Tutorial: Add app authentication to your web app running on Azure App Service

Learn how to enable authentication for your web app running on Azure App Service and limit access to users in your organization.

In this tutorial, you learn how to:

• Configure authentication for the web app.
• Limit access to the web app to users in your organization by using Azure Active Directory (Azure AD) as the identity provider.

Automatic authentication provided by App Service

App Service provides built-in authentication and authorization support, so you can sign in users with no code in your web app. Using the optional App Service authentication/authorization module simplifies authentication and authorization for your app. When you are ready for custom authentication and authorization, you build on this architecture.

App service authentication provides:

• Easily turn on and configure through the Azure portal and app settings.
• No SDKs, specific languages, or changes to application code are required.​
• Several identity providers are supported:
  • Azure AD
  • Microsoft Account
  • Facebook
  • Google
  • Twitter

When the authentication/authorization module is enabled, every incoming HTTP request passes through it before being handled by your app code.​​ To learn more, see Authentication and authorization in Azure App Service.

Connect to backend services as app

User authentication can begin with authenticating the user to your app service as described in the previous section.

Once the app service has the authenticated identity, your system needs to connect to backend services as the app:

• Use managed identity. If managed identity isn't available, then use Key Vault.

• The user identity doesn't need to flow further. Any additional security to reach backend services is handled with the app service's identity.

1. Prerequisites

If you don't have an Azure subscription, create an Azure free account before you begin.

2. Create and publish a web app on App Service

For this tutorial, you need a web app deployed to App Service. You can use an existing web app, or you can follow one of the quickstarts to create and publish a new web app to App Service:

• ASP.NET Core
• Node.js
• Python
• Java

Whether you use an existing web app or create a new one, take note of the following:

• Web app name.
• Resource group that the web app is deployed to.

You need these names throughout this tutorial.

3. Configure authentication and authorization

Now that you have a web app running on App Service, enable authentication and authorization. You use Azure AD as the identity provider. For more information, see Configure Azure AD authentication for your App Service application.

1. In the Azure portal menu, select Resource groups, or search for and select Resource groups from any page.

2. In Resource groups, find and select your resource group. In Overview, select your app's management page.

   

3. On your app's left menu, select Authentication, and then click Add identity provider.

4. In the Add an identity provider page, select Microsoft as the Identity provider to sign in Microsoft and Azure AD identities.

5. For App registration > App registration type, select Create new app registration.

6. For App registration > Supported account types, select Current tenant-single tenant.

7. In the App Service authentication settings section, leave Authentication set to Require authentication and Unauthenticated requests set to HTTP 302 Found redirect: recommended for websites.

8. At the bottom of the Add an identity provider page, click Add to enable authentication for your web app.

   

   You now have an app that's secured by the App Service authentication and authorization.

   Note

   To allow accounts from other tenants, change the 'Issuer URL' to 'https://login.microsoftonline.com/common/v2.0' by editing your 'Identity Provider' from the 'Authentication' blade.

4. Verify limited access to the web app

When you enabled the App Service authentication/authorization module in the previous section, an app registration was created in your Azure AD tenant. The app registration has the same display name as your web app.

1. To check the settings, select Azure Active Directory from the portal menu, and select App registrations.

2. Select the app registration that was created.

3. In the overview, verify that Supported account types is set to My organization only.

   

4. To verify that access to your app is limited to users in your organization, start a browser in incognito or private mode and go to https://<app-name>.azurewebsites.net.

5. You should be directed to a secured sign-in page, verifying that unauthenticated users aren't allowed access to the site.

6. Sign in as a user in your organization to gain access to the site. You can also start up a new browser and try to sign in by using a personal account to verify that users outside the organization don't have access.

5. Clean up resources

If you completed all the steps in this multipart tutorial, you created an app service, app service hosting plan, and a storage account in a resource group. You also created an app registration in Azure Active Directory. When no longer needed, delete these resources and app registration so that you don't continue to accrue charges.

In this tutorial, you learn how to:

• Delete the Azure resources created while following the tutorial.

Delete the resource group

In the Azure portal, select Resource groups from the portal menu and select the resource group that contains your app service and app service plan.

Select Delete resource group to delete the resource group and all the resources.

This command might take several minutes to run.

Delete the app registration

From the portal menu, select Azure Active Directory > App registrations. Then select the application you created.

In the app registration overview, select Delete.

Next steps

In this tutorial, you learned how to:

• Configure authentication for the web app.
• Limit access to the web app to users in your organization.

App service accesses storage