This topic shows you how to configure Azure App Service or Azure Functions to use Microsoft Entra ID to support personal Microsoft account logins.
Important
While the Microsoft Account provider is still supported, it is recommended that apps instead use the Microsoft identity platform provider (Microsoft Entra ID). The Microsoft identity platform offers support for both organizational accounts and personal Microsoft accounts.
Go to App registrations in the Azure portal. If needed, sign in with your Microsoft account.
Select New registration, then enter an application name.
Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
In Redirect URIs, select Web, and then enter https://<app-domain-name>/.auth/login/aad/callback. Replace <app-domain-name> with the domain name of your app. For example, https://contoso.azurewebsites.net/.auth/login/aad/callback. Be sure to use the HTTPS scheme in the URL.
Select Register.
Copy the Application (Client) ID. You'll need it later.
From the left pane, select Certificates & secrets > New client secret. Enter a description, select the validity duration, and select Add.
Copy the value that appears on the Certificates & secrets page. After you leave the page, it won't be displayed again.
Important
The client secret value (password) is an important security credential. Do not share the password with anyone or distribute it within a client application.
Go to your application in the Azure portal.
Select Settings > Authentication / Authorization, and make sure that App Service Authentication is On.
Under Authentication Providers, select Microsoft Entra ID. Select Advanced under Management mode. Paste in the Application (client) ID and client secret that you obtained earlier. Use https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0 for the Issuer Url field.
Select OK.
App Service provides authentication, but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code.
(Optional) To restrict access to Microsoft account users, set Action to take when request is not authenticated to Log in with Microsoft Entra ID. When you set this functionality, your app requires all requests to be authenticated. It also redirects all unauthenticated requests to use Microsoft Entra ID for authentication. Note that because you have configured your Issuer Url to use the Microsoft Account tenant, only personal accounts will successfully authenticate.
Caution
Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, Allow anonymous requests (no action) might be preferred so that the app manually starts authentication itself. For more information, see Authentication flow.
Select Save.
You are now ready to use Microsoft Account for authentication in your app.
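Because App Service only authenticates and leaves authorization to your code, the following added example (not part of the original article) shows one way to make that decision from the `X-MS-CLIENT-PRINCIPAL` request header, which App Service populates with the signed-in user's claims as base64-encoded JSON. The claim type names checked, the object ID allow-list, and the sample header values are assumptions constructed for illustration; the tenant ID is the one from the Issuer Url above.

```python
import base64
import binascii
import json

# Personal Microsoft account tenant ID, taken from the Issuer Url on this page.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"
# Assumed claim type names: the short or the long (URI) form may be present.
TID_TYPES = ("tid", "http://schemas.microsoft.com/identity/claims/tenantid")
OID_TYPES = ("oid", "http://schemas.microsoft.com/identity/claims/objectidentifier")


def parse_principal(header_value):
    """Decode X-MS-CLIENT-PRINCIPAL into {claim type: [values]}; None if malformed."""
    try:
        doc = json.loads(base64.b64decode(header_value or "", validate=True))
        claims = {}
        for c in doc["claims"]:
            claims.setdefault(c["typ"], []).append(str(c["val"]))
        return claims
    except (binascii.Error, ValueError, KeyError, TypeError):
        return None


def single(claims, types):
    """Return the claim value only if exactly one distinct value exists (fail closed)."""
    values = {v.lower() for t in types for v in claims.get(t, [])}
    return values.pop() if len(values) == 1 else None


def authorize(header_value, allowed_oids):
    """Return (status, detail): 401 unauthenticated, 403 forbidden, 200 allowed."""
    claims = parse_principal(header_value)
    if claims is None:
        return 401, "no valid principal"
    if single(claims, TID_TYPES) != MSA_TENANT_ID:
        return 403, "not a personal Microsoft account"
    oid = single(claims, OID_TYPES)
    if oid is None or oid not in allowed_oids:
        return 403, "user not on allow-list"
    return 200, oid


def encode_sample(pairs):  # builds a constructed header value for testing
    body = {"auth_typ": "aad", "claims": [{"typ": t, "val": v} for t, v in pairs]}
    return base64.b64encode(json.dumps(body).encode()).decode()


ALLOWED_OIDS = {"00000000-0000-0000-0000-0000000000aa"}  # constructed object ID
SAMPLE_OK = encode_sample([("tid", MSA_TENANT_ID),
                           ("oid", "00000000-0000-0000-0000-0000000000AA")])
```

The header is only trustworthy when requests reach the app through App Service authentication, which sets it itself and does not let external callers supply it; do not reuse this check behind a different front end without re-validating the token.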