Share via

Azure App Service (Next.js + NextAuth) returns 403 when calling Azure AD B2C after VNet Integration and NAT Gateway

Aditya Chiruvolu 10 Reputation points
2026-01-20T18:10:03.92+00:00

I’m facing a 403 Forbidden error when my Next.js frontend application (using NextAuth) calls Azure AD B2C, even though all authentication configurations appear to be correct.

Application Setup

  • Frontend: Next.js

Authentication: NextAuth.js

Identity Provider: Azure AD B2C

Hosting: Azure App Service

App Service Plan: Premium V2

Azure AD B2C Configuration

Client ID and Client Secret are verified and correct

Redirect URIs are correctly configured in Azure AD B2C

NextAuth provider configuration matches B2C settings

App Service Configuration

App Service is VNet integrated

A NAT Gateway is attached to the subnet to address possible SNAT/IP exhaustion

Minimum App Service instance count increased to 2

App Settings configured:

NEXTAUTH_URL

  `NEXTAUTH_SECRET`

Problem

When the Next.js application initiates authentication, the request to Azure AD B2C fails with:

HTTP Status: 403 Forbidden

The issue occurs only after VNet integration

Authentication works correctly when running locally

What I’ve Already Checked

Client ID / Secret correctness

Redirect URI matching exactly (including protocol and path)

NextAuth environment variables present in App Service

SNAT/IP exhaustion mitigations via NAT Gateway and scaling

No errors reported in App Service logs beyond the 403

Question

Can Azure AD B2C block requests originating from VNet-integrated App Services due to outbound IP changes or network routing?

Are there additional outbound firewall, service endpoint, or NSG considerations when App Service with NextAuth communicates with Azure AD B2C?

Is there any Azure AD B2C setting or known limitation related to App Service VNet integration or NAT Gateway usage?

Are there recommended diagnostic logs or headers to inspect on the B2C side to identify the root cause of the 403?

Any guidance on troubleshooting this scenario or known best practices would be greatly appreciated.

Environment Summary

Azure App Service (Premium V2)

VNet Integration + NAT Gateway

Next.js + NextAuth

Azure AD B2C

Thank you.I’m facing a 403 Forbidden error when my Next.js frontend application (using NextAuth) calls Azure AD B2C, even though all authentication configurations appear to be correct.

Application Setup

Frontend: Next.js

Authentication: NextAuth.js

Identity Provider: Azure AD B2C

Hosting: Azure App Service

App Service Plan: Premium V2

Azure AD B2C Configuration

Client ID and Client Secret are verified and correct

Redirect URIs are correctly configured in Azure AD B2C

NextAuth provider configuration matches B2C settings

App Service Configuration

App Service is VNet integrated

A NAT Gateway is attached to the subnet to address possible SNAT/IP exhaustion

Minimum App Service instance count increased to 2

App Settings configured:

NEXTAUTH_URL

  `NEXTAUTH_SECRET`

Problem

When the Next.js application initiates authentication, the request to Azure AD B2C fails with:

HTTP Status: 403 Forbidden

The issue occurs only after VNet integration

Authentication works correctly when running locally

What I’ve Already Checked

Client ID / Secret correctness

Redirect URI matching exactly (including protocol and path)

NextAuth environment variables present in App Service

SNAT/IP exhaustion mitigations via NAT Gateway and scaling

No errors reported in App Service logs beyond the 403

Question

Can Azure AD B2C block requests originating from VNet-integrated App Services due to outbound IP changes or network routing?

Are there additional outbound firewall, service endpoint, or NSG considerations when App Service with NextAuth communicates with Azure AD B2C?

Is there any Azure AD B2C setting or known limitation related to App Service VNet integration or NAT Gateway usage?

Are there recommended diagnostic logs or headers to inspect on the B2C side to identify the root cause of the 403?

Any guidance on troubleshooting this scenario or known best practices would be greatly appreciated.

Environment Summary

Azure App Service (Premium V2)

VNet Integration + NAT Gateway

Next.js + NextAuth

Azure AD B2C

Facing this issue from last 15 days. The application is working as expected from last 1 year.
Thank you.

Azure Firewall
Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Shree Hima Bindu Maganti 7,420 Reputation points Microsoft External Staff Moderator
    2026-01-29T14:37:59.3833333+00:00

    Hi @Aditya Chiruvolu
    Azure Active Directory B2C can return an HTTP 403 after integrating Azure App Service with a VNet. This issue is not related to NextAuth, client secrets, redirect URIs, or NAT Gateway settings. Instead, it's caused by outbound network restrictions from VNet integration. When App Service uses a VNet, all outbound traffic goes through it, and if NSGs, UDRs, Azure Firewall, or forced tunneling restrict access to required Microsoft identity endpoints (like *.b2clogin.com, login.microsoftonline.com, or other Azure AD services over HTTPS/443), Azure AD B2C dependencies can fail and return a 403 Forbidden error. NAT Gateway only stabilizes outbound IPs but does not provide trusted access for B2C, and Azure AD B2C does not support IP allowlisting or private endpoints. This explains why authentication works locally or before VNet integration but fails afterward. The solution is to allow unrestricted outbound HTTPS access (or use Microsoft service tags like AzureActiveDirectory and Internet) from the VNet-integrated App Service to all necessary Microsoft identity endpoints, as there is no tenant-side setting in Azure AD B2C to resolve this.
    https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
    https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview
    https://learn.microsoft.com/en-us/azure/nat-gateway/nat-overview
    Let me know if you have any further assistances needed.

    Was this answer helpful?

    0 comments
  2. Luis Arias 9,536 Reputation points Volunteer Moderator
    2026-01-26T13:31:11.2966667+00:00

    Hello Aditya,

    Welcome to Microsoft Q&A , It seems like your Azure B2C is returning 403s when an App Service is VNet‑integrated and the outbound IP or routing changes. Azure AD B2C doesn’t block VNet‑integrated apps by itself, but it can fail requests when the outbound IP changes after enabling VNet Integration with a NAT Gateway.

    First to clariffy how to works the vnet integration outbound :

    Nat gateway

    Private traffic: App Service → VNet Integration → VNet → Private destination

    Public Traffice: App Service → App Service → Azure App Service default outbound IPs → Internet → B2C

    No Nat Gateway

    Private traffic: App Service → VNet Integration → NAT Gateway → Destination

    Public Traffice: App Service → VNet Integration → NAT Gateway → Internet → B2C

    Now digging into your escenrio:

    • When the App Service is VNet‑integrated without a NAT Gateway: Example header B2C receives (App Service outbound IP = 20.30.40.50)

    X-Forwarded-For: 20.30.40.50 X-Client-IP: 20.30.40.50

    • When the App Service is VNet‑integrated with a NAT Gateway: Example header B2C receives (NAT IP = 52.60.70.80):

    X-Forwarded-For: 52.60.70.80 X-Client-IP: 52.60.70.80

    • Why this causes 403: Azure AD B2C strictly validates redirect URIs, CORS origins, and token request behavior. If the outbound IP changes or routing alters access to required public endpoints, B2C can return 403.

    Possible solution:

    Validate that the NAT Gateway IPs are the only outbound addresses, confirm all B2C-required public endpoints are reachable, and ensure redirect URIs/CORS settings match the new outbound behavior. Checking B2C audit logs and the App Service outbound IP list

    References:

    If this resolves your question, please accept the answer.

    Luis

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.