This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 12%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
We have an Azure static web application that we want to limit access to based on the Azure tenant. Anyone not in the tenant shouldn't be able to access the site. I have followed this guide:
https://anthonychu.ca/post/static-web-apps-restrict-aad-users/
No matter what I try, any valid Microsoft Entra ID login allows access, even if they are not associated with the tenant configured.
Hello @Josh Donner !
I suppose you have selected Standard Plan for your Static Apps right ?
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Oh, I see that now, under Hosting Plan we have it set to Free right now. I do see the checkbox for the Custom Authentication under the standard plan now.
Hi @Josh Donner , you can configure a custom Azure Active Directory (Azure AD) provider. The pre-configured Azure AD provider allows any Microsoft account to sign in, but by configuring a custom Azure AD provider, you can restrict sign-in to a specific Azure AD tenant.
Here's an example of how to configure a custom Azure AD provider in the staticwebapp.config.json file:
{
"auth": {
"identityProviders": {
"azureActiveDirectory": {
"registration": {
"openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
"clientIdSettingName": "AZURE_CLIENT_ID",
"clientSecretSettingName": "AZURE_CLIENT_SECRET"
}
}
}
}
}
Make sure to replace <TENANT_ID> with your Azure Active Directory tenant ID.
Additionally, ensure that you have created the appropriate application settings for AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James
You've posted the exact thing that I said I did in my link I posted (I believe the author of my link is the dev that actually implemented this feature in Azure). This does not help unfortunately, I've done all of these steps and it is still allowing any Microsoft AAD login to authorize regardless of tenant.
It seems like any AAD login gets the authenticated role, no matter what tenant is configured.