How can you limit which tenant authentication is allowed for with an Azure Static Web App?

Josh Donner 41 Reputation points
2023-11-06T15:51:47.9933333+00:00

We have an Azure static web application that we want to limit access to based on the Azure tenant. Anyone not in the tenant shouldn't be able to access the site. I have followed this guide:

https://anthonychu.ca/post/static-web-apps-restrict-aad-users/

No matter what I try, any valid Microsoft Entra ID login allows access, even if they are not associated with the tenant configured.


Accepted answer
  1. Konstantinos Passadis 19,246 Reputation points MVP
    2023-11-08T22:02:25.43+00:00

    Hello @Josh Donner!

    I suppose you have selected Standard Plan for your Static Apps, right?


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

    1 person found this answer helpful.

1 additional answer

  1. James Hamil 25,236 Reputation points Microsoft Employee
    2023-11-08T20:50:54.64+00:00

    Hi @Josh Donner, you can configure a custom Azure Active Directory (Azure AD) provider. The pre-configured Azure AD provider allows any Microsoft account to sign in, but by configuring a custom Azure AD provider, you can restrict sign-in to a specific Azure AD tenant.

    Here's an example of how to configure a custom Azure AD provider in the staticwebapp.config.json file:

    {
      "auth": {
        "identityProviders": {
          "azureActiveDirectory": {
            "registration": {
              "openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
              "clientIdSettingName": "AZURE_CLIENT_ID",
              "clientSecretSettingName": "AZURE_CLIENT_SECRET"
            }
          }
        }
      }
    }
    

    Make sure to replace <TENANT_ID> with your Azure Active Directory tenant ID.

    Additionally, ensure that you have created the appropriate application settings for AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
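As an added check that is not part of James's answer or of any Microsoft tooling, the script below parses a staticwebapp.config.json and flags the states that still let any Microsoft account sign in: no custom azureActiveDirectory provider, an issuer on the multi-tenant common/organizations/consumers endpoints, the <TENANT_ID> placeholder left unreplaced, or a missing setting name. The tenant GUID and both sample configs are constructed for the demonstration.

```python
import json
import re

# Issuer form that pins a custom Entra ID (Azure AD) registration to one tenant.
TENANT_ISSUER = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/v2\.0/?$",
    re.IGNORECASE,
)
# Multi-tenant endpoints: any of these accepts accounts from outside your tenant.
MULTI_TENANT = ("common", "organizations", "consumers")


def audit_aad_provider(config_text: str) -> list:
    """Return findings for a staticwebapp.config.json document ([] = tenant-pinned)."""
    cfg = json.loads(config_text)
    aad = cfg.get("auth", {}).get("identityProviders", {}).get("azureActiveDirectory")
    if aad is None:
        return ["no custom azureActiveDirectory provider: any Microsoft account can sign in"]
    findings = []
    reg = aad.get("registration", {})
    issuer = reg.get("openIdIssuer", "")
    if not issuer:
        findings.append("registration.openIdIssuer is missing")
    elif "<TENANT_ID>" in issuer:
        findings.append("openIdIssuer still contains the <TENANT_ID> placeholder")
    elif any(f"/{seg}/" in issuer for seg in MULTI_TENANT):
        findings.append(f"openIdIssuer uses a multi-tenant endpoint: {issuer}")
    elif not TENANT_ISSUER.match(issuer):
        findings.append(f"openIdIssuer is not a tenant-pinned v2.0 issuer: {issuer}")
    # Both setting names are required for a custom registration; their values
    # (client ID and secret) live in the app's application settings, not here.
    for key in ("clientIdSettingName", "clientSecretSettingName"):
        if not reg.get(key):
            findings.append(f"registration.{key} is missing")
    return findings


def _config(issuer: str, with_secret: bool = True) -> str:
    """Build a constructed staticwebapp.config.json string for the samples below."""
    reg = {"openIdIssuer": issuer, "clientIdSettingName": "AZURE_CLIENT_ID"}
    if with_secret:
        reg["clientSecretSettingName"] = "AZURE_CLIENT_SECRET"
    return json.dumps({"auth": {"identityProviders": {"azureActiveDirectory": {"registration": reg}}}})


# Constructed samples: the weak form uses the multi-tenant 'common' endpoint; the
# corrected form is pinned to a made-up tenant GUID (placeholder, not a real tenant).
WEAK_CONFIG = _config("https://login.microsoftonline.com/common/v2.0", with_secret=False)
FIXED_CONFIG = _config("https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0")
```

Run it against your own config (json.loads of the file contents) before deploying; an empty result means the provider is pinned to one tenant and both setting names are present.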

