Share via

Azure Load Testing Returning 400/401 Errors During Authentication

Rizvi, Zoya 0 Reputation points
2025-12-02T18:04:38.5+00:00

I'm running an Azure Load Test against an App Service (protected by App Service Authentication / EasyAuth). The application normally requires a user to sign in with Microsoft Entra ID and the backend extracts the user’s email from the ID token for entitlement checks.

When I run the load test, I consistently get:

  • 400 Bad Request

401 Unauthorized

404.01 Not Found (from EasyAuth)

Here is what I already checked:

✔ App works normally when accessed by a user in a browser ✔ Dev environment accepts the same authentication flow ✔ All network rules, TLS settings, and access restrictions allow the load test traffic ✔ App Registration, Enterprise App, and Key Vault secrets are correct ✔ Client credentials flow works only for app-to-app, not user login ✔ Azure Load Test sends the request but the app rejects the authentication token

Problem: Azure Load Testing uses a client credential token (service principal), but my app requires a user ID token (with email claim). Service principals don’t have email → EasyAuth rejects them → 401/404 errors.

Questions:

Is there a supported way for Azure Load Testing to authenticate using a user identity instead of a service principal?

Can Azure Load Testing simulate a browser login or pass a user ID token manually?

Is there any configuration that allows EasyAuth to accept service principal tokens (client_credentials flow), or is code change required on the application side?

Any guidance would be appreciated.

Azure Load Testing
Azure Load Testing
An Azure service that enables developers and testers to generate insights on how to improve the performance, scalability, and capacity usage of their application

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vinodh247 40,051 Reputation points MVP Volunteer Moderator
    2025-12-03T06:57:44.7866667+00:00

    Hi ,

    Thanks for reaching out to Microsoft Q&A.

    Azure Load Testing cannot produce user ID tokens and cannot bypass EasyAuth. To load test user-authenticated endpoints, you need to adjust the app or use a different tool.

    1. Azure Load Testing cannot authenticate as a user. It only supports client_credentials (service principal). There is no supported mode where ALT signs in as a real user or generates a user ID token with email.

    ALT cannot simulate an interactive browser login. No MSAL interactive, no redirect flow, no device code flow. You cannot make ALT perform a full Entra login and return an ID token.

    You cannot make EasyAuth accept client_credentials tokens without changing your app. EasyAuth will reject service principal tokens if your code expects a user (ID token with email claim). To load test this setup, you must change your auth model for the load test:

    Option A: Add a separate API scope that allows app-only access and bypasses user-claim checks.

      Option B: Add test-only bypass logic (feature flag) to skip the user email requirement.
  
     Option C: Hit a backend API endpoint that does not depend on user identity.
    1. If you need true userflow load testing, you must use a different tool. Ex., JMeter, Playwright, K6, or Selenium based tests that perform the interactive login manually.

    Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.