az webapp auth

Manage webapp authentication and authorization.

Commands

az webapp auth show      Show the authentication settings for the webapp.
az webapp auth update    Update the authentication settings for the webapp.

az webapp auth show

Show the authentication settings for the webapp.

az webapp auth show [--ids]
[--name]
[--resource-group]
[--slot]
[--subscription]

Examples

Show the authentication settings for the webapp. (autogenerated)

az webapp auth show --name MyWebApp --resource-group MyResourceGroup
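
The JSON this command prints is what a configuration review works from. As an added example (not part of the Azure CLI documentation), the Python below audits that JSON for weak settings. The field names are assumed to match the App Service auth settings object, the sample input is constructed, and the 72-hour threshold is a hypothetical policy value.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the JSON printed by `az webapp auth show` (not a real app).
# Field names are assumed to match the App Service auth settings object.
SAMPLE = json.loads("""{
  "enabled": true,
  "unauthenticatedClientAction": "AllowAnonymous",
  "defaultProvider": "Facebook",
  "tokenStoreEnabled": true,
  "tokenRefreshExtensionHours": 720.0,
  "allowedExternalRedirectUrls": ["http://partner.example/return",
                                  "https://app.example/done"],
  "issuer": null
}""")


def audit_auth_settings(settings, max_refresh_hours=72.0):
    """Return (severity, message) findings; max_refresh_hours is a local policy value."""
    if not settings.get("enabled"):
        # Nothing else is enforced while the feature is off.
        return [("high", "authentication is disabled")]
    findings = []
    if settings.get("unauthenticatedClientAction") == "AllowAnonymous":
        findings.append(("medium", "anonymous requests reach the app; "
                                   "it must authorize each route itself"))
    for url in settings.get("allowedExternalRedirectUrls") or []:
        if urlparse(url).scheme != "https":
            findings.append(("high", f"redirect URL is not https: {url}"))
    hours = settings.get("tokenRefreshExtensionHours")
    if hours is not None and float(hours) > max_refresh_hours:
        findings.append(("low", f"token refresh window is {float(hours):g}h, "
                                f"policy allows {max_refresh_hours:g}h"))
    if settings.get("defaultProvider") == "AzureActiveDirectory":
        issuer = settings.get("issuer") or ""
        if urlparse(issuer).scheme != "https":
            findings.append(("high", "AAD issuer URL is missing or not https"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_auth_settings(SAMPLE):
        print(f"{severity:6} {message}")
```

To run it against a live app, pipe the command's output into `json.load(sys.stdin)` in place of the constructed sample.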

Optional Parameters

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--name -n

Name of the web app. You can configure the default using 'az configure --defaults web='.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az webapp auth update

Update the authentication settings for the webapp.

az webapp auth update [--aad-allowed-token-audiences]
[--aad-client-id]
[--aad-client-secret]
[--aad-token-issuer-url]
[--action {AllowAnonymous, LoginWithAzureActiveDirectory, LoginWithFacebook, LoginWithGoogle, LoginWithMicrosoftAccount, LoginWithTwitter}]
[--allowed-external-redirect-urls]
[--enabled {false, true}]
[--facebook-app-id]
[--facebook-app-secret]
[--facebook-oauth-scopes]
[--google-client-id]
[--google-client-secret]
[--google-oauth-scopes]
[--ids]
[--microsoft-account-client-id]
[--microsoft-account-client-secret]
[--microsoft-account-oauth-scopes]
[--name]
[--resource-group]
[--slot]
[--subscription]
[--token-refresh-extension-hours]
[--token-store {false, true}]
[--twitter-consumer-key]
[--twitter-consumer-secret]

Examples

Enable AAD by enabling authentication and setting AAD-associated parameters. The default provider is set to AAD. You must have created an AAD service principal beforehand.

az webapp auth update -g myResourceGroup -n myUniqueApp --enabled true \
  --action LoginWithAzureActiveDirectory \
  --aad-allowed-token-audiences https://webapp_name.azurewebsites.net/.auth/login/aad/callback \
  --aad-client-id ecbacb08-df8b-450d-82b3-3fced03f2b27 --aad-client-secret very_secret_password \
  --aad-token-issuer-url https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7983a3e9c5a/

Allow Facebook authentication by setting FB-associated parameters and turning on the public-profile and email scopes; allow anonymous users.

az webapp auth update -g myResourceGroup -n myUniqueApp --action AllowAnonymous \
  --facebook-app-id my_fb_id --facebook-app-secret my_fb_secret \
  --facebook-oauth-scopes public_profile email

Optional Parameters

--aad-allowed-token-audiences

One or more token audiences (space-delimited).

--aad-client-id

Application ID to integrate AAD organization account Sign-in into your web app.

--aad-client-secret

AAD application secret.

--aad-token-issuer-url

This URL can be found in the JSON output returned from your Active Directory endpoint using your tenantID. The endpoint can be queried from 'az cloud show' at "endpoints.activeDirectory". The tenantID can be found using 'az account show'. Get the "issuer" from the JSON at //.well-known/openid-configuration.

--action

accepted values: AllowAnonymous, LoginWithAzureActiveDirectory, LoginWithFacebook, LoginWithGoogle, LoginWithMicrosoftAccount, LoginWithTwitter

--allowed-external-redirect-urls

One or more URLs (space-delimited).

--enabled

accepted values: false, true

--facebook-app-id

Application ID to integrate Facebook Sign-in into your web app.

--facebook-app-secret

Facebook Application client secret.

--facebook-oauth-scopes

One or more Facebook authentication scopes (space-delimited).

--google-client-id

Application ID to integrate Google Sign-in into your web app.

--google-client-secret

Google Application client secret.

--google-oauth-scopes

One or more Google authentication scopes (space-delimited).

--ids

One or more resource IDs (space-delimited). If provided, no other 'Resource Id' arguments should be specified.

--microsoft-account-client-id

AAD V2 Application ID to integrate Microsoft account Sign-in into your web app.

--microsoft-account-client-secret

AAD V2 Application client secret.

--microsoft-account-oauth-scopes

One or more Microsoft authentication scopes (space-delimited).

--name -n

Name of the web app. You can configure the default using 'az configure --defaults web='.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--token-refresh-extension-hours

Hours, must be formattable into a float.

--token-store

Use App Service Token Store.

accepted values: false, true

--twitter-consumer-key

Application ID to integrate Twitter Sign-in into your web app.

--twitter-consumer-secret

Twitter Application client secret.