an App Service app setting, or set it directly in the machineKey element of the Web.config file.

Domain and DNS

Setting name Description Example
WEBSITE_DNS_SERVER IP address of primary DNS server for outgoing connections (such as to a back-end service). The default DNS server for App Service is Azure DNS, whose IP address is 168.63.129.16. If your app uses VNet integration or is in an App Service environment, it inherits the DNS server configuration from the VNet by default. 10.0.0.1
WEBSITE_DNS_ALT_SERVER IP address of fallback DNS server for outgoing connections. See WEBSITE_DNS_SERVER.

TLS/SSL

For more information, see Use a TLS/SSL certificate in your code in Azure App Service.

Setting name Description
WEBSITE_LOAD_CERTIFICATES Comma-separated thumbprint values of the certificates you want to load in your code, or * to allow all certificates to be loaded in code. Only certificates added to your app can be loaded.
WEBSITE_PRIVATE_CERTS_PATH Read-only. Path in a Windows container to the loaded private certificates.
WEBSITE_PUBLIC_CERTS_PATH Read-only. Path in a Windows container to the loaded public certificates.
WEBSITE_INTERMEDIATE_CERTS_PATH Read-only. Path in a Windows container to the loaded intermediate certificates.
WEBSITE_ROOT_CERTS_PATH Read-only. Path in a Windows container to the loaded root certificates.

Deployment slots

For more information on deployment slots, see Set up staging environments in Azure App Service.

Setting name Description Example
WEBSITE_SLOT_NAME Read-only. Name of the current deployment slot. The name of the production slot is Production.
WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS By default, the versions for site extensions are specific to each slot. This prevents unanticipated application behavior due to changing extension versions after a swap. If you want the extension versions to swap as well, set to 1 on all slots.
WEBSITE_OVERRIDE_PRESERVE_DEFAULT_STICKY_SLOT_SETTINGS Designates certain settings as sticky or not swappable by default. Default is true. Set this setting to false or 0 for all deployment slots to make them swappable instead. There's no fine-grain control for specific setting types.
WEBSITE_SWAP_WARMUP_PING_PATH Path to ping to warm up the target slot in a swap, beginning with a slash. The default is /, which pings the root path. /statuscheck
WEBSITE_SWAP_WARMUP_PING_STATUSES Valid HTTP response codes for the warm-up operation during a swap. If the returned status code isn't in the list, the warmup and swap operations are stopped. By default, all response codes are valid. 200,202
WEBSITE_SLOT_NUMBER_OF_TIMEOUTS_BEFORE_RESTART During a slot swap, maximum number of timeouts after which we force restart the site on a specific VM instance. The default is 3.
WEBSITE_SLOT_MAX_NUMBER_OF_TIMEOUTS During a slot swap, maximum number of timeout requests for a single URL to make before giving up. The default is 5.
WEBSITE_SKIP_ALL_BINDINGS_IN_APPHOST_CONFIG Set to true or 1 to skip all bindings in applicationHost.config. The default is false. If your app triggers a restart because applicationHost.config is updated with the swapped hostnames of the slots, set this variable to true to avoid a restart of this kind. If you are running a Windows Communication Foundation (WCF) app, do not set this variable.

Custom containers

For more information on custom containers, see Run a custom container in Azure.

Setting name Description Example
WEBSITES_ENABLE_APP_SERVICE_STORAGE Set to true to enable the /home directory to be shared across scaled instances. The default is false for custom containers.
WEBSITES_CONTAINER_START_TIME_LIMIT Amount of time in seconds to wait for the container to complete start-up before restarting the container. Default is 230. You can increase it up to the maximum of 1800.
DOCKER_REGISTRY_SERVER_URL URL of the registry server, when running a custom container in App Service. For security, this variable is not passed on to the container. https://<server-name>.azurecr.io
DOCKER_REGISTRY_SERVER_USERNAME Username to authenticate with the registry server at DOCKER_REGISTRY_SERVER_URL. For security, this variable is not passed on to the container.
DOCKER_REGISTRY_SERVER_PASSWORD Password to authenticate with the registry server at DOCKER_REGISTRY_SERVER_URL. For security, this variable is not passed on to the container.
WEBSITES_WEB_CONTAINER_NAME In a Docker Compose app, only one of the containers can be internet accessible. Set to the name of the container defined in the configuration file to override the default container selection. By default, the internet accessible container is the first container to define port 80 or 8080, or, when no such container is found, the first container defined in the configuration file.
WEBSITES_PORT For a custom container, the custom port number on the container for App Service to route requests to. By default, App Service attempts automatic port detection of ports 80 and 8080. This setting is not injected into the container as an environment variable.
WEBSITE_CPU_CORES_LIMIT By default, a Windows container runs with all available cores for your chosen pricing tier. To reduce the number of cores, set to the number of desired cores limit. For more information, see Customize the number of compute cores.
WEBSITE_MEMORY_LIMIT_MB By default all Windows Containers deployed in Azure App Service are limited to 1 GB RAM. Set to the desired memory limit in MB. The cumulative total of this setting across apps in the same plan must not exceed the amount allowed by the chosen pricing tier. For more information, see Customize container memory.
CONTAINER_WINRM_ENABLED For a Windows container app, set to 1 to enable Windows Remote Management (WIN-RM).

Scaling

Setting name Description
WEBSITE_INSTANCE_ID Read-only. Unique ID of the current VM instance, when the app is scaled out to multiple instances.
WEBSITE_IIS_SITE_NAME Deprecated. Use WEBSITE_INSTANCE_ID.
WEBSITE_DISABLE_OVERLAPPED_RECYCLING Overlapped recycling makes it so that before the current VM instance of an app is shut down, a new VM instance starts. In some cases, it can cause file locking issues. You can try turning it off by setting to 1.
WEBSITE_DISABLE_CROSS_STAMP_SCALE By default, apps are allowed to scale across stamps if they use Azure Files or a Docker container. Set to 1 or true to disable cross-stamp scaling within the app's region. The default is 0. Custom Docker containers that set WEBSITES_ENABLE_APP_SERVICE_STORAGE to true or 1 cannot scale cross-stamps because their content is not completely encapsulated in the Docker container.

Logging

Setting name Description Example
WEBSITE_HTTPLOGGING_ENABLED Read-only. Shows whether the web server logging for Windows native apps is enabled (1) or not (0).
WEBSITE_HTTPLOGGING_RETENTION_DAYS Retention period in days of web server logs for Windows native apps, if web server logs are enabled. 10
WEBSITE_HTTPLOGGING_CONTAINER_URL SAS URL of the blob storage container to store web server logs for Windows native apps, if web server logs are enabled. If not set, web server logs are stored in the app's file system (default shared storage).
DIAGNOSTICS_AZUREBLOBRETENTIONINDAYS Retention period in days of application logs for Windows native apps, if application logs are enabled. 10
DIAGNOSTICS_AZUREBLOBCONTAINERSASURL SAS URL of the blob storage container to store application logs for Windows native apps, if application logs are enabled.
APPSERVICEAPPLOGS_TRACE_LEVEL Minimum log level to ship to Log Analytics for the AppServiceAppLogs log type.
DIAGNOSTICS_LASTRESORTFILE The filename to create, or a relative path to the log directory, for logging internal errors for troubleshooting the listener. The default is logging-errors.txt.
DIAGNOSTICS_LOGGINGSETTINGSFILE Path to the log settings file, relative to D:\home or /home. The default is site\diagnostics\settings.json.
DIAGNOSTICS_TEXTTRACELOGDIRECTORY The log folder, relative to the app root (D:\home\site\wwwroot or /home/site/wwwroot). ..\..\LogFiles\Application
DIAGNOSTICS_TEXTTRACEMAXLOGFILESIZEBYTES Maximum size of the log file in bytes. The default is 131072 (128 KB).
DIAGNOSTICS_TEXTTRACEMAXLOGFOLDERSIZEBYTES Maximum size of the log folder in bytes. The default is 1048576 (1 MB).
DIAGNOSTICS_TEXTTRACEMAXNUMLOGFILES Maximum number of log files to keep. The default is 20.
DIAGNOSTICS_TEXTTRACETURNOFFPERIOD Time-out in milliseconds to keep application logging enabled. The default is 43200000 (12 hours).
WEBSITE_LOG_BUFFERING By default, log buffering is enabled. Set to 0 to disable it.
WEBSITE_ENABLE_PERF_MODE For native Windows apps, set to TRUE to turn off IIS log entries for successful requests returned within 10 seconds. This is a quick way to do performance benchmarking by removing extended logging.

Performance counters

The following are 'fake' environment variables that don't exist if you enumerate them, but return their value if you look them up individually. The value is dynamic and can change on every lookup.

Setting name Description
WEBSITE_COUNTERS_ASPNET A JSON object containing the ASP.NET perf counters.
WEBSITE_COUNTERS_APP A JSON object containing sandbox counters.
WEBSITE_COUNTERS_CLR A JSON object containing CLR counters.
WEBSITE_COUNTERS_ALL A JSON object containing the combination of the other three variables.

Caching

Setting name Description
WEBSITE_LOCAL_CACHE_OPTION Whether local cache is enabled. Available options are:
- Default: Inherit the stamp-level global setting.
- Always: Enable for the app.
- OnStorageUnavailability
- Disabled: Disabled for the app.
WEBSITE_LOCAL_CACHE_READWRITE_OPTION Read-write options of the local cache. Available options are:
- ReadOnly: Cache is read-only.
- WriteWithCopyBack: Allow writes to local cache and copy periodically to shared storage. Applicable only for single instance apps as the SCM site points to local cache.
- WriteButDiscardChanges: Allow writes to local cache but discard changes made locally.
WEBSITE_LOCAL_CACHE_SIZEINMB Size of the local cache in MB. Default is 1000 (1 GB).
WEBSITE_LOCALCACHE_READY Read-only flag indicating if the app is using local cache.
WEBSITE_DYNAMIC_CACHE Because app content is stored on a network file share so that multiple instances can access it, the dynamic cache improves performance by caching recently accessed files locally on an instance. The cache is invalidated when a file is modified. The cache location is %SYSTEMDRIVE%\local\DynamicCache (same %SYSTEMDRIVE%\local quota is applied). By default, full content caching is enabled (set to 1), which includes both file content and directory/file metadata (timestamps, size, directory content). To conserve local disk use, set to 2 to cache only directory/file metadata (timestamps, size, directory content). To turn off caching, set to 0.
WEBSITE_READONLY_APP When using dynamic cache, you can disable write access to the app root (D:\home\site\wwwroot or /home/site/wwwroot) by setting this variable to 1. Except for the App_Data directory, no exclusive locks are allowed, so that deployments don't get blocked by locked files.

Networking

The following environment variables are related to hybrid connections and VNET integration.

Setting name Description
WEBSITE_RELAYS Read-only. Data needed to configure the Hybrid Connection, including endpoints and service bus data.
WEBSITE_REWRITE_TABLE Read-only. Used at runtime to do the lookups and rewrite connections appropriately.
WEBSITE_VNET_ROUTE_ALL By default, if you use regional VNet Integration, your app only routes RFC1918 traffic into your VNet. Set to 1 to route all outbound traffic into your VNet and be subject to the same NSGs and UDRs. The setting lets you access non-RFC1918 endpoints through your VNet, secure all outbound traffic leaving your app, and force tunnel all outbound traffic to a network appliance of your own choosing.
WEBSITE_PRIVATE_IP Read-only. IP address associated with the app when integrated with a VNet. For Regional VNet Integration, the value is an IP from the address range of the delegated subnet, and for Gateway-required VNet Integration, the value is an IP from the address range of the point-to-site address pool configured on the Virtual Network Gateway. This IP is used by the app to connect to the resources through the VNet. Also, it can change within the described address range.
WEBSITE_PRIVATE_PORTS Read-only. In VNet integration, shows which ports are useable by the app to communicate with other nodes.

Key vault references

The following environment variables are related to key vault references.

Setting name Description
WEBSITE_KEYVAULT_REFERENCES Read-only. Contains information (including statuses) for all Key Vault references that are currently configured in the app.
WEBSITE_SKIP_CONTENTSHARE_VALIDATION If you set the shared storage connection of your app (using WEBSITE_CONTENTAZUREFILECONNECTIONSTRING) to a Key Vault reference, the app cannot resolve the key vault reference at app creation or update if one of the following conditions is true:
- The app accesses the key vault with a system-assigned identity.
- The app accesses the key vault with a user-assigned identity, and the key vault is locked with a VNet.
To avoid errors at create or update time, set this variable to 1.
WEBSITE_DELAY_CERT_DELETION Set to 1 to ensure that a certificate that a worker process depends on isn't deleted until the process exits.

CORS

The following environment variables are related to Cross-Origin Resource Sharing (CORS) configuration.

Setting name Description
WEBSITE_CORS_ALLOWED_ORIGINS Read-only. Shows the allowed origins for CORS.
WEBSITE_CORS_SUPPORT_CREDENTIALS Read-only. Shows whether setting the Access-Control-Allow-Credentials header to true is enabled (True) or not (False).

Authentication & Authorization

The following environment variables are related to App Service authentication.

Setting name Description
WEBSITE_AUTH_DISABLE_IDENTITY_FLOW When set to true, disables assigning the thread principal identity in ASP.NET-based web applications (including v1 Function Apps). This is designed to allow developers to protect access to their site with auth, but still have it use a separate login mechanism within their app logic. The default is false.
WEBSITE_AUTH_HIDE_DEPRECATED_SID true or false. The default value is false. This is a setting for the legacy Azure Mobile Apps integration for Azure App Service. Setting this to true resolves an issue where the SID (security ID) generated for authenticated users might change if the user changes their profile information. Changing this value may result in existing Azure Mobile Apps user IDs changing. Most apps do not need to use this setting.
WEBSITE_AUTH_NONCE_DURATION A timespan value in the form _hours_:_minutes_:_seconds_. The default value is 00:05:00, or 5 minutes. This setting controls the lifetime of the cryptographic nonce generated for all browser-driven logins. If a login fails to complete in the specified time, the login flow will be retried automatically. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the login.nonce.nonceExpirationInterval configuration value.
WEBSITE_AUTH_PRESERVE_URL_FRAGMENT When set to true and users click on app links that contain URL fragments, the login process will ensure that the URL fragment part of your URL does not get lost in the login redirect process. For more information, see Customize sign-in and sign-out in Azure App Service authentication.
WEBSITE_AUTH_USE_LEGACY_CLAIMS To maintain backward compatibility across upgrades, the authentication module uses the legacy claims mapping of short to long names in the /.auth/me API, so certain mappings are excluded (e.g. "roles"). To get the more modern version of the claims mappings, set this variable to False. In the "roles" example, it would be mapped to the long claim name "http://schemas.microsoft.com/ws/2008/06/identity/claims/role".
WEBSITE_AUTH_DISABLE_WWWAUTHENTICATE true or false. The default value is false. When set to true, removes the WWW-Authenticate HTTP response header from module-generated HTTP 401 responses. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the identityProviders.azureActiveDirectory.login.disableWwwAuthenticate configuration value.
WEBSITE_AUTH_STATE_DIRECTORY A local file system directory path where tokens are stored when the file-based token store is enabled. The default value is %HOME%\Data\.auth. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the login.tokenStore.fileSystem.directory configuration value.
WEBSITE_AUTH_TOKEN_CONTAINER_SASURL A fully qualified blob container URL. Instructs the auth module to store and load all encrypted tokens to the specified blob storage container instead of using the default local file system.
WEBSITE_AUTH_TOKEN_REFRESH_HOURS Any positive decimal number. The default value is 72 (hours). This setting controls the amount of time after a session token expires that the /.auth/refresh API can be used to refresh it. It's intended primarily for use with Azure Mobile Apps, which rely on session tokens. Refresh attempts after this period will fail and end users will be required to sign-in again. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the login.tokenStore.tokenRefreshExtensionHours configuration value.
WEBSITE_AUTH_TRACE_LEVEL Controls the verbosity of authentication traces written to Application Logging. Valid values are Off, Error, Warning, Information, and Verbose. The default value is Verbose.
WEBSITE_AUTH_VALIDATE_NONCE true or false. The default value is true. This value should never be set to false except when temporarily debugging cryptographic nonce validation failures that occur during interactive logins. This application setting is intended for use with the V1 (classic) configuration experience. If using the V2 authentication configuration schema, you should instead use the login.nonce.validateNonce configuration value.
WEBSITE_AUTH_V2_CONFIG_JSON This environment variable is populated automatically by the Azure App Service platform and is used to configure the integrated authentication module. The value of this environment variable corresponds to the V2 (non-classic) authentication configuration for the current app in Azure Resource Manager. It's not intended to be configured explicitly.
WEBSITE_AUTH_ENABLED Read-only. Injected into a Windows or Linux app to indicate whether App Service authentication is enabled.
WEBSITE_AUTH_ENCRYPTION_KEY By default, the automatically generated key is used as the encryption key. To override, set to a desired key. This is recommended if you want to share tokens or sessions across multiple apps. If specified, it supersedes the MACHINEKEY_DecryptionKey setting.
WEBSITE_AUTH_SIGNING_KEY By default, the automatically generated key is used as the signing key. To override, set to a desired key. This is recommended if you want to share tokens or sessions across multiple apps. If specified, it supersedes the MACHINEKEY_ValidationKey setting.
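
A configuration check for the authentication settings in this table, as an added example that is not part of the original reference. The function name, the finding texts and the sample input are constructed for illustration; the input uses the name/value list shape printed by `az webapp config appsettings list`, and comparing values case-insensitively is an assumption.

```python
import json

# V1 (classic) settings and the V2 configuration values the reference names for them.
V1_TO_V2 = {
    "WEBSITE_AUTH_DISABLE_WWWAUTHENTICATE":
        "identityProviders.azureActiveDirectory.login.disableWwwAuthenticate",
    "WEBSITE_AUTH_STATE_DIRECTORY": "login.tokenStore.fileSystem.directory",
    "WEBSITE_AUTH_TOKEN_REFRESH_HOURS": "login.tokenStore.tokenRefreshExtensionHours",
    "WEBSITE_AUTH_VALIDATE_NONCE": "login.nonce.validateNonce",
}
TRACE_LEVELS = {"off", "error", "warning", "information", "verbose"}
KEY_OVERRIDES = {
    "WEBSITE_AUTH_ENCRYPTION_KEY": "MACHINEKEY_DecryptionKey",
    "WEBSITE_AUTH_SIGNING_KEY": "MACHINEKEY_ValidationKey",
}
# Constructed sample in the shape printed by `az webapp config appsettings list`.
SAMPLE = json.loads("""[
  {"name": "WEBSITE_AUTH_VALIDATE_NONCE", "value": "false", "slotSetting": false},
  {"name": "WEBSITE_AUTH_TOKEN_REFRESH_HOURS", "value": "-4", "slotSetting": false},
  {"name": "WEBSITE_AUTH_SIGNING_KEY", "value": "PLACEHOLDER", "slotSetting": false}
]""")

def audit_auth_settings(settings, uses_v2_config=False):
    """Return (setting, finding) pairs; values compared case-insensitively (assumption)."""
    values = {s["name"]: str(s.get("value", "")).strip() for s in settings}
    findings = []
    if values.get("WEBSITE_AUTH_VALIDATE_NONCE", "true").lower() == "false":
        findings.append(("WEBSITE_AUTH_VALIDATE_NONCE",
                         "nonce validation is off; only for temporary debugging"))
    level = values.get("WEBSITE_AUTH_TRACE_LEVEL")
    if level is not None and level.lower() not in TRACE_LEVELS:
        findings.append(("WEBSITE_AUTH_TRACE_LEVEL", f"invalid value {level!r}"))
    hours = values.get("WEBSITE_AUTH_TOKEN_REFRESH_HOURS")
    if hours is not None:
        try:
            ok = float(hours) > 0
        except ValueError:
            ok = False
        if not ok:
            findings.append(("WEBSITE_AUTH_TOKEN_REFRESH_HOURS",
                             "must be a positive decimal number"))
    for name, superseded in KEY_OVERRIDES.items():
        if name in values:
            findings.append((name, f"overrides the generated key, supersedes {superseded}"))
    if uses_v2_config:
        for name, v2 in V1_TO_V2.items():
            if name in values:
                findings.append((name, f"V1 setting; use {v2} in the V2 schema"))
    return findings
```

Pass `uses_v2_config=True` for apps on the V2 authentication schema to also list V1-only settings together with the V2 value that replaces each one.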

Managed identity

The following environment variables are related to managed identities.

Setting name Description
IDENTITY_ENDPOINT Read-only. The URL to retrieve the token for the app's managed identity.
MSI_ENDPOINT Deprecated. Use IDENTITY_ENDPOINT.
IDENTITY_HEADER Read-only. Value that must be added to the X-IDENTITY-HEADER header when making an HTTP GET request to IDENTITY_ENDPOINT. The value is rotated by the platform.
MSI_SECRET Deprecated. Use IDENTITY_HEADER.
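
How an app uses these two variables to request a token, as an added example that is not part of the original reference. The function names are hypothetical; the `resource` query parameter and the `2019-08-01` api-version come from the App Service managed identity REST protocol and are not listed in the table above.

```python
import json
import os
import urllib.parse
import urllib.request

API_VERSION = "2019-08-01"  # api-version of the App Service identity endpoint

def build_token_request(resource, env=os.environ):
    """Build the HTTP GET request for a managed identity token.

    IDENTITY_ENDPOINT and IDENTITY_HEADER are read on every call because the
    platform rotates the header value; a copy cached at startup can go stale.
    MSI_ENDPOINT and MSI_SECRET are deprecated and deliberately not used as
    fallbacks.
    """
    endpoint = env.get("IDENTITY_ENDPOINT")
    header = env.get("IDENTITY_HEADER")
    if not endpoint or not header:
        raise RuntimeError("managed identity is not available in this environment")
    # Append to an existing query string instead of assuming there is none.
    sep = "&" if urllib.parse.urlsplit(endpoint).query else "?"
    query = urllib.parse.urlencode({"resource": resource, "api-version": API_VERSION})
    return urllib.request.Request(
        endpoint + sep + query,
        headers={"X-IDENTITY-HEADER": header},  # treat the value as a secret: never log it
        method="GET",
    )

def get_token(resource, env=os.environ, timeout=5):
    """Send the request and return the parsed JSON token response."""
    request = build_token_request(resource, env)
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

`get_token` only succeeds inside an App Service instance with a managed identity assigned; `build_token_request` can be exercised anywhere by passing a dictionary as `env`.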

Health check

The following environment variables are related to health checks.

Setting name Description
WEBSITE_HEALTHCHECK_MAXPINGFAILURES The maximum number of failed pings before removing the instance. Set to a value between 2 and 100. When you are scaling up or out, App Service pings the Health check path to ensure new instances are ready. For more information, see Health check.
WEBSITE_HEALTHCHECK_MAXUNHEALTHYWORKERPERCENT To avoid overwhelming healthy instances, no more than half of the instances will be excluded. For example, if an App Service Plan is scaled to four instances and three are unhealthy, at most two will be excluded. The other two instances (one healthy and one unhealthy) will continue to receive requests. In the worst-case scenario where all instances are unhealthy, none will be excluded. To override this behavior, set to a value between 0 and 100. A higher value means more unhealthy instances will be removed. The default is 50 (50%).

Push notifications

The following environment variables are related to the push notifications feature.

Setting name Description
WEBSITE_PUSH_ENABLED Read-only. Added when push notifications are enabled.
WEBSITE_PUSH_TAG_WHITELIST Read-only. Contains the tags in the notification registration.
WEBSITE_PUSH_TAGS_REQUIRING_AUTH Read-only. Contains a list of tags in the notification registration that require user authentication.
WEBSITE_PUSH_TAGS_DYNAMIC Read-only. Contains a list of tags in the notification registration that were added automatically.

Note

This article contains references to the term whitelist, a term that Microsoft no longer uses. When the term is removed from the software, we’ll remove it from this article.

WebJobs

The following environment variables are related to WebJobs.

Setting name Description
WEBJOBS_RESTART_TIME For continuous jobs, delay in seconds when a job's process goes down for any reason before relaunching it.
WEBJOBS_IDLE_TIMEOUT For triggered jobs, timeout in seconds, after which the job is aborted if it's idle (it has no CPU time or output).
WEBJOBS_HISTORY_SIZE For triggered jobs, maximum number of runs kept in the history directory per job. The default is 50.
WEBJOBS_STOPPED Set to 1 to disable running any job, and stop all currently running jobs.
WEBJOBS_DISABLE_SCHEDULE Set to 1 to turn off all scheduled triggering. Jobs can still be manually invoked.
WEBJOBS_ROOT_PATH Absolute or relative path of webjob files. For a relative path, the value is combined with the default root path (D:/home/site/wwwroot/ or /home/site/wwwroot/).
WEBJOBS_LOG_TRIGGERED_JOBS_TO_APP_LOGS Set to true to send output from triggered WebJobs to the application logs pipeline (which supports file system, blobs, and tables).
WEBJOBS_SHUTDOWN_FILE File that App Service creates when a shutdown request is detected. It's the web job process's responsibility to detect the presence of this file and initiate shutdown. When using the WebJobs SDK, this part is handled automatically.
WEBJOBS_PATH Read-only. Root path of currently running job (will be under some temporary directory).
WEBJOBS_NAME Read-only. Current job name.
WEBJOBS_TYPE Read-only. Current job type (triggered or continuous).
WEBJOBS_DATA_PATH Read-only. Current job metadata path to contain the job's logs, history, and any artifact of the job.
WEBJOBS_RUN_ID Read-only. For triggered jobs, current run ID of the job.
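
A continuous job that does not use the WebJobs SDK has to watch for the WEBJOBS_SHUTDOWN_FILE file itself. One way to do that, as an added example that is not part of the original reference (the function names and the polling intervals are assumptions):

```python
import os
import time

def shutdown_requested(env=os.environ):
    """True once App Service has created the file named by WEBJOBS_SHUTDOWN_FILE."""
    path = env.get("WEBJOBS_SHUTDOWN_FILE")
    return bool(path) and os.path.exists(path)

def wait_or_shutdown(seconds, env=os.environ, step=0.2):
    """Sleep up to `seconds`, returning True early if shutdown is requested."""
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        if shutdown_requested(env):
            return True
        time.sleep(min(step, max(0.0, deadline - time.monotonic())))
    return shutdown_requested(env)

def run_until_shutdown(do_work, cleanup, env=os.environ, poll_seconds=1.0):
    """Run do_work() repeatedly until the shutdown file appears.

    The file is checked between work units and during the pause, so a long
    pause does not delay shutdown. cleanup() always runs before returning.
    Returns the number of completed work units. Outside App Service, where
    WEBJOBS_SHUTDOWN_FILE is unset, the loop never stops on its own.
    """
    done = 0
    try:
        while not shutdown_requested(env):
            do_work()
            done += 1
            if wait_or_shutdown(poll_seconds, env):
                break
    finally:
        cleanup()
    return done
```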

Functions

Setting name Description
WEBSITE_FUNCTIONS_ARMCACHE_ENABLED Set to 0 to disable the functions cache.
WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT See App settings reference for Azure Functions.
FUNCTIONS_EXTENSION_VERSION See App settings reference for Azure Functions.
AzureWebJobsSecretStorageType See App settings reference for Azure Functions.
FUNCTIONS_WORKER_RUNTIME See App settings reference for Azure Functions.
AzureWebJobsStorage See App settings reference for Azure Functions.
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING See App settings reference for Azure Functions.
WEBSITE_CONTENTSHARE See App settings reference for Azure Functions.
WEBSITE_CONTENTOVERVNET See App settings reference for Azure Functions.
WEBSITE_ENABLE_BROTLI_ENCODING See App settings reference for Azure Functions.
WEBSITE_USE_PLACEHOLDER Set to 0 to disable the placeholder functions optimization on the consumption plan. The placeholder is an optimization that improves the cold start.
WEBSITE_PLACEHOLDER_MODE Read-only. Shows whether the function app is running on a placeholder host (generalized) or its own host (specialized).
WEBSITE_DISABLE_ZIP_CACHE When your app runs from a ZIP package (WEBSITE_RUN_FROM_PACKAGE=1), the five most recently deployed ZIP packages are cached in the app's file system (D:\home\data\SitePackages). Set this variable to 1 to disable this cache. For Linux consumption apps, the ZIP package cache is disabled by default.