Authenticate and authorize Static Web Apps
Due to changes in the X (formerly Twitter) API policy, we can't continue to support it as one of the pre-configured providers for your app. If you want to keep using X (formerly Twitter) for authentication and authorization with your app, update your app configuration to register it as a custom provider.
Azure Static Web Apps provides a streamlined authentication experience, where no other actions or configurations are required to use GitHub and Microsoft Entra ID for authentication.
In this article, learn about default behavior, how to set up sign-in and sign-out, how to block an authentication provider, and more.
You can register a custom provider, which disables all pre-configured providers.
Be aware of the following defaults and resources for authentication and authorization with Azure Static Web Apps.
- Any user can authenticate with a pre-configured provider
  - Microsoft Entra ID
  - GitHub
- To restrict an authentication provider, block access with a custom route rule
- After sign-in, users belong to the authenticated role. For more information about roles, see Manage roles
- Define rules in the staticwebapp.config.json file for authorized users to gain access to restricted routes
- Assign users custom roles using the built-in invitations system
- Programmatically assign users custom roles at sign-in with an API function
- Understand that authentication and authorization significantly overlap with routing concepts, which are detailed in the Application configuration guide
- Restrict sign-in to a specific Microsoft Entra tenant by configuring a custom Microsoft Entra provider. The pre-configured Microsoft Entra provider allows any Microsoft account to sign in.
Set up sign-in
Azure Static Web Apps uses the /.auth system folder to provide access to authorization-related APIs. Rather than expose any of the routes under the /.auth folder directly to end users, create routing rules for friendly URLs.
Use the following table to find the provider-specific route.
| Authorization provider | Sign in route |
| --- | --- |
| Microsoft Entra ID | /.auth/login/aad |
| GitHub | /.auth/login/github |
For example, to sign in with GitHub, link to the GitHub sign-in route from the table.
If you choose to support more than one provider, expose a provider-specific link for each on your website. Use a route rule to map a default provider to a friendly route like /login.
Set up post-sign-in redirect
Return a user to a specific page after they sign in by providing a fully qualified URL in the post_login_redirect_uri query string parameter.
You can also redirect unauthenticated users back to the referring page after they sign in. To configure this behavior, create a response override rule that sets post_login_redirect_uri to .referrer.
Set up sign-out
The /.auth/logout route signs users out from the website. You can add a link to your site navigation to allow the user to sign out, like in the following example.
<a href="/.auth/logout">Log out</a>
Use a route rule to map a friendly route like /logout.
Set up post-sign-out redirect
To return a user to a specific page after they sign out, provide a URL in the post_logout_redirect_uri query string parameter.
Block an authentication provider
Because every pre-configured authentication provider is enabled by default, you may want to restrict your app from using one of them. For instance, your app may want to standardize only on providers that expose email addresses.
To block a provider, create a route rule that returns a 404 status code for requests to the blocked provider-specific sign-in route. For example, to restrict Twitter as a provider, add a route rule for /.auth/login/twitter that returns 404.
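A staticwebapp.config.json that ties together the preceding sections (friendly /login and /logout routes, the .referrer post-sign-in redirect, the Twitter block, and routes restricted by role), added here as an example rather than taken from the page or from Microsoft's own documentation. The /account and /admin paths and the administrator role name are assumptions; the administrator role would be granted through the invitations system or an API function as described above.

```json
{
  "routes": [
    {
      "route": "/login",
      "redirect": "/.auth/login/github"
    },
    {
      "route": "/logout",
      "redirect": "/.auth/logout"
    },
    {
      "route": "/.auth/login/twitter",
      "statusCode": 404
    },
    {
      "route": "/account/*",
      "allowedRoles": ["authenticated"]
    },
    {
      "route": "/admin/*",
      "allowedRoles": ["administrator"]
    }
  ],
  "responseOverrides": {
    "401": {
      "redirect": "/.auth/login/github?post_login_redirect_uri=.referrer",
      "statusCode": 302
    }
  }
}
```

Routes are evaluated in the order listed, so the 404 for the blocked provider must appear before any broader rule that could match it; the 401 override sends anonymous visitors of a restricted route to GitHub sign-in and back to the page they asked for.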
Remove personal data
When you grant consent to an application as an end user, the application has access to your email address or username, depending on the identity provider. Once this information is provided, the owner of the application can decide how to manage personal data.
End users need to contact administrators of individual web apps to revoke this information from their systems.
To remove personal data from the Azure Static Web Apps platform, and prevent the platform from providing this information on future requests, submit a request using the following URL:
To prevent the platform from providing this information on future requests to individual apps, submit a request using the following URL:
If you're using Microsoft Entra ID, use aad as the value for the
For information about general restrictions and limitations, see Quotas.