Need help understanding Authentication workflow

Question

I am building a Django Web App, Linux, Python on Basic B1 pricing plan.

What I would like is to restrict access during development/staging. Something like Apache's Basic Auth for restricting access to directories. i.e. Nothing is processed until a user logs in. After login, user can view app as it would run normally.

I would like testers to be able to use the app as an unregistered or registered user, depending on what we're testing. But I don't want the entire internet to be able to login with a valid identity.

If I use GitHub as an Identity provider, and the provided address: my_app/.auth/login/github anyone with GitHub account can login. I can't find a way to restrict login to specific accounts.

If I use Microsoft as an identity provider, I can't find anyway to login. The addresses my_app/.auth/login/azure, and my_app/.auth/login/microsoft don't exist. But, this seems like it would just let anyone with a valid Microsoft account login, similar to using GitHub.

While both of the above methods seem close, I get a 403 Access Denied, I can't find anyway to say allow user: testuser with pass: testpass access.

Access Control seems to deal with Azure permissions, not the app's permissions.

The app testers do not have Azure accounts. ( Sort of mute, because currently can't login with Microsoft anyway. )

Is it possible with a basic App Services Web App, to restrict access unless logged in to known account?

Answer 1

I figured it out.

Using Microsoft as the provider is also Azure AD and the login URL is <my_app>/.auth/login/aad .
(Reading the right documentation helps.)

Everything is working as expected. Only devs and a guest account can access the app.

Everyone else see a 'Sorry, user does not exist.' message.

Preem.