How to declare the easy auth configuration of Azure Function App in bicep?

Shunlei Tang 140 Reputation points Microsoft Employee
2024-07-11T08:10:21.44+00:00

The Azure Function App is set up with easy auth (the legacy version), so I tried to write it following exported ARM templates. However, I exported the resource-group-level ARM templates and cannot find any content related to easy auth configuration.

Is Microsoft.Web sites/config 'authsettings' the correct resource type? I tried adding a resource of that type, but the az deployment what-if command shows everything I added in the resource as addition changes. It seems I am misconfiguring it and the easy auth configurations are somewhere else.

Azure Functions

Accepted answer
  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-07-12T09:57:43.6666667+00:00

    Hello @Shunlei Tang

    Yes, you are on the right track. The Microsoft.Web/sites/config resource type is the correct one to use for configuring Easy Auth for your Azure Function App. Here is an example of how to declare the Easy Auth configuration in Bicep:

    // Name of the Function App that these auth settings belong to
    param functionAppName string

    resource appServiceConfig 'Microsoft.Web/sites/config@2021-02-01' = {
      name: '${functionAppName}/authsettings'
      properties: {
        enabled: true
        unauthenticatedClientAction: 'RedirectToLoginPage'
        tokenStoreEnabled: true
        defaultProvider: 'AzureActiveDirectory'
        // Azure AD provider: app registration client ID, token issuer, accepted audiences
        clientId: ''
        issuer: 'https://sts.windows.net//'
        allowedAudiences: [ '' ]
        // Other providers, left empty when unused; OAuth scope lists are string arrays
        googleClientId: ''
        googleClientSecret: ''
        googleOAuthScopes: []
        facebookAppId: ''
        facebookAppSecret: ''
        facebookOAuthScopes: []
        twitterConsumerKey: ''
        twitterConsumerSecret: ''
        microsoftAccountClientId: ''
        microsoftAccountClientSecret: ''
        microsoftAccountOAuthScopes: []
        // Token refresh window and redirect handling
        tokenRefreshExtensionHours: 72
        allowedExternalRedirectUrls: []
        additionalLoginParams: []
      }
    }
    
    

    This should help you get started.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.


1 additional answer

  1. Iheanacho Chukwu 1,025 Reputation points MVP
    2024-07-26T21:09:04.59+00:00

    @Shunlei Tang I can help with that follow-up question centred around migrating to Bicep.

    Azure allows you to export ARM templates for resources from the Export Template blade in the portal. However, this is not available for all resources.

    I will suggest retrieving the Auth Settings using the REST API and saving the output to a file for later review.

    az rest --method get --url "/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Web/sites/<FunctionAppName>/config/authsettingsV2/list?api-version=2021-02-01" > authsettings.json
    

    You then manually convert the retrieved JSON settings to a Bicep template, as you wouldn't be able to decompile from JSON to Bicep using az bicep decompile --file authsettings.json, because authsettings.json wouldn't represent a conventional ARM structure that can be decompiled by the az cli command.

    For more information on Migrating to Bicep do review:

    1 person found this answer helpful.
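The manual conversion step described in the answer above can be scripted. This is an added example, not code from either answer: it renders the `properties` object of the saved `authsettings.json` as a Bicep resource and, going beyond the V2 output, also accepts the legacy `authsettings` shape, leaving out inline secret values so they do not land in the template. The function names, the `authConfig` symbol and the "key ends in secret" rule are assumptions made for illustration.

```python
import json

def quote(text):
    # Bicep single-quoted string; escape backslash, quote and interpolation start
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'").replace("${", "\\${") + "'"

def strip_secrets(node, path, found):
    # Copy node without nulls or inline secrets (string values under keys ending in "secret")
    if isinstance(node, dict):
        clean = {}
        for key, val in node.items():
            if isinstance(val, str) and key.lower().endswith("secret"):
                found.append(f"{path}.{key}")  # supply via a @secure() param instead
            elif val is not None:
                clean[key] = strip_secrets(val, f"{path}.{key}", found)
        return clean
    if isinstance(node, list):
        return [strip_secrets(v, path, found) for v in node]
    return node

def to_bicep(value, depth):
    # Render a JSON value as a Bicep literal nested at the given depth
    pad = "  " * depth
    if isinstance(value, dict):
        rows = [f"{pad}  {k if k.isidentifier() else quote(k)}: {to_bicep(v, depth + 1)}"
                for k, v in value.items()]
        return "{\n" + "\n".join(rows) + f"\n{pad}}}" if rows else "{}"
    if isinstance(value, list):
        rows = [f"{pad}  {to_bicep(v, depth + 1)}" for v in value]
        return "[\n" + "\n".join(rows) + f"\n{pad}]" if rows else "[]"
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value) if isinstance(value, int) else quote(str(value))

def authsettings_to_bicep(raw_json, app_param="functionAppName"):
    # Returns (bicep_text, paths_of_stripped_secrets) for an authsettings[V2] response
    doc, found = json.loads(raw_json), []
    props = strip_secrets(doc["properties"], "properties", found)
    name = doc.get("name", "authsettingsV2").split("/")[-1]
    return (f"param {app_param} string\n\n"
            f"resource authConfig 'Microsoft.Web/sites/config@2021-02-01' = {{\n"
            f"  name: '${{{app_param}}}/{name}'\n"
            f"  properties: {to_bicep(props, 1)}\n}}\n"), found

# Constructed sample shaped like the `az rest` output above (authsettingsV2)
SAMPLE = ('{"name": "authsettingsV2", "properties": {"platform": {"enabled": true}, '
          '"globalValidation": {"requireAuthentication": true}}}')
if __name__ == "__main__":
    print(authsettings_to_bicep(SAMPLE)[0])
```

Any path returned in the second element of the tuple was left out of the generated template on purpose and has to be supplied separately, for example through a `@secure()` parameter.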