Web Apps - Update Auth Settings V2

Service:

App Service

API Version:

2023-01-01

Description for Updates site's Authentication / Authorization settings for apps via the V2 format

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/authsettingsV2?api-version=2023-01-01

URI Parameters

Name	In	Required	Type	Description
name	path	True	string	Name of web app.
resourceGroupName	path	True	string	Name of the resource group to which the resource belongs. Regex pattern: ^[-\w\._\(\)]+[^\.]$
subscriptionId	path	True	string	Your Azure subscription ID. This is a GUID-formatted string (e.g. 00000000-0000-0000-0000-000000000000).
api-version	query	True	string	API Version

Request Body

Name	Type	Description
kind	string	Kind of resource.
properties.globalValidation	GlobalValidation	The configuration settings that determines the validation flow of users using App Service Authentication/Authorization.
properties.httpSettings	HttpSettings	The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization.
properties.identityProviders	IdentityProviders	The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization.
properties.login	Login	The configuration settings of the login flow of users using App Service Authentication/Authorization.
properties.platform	AuthPlatform	The configuration settings of the platform of App Service Authentication/Authorization.

Responses

Name	Type	Description
200 OK	SiteAuthSettingsV2	OK
Other Status Codes	DefaultErrorResponse	App Service error response.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Update Auth Settings V2

Sample Request

HTTP

PUT https://management.azure.com/subscriptions/34adfa4f-cedf-4dc0-ba29-b6d1a69ab345/resourceGroups/testrg123/providers/Microsoft.Web/sites/sitef6141/config/authsettingsV2?api-version=2023-01-01

{
  "properties": {
    "platform": {
      "enabled": true,
      "runtimeVersion": "~1",
      "configFilePath": "/auth/config.json"
    },
    "globalValidation": {
      "requireAuthentication": true,
      "unauthenticatedClientAction": "Return403",
      "excludedPaths": [
        "/nosecrets/Path"
      ]
    },
    "identityProviders": {
      "google": {
        "enabled": true,
        "registration": {
          "clientId": "42d795a9-8abb-4d06-8534-39528af40f8e.apps.googleusercontent.com",
          "clientSecretSettingName": "ClientSecret"
        },
        "login": {
          "scopes": [
            "admin"
          ]
        },
        "validation": {
          "allowedAudiences": [
            "https://example.com"
          ]
        }
      }
    },
    "login": {
      "routes": {
        "logoutEndpoint": "https://app.com/logout"
      },
      "tokenStore": {
        "enabled": true,
        "tokenRefreshExtensionHours": 96,
        "fileSystem": {
          "directory": "/wwwroot/sites/example"
        }
      },
      "preserveUrlFragmentsForLogins": true,
      "allowedExternalRedirectUrls": [
        "https://someurl.com"
      ],
      "cookieExpiration": {
        "convention": "IdentityProviderDerived",
        "timeToExpiration": "2022:09-01T00:00Z"
      },
      "nonce": {
        "validateNonce": true
      }
    },
    "httpSettings": {
      "requireHttps": true,
      "routes": {
        "apiPrefix": "/authv2/"
      },
      "forwardProxy": {
        "convention": "Standard",
        "customHostHeaderName": "authHeader",
        "customProtoHeaderName": "customProtoHeader"
      }
    }
  }
}

Java

import com.azure.resourcemanager.appservice.fluent.models.SiteAuthSettingsV2Inner;
import com.azure.resourcemanager.appservice.models.AllowedAudiencesValidation;
import com.azure.resourcemanager.appservice.models.AuthPlatform;
import com.azure.resourcemanager.appservice.models.ClientRegistration;
import com.azure.resourcemanager.appservice.models.CookieExpiration;
import com.azure.resourcemanager.appservice.models.CookieExpirationConvention;
import com.azure.resourcemanager.appservice.models.FileSystemTokenStore;
import com.azure.resourcemanager.appservice.models.ForwardProxy;
import com.azure.resourcemanager.appservice.models.ForwardProxyConvention;
import com.azure.resourcemanager.appservice.models.GlobalValidation;
import com.azure.resourcemanager.appservice.models.Google;
import com.azure.resourcemanager.appservice.models.HttpSettings;
import com.azure.resourcemanager.appservice.models.HttpSettingsRoutes;
import com.azure.resourcemanager.appservice.models.IdentityProviders;
import com.azure.resourcemanager.appservice.models.Login;
import com.azure.resourcemanager.appservice.models.LoginRoutes;
import com.azure.resourcemanager.appservice.models.LoginScopes;
import com.azure.resourcemanager.appservice.models.Nonce;
import com.azure.resourcemanager.appservice.models.TokenStore;
import com.azure.resourcemanager.appservice.models.UnauthenticatedClientActionV2;
import java.util.Arrays;

/**
 * Samples for WebApps UpdateAuthSettingsV2.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/web/resource-manager/Microsoft.Web/stable/2023-01-01/examples/UpdateAuthSettingsV2.json
     */
    /**
     * Sample code: Update Auth Settings V2.
     * 
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void updateAuthSettingsV2(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.webApps().manager().serviceClient().getWebApps().updateAuthSettingsV2WithResponse("testrg123",
            "sitef6141",
            new SiteAuthSettingsV2Inner()
                .withPlatform(new AuthPlatform().withEnabled(true).withRuntimeVersion("~1")
                    .withConfigFilePath("/auth/config.json"))
                .withGlobalValidation(new GlobalValidation().withRequireAuthentication(true)
                    .withUnauthenticatedClientAction(UnauthenticatedClientActionV2.RETURN403)
                    .withExcludedPaths(Arrays.asList("/nosecrets/Path")))
                .withIdentityProviders(new IdentityProviders().withGoogle(new Google().withEnabled(true)
                    .withRegistration(new ClientRegistration()
                        .withClientId("42d795a9-8abb-4d06-8534-39528af40f8e.apps.googleusercontent.com")
                        .withClientSecretSettingName("fakeTokenPlaceholder"))
                    .withLogin(new LoginScopes().withScopes(Arrays.asList("admin"))).withValidation(
                        new AllowedAudiencesValidation().withAllowedAudiences(Arrays.asList("https://example.com")))))
                .withLogin(new Login().withRoutes(new LoginRoutes().withLogoutEndpoint("https://app.com/logout"))
                    .withTokenStore(new TokenStore().withEnabled(true).withTokenRefreshExtensionHours(96.0D)
                        .withFileSystem(new FileSystemTokenStore().withDirectory("/wwwroot/sites/example")))
                    .withPreserveUrlFragmentsForLogins(true)
                    .withAllowedExternalRedirectUrls(Arrays.asList("https://someurl.com"))
                    .withCookieExpiration(
                        new CookieExpiration().withConvention(CookieExpirationConvention.IDENTITY_PROVIDER_DERIVED)
                            .withTimeToExpiration("2022:09-01T00:00Z"))
                    .withNonce(new Nonce().withValidateNonce(true)))
                .withHttpSettings(new HttpSettings().withRequireHttps(true)
                    .withRoutes(new HttpSettingsRoutes().withApiPrefix("/authv2/"))
                    .withForwardProxy(new ForwardProxy().withConvention(ForwardProxyConvention.STANDARD)
                        .withCustomHostHeaderName("authHeader").withCustomProtoHeaderName("customProtoHeader"))),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Python

from azure.identity import DefaultAzureCredential
from azure.mgmt.web import WebSiteManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-web
# USAGE
    python update_auth_settings_v2.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = WebSiteManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="34adfa4f-cedf-4dc0-ba29-b6d1a69ab345",
    )

    response = client.web_apps.update_auth_settings_v2(
        resource_group_name="testrg123",
        name="sitef6141",
        site_auth_settings_v2={
            "properties": {
                "globalValidation": {
                    "excludedPaths": ["/nosecrets/Path"],
                    "requireAuthentication": True,
                    "unauthenticatedClientAction": "Return403",
                },
                "httpSettings": {
                    "forwardProxy": {
                        "convention": "Standard",
                        "customHostHeaderName": "authHeader",
                        "customProtoHeaderName": "customProtoHeader",
                    },
                    "requireHttps": True,
                    "routes": {"apiPrefix": "/authv2/"},
                },
                "identityProviders": {
                    "google": {
                        "enabled": True,
                        "login": {"scopes": ["admin"]},
                        "registration": {
                            "clientId": "42d795a9-8abb-4d06-8534-39528af40f8e.apps.googleusercontent.com",
                            "clientSecretSettingName": "ClientSecret",
                        },
                        "validation": {"allowedAudiences": ["https://example.com"]},
                    }
                },
                "login": {
                    "allowedExternalRedirectUrls": ["https://someurl.com"],
                    "cookieExpiration": {
                        "convention": "IdentityProviderDerived",
                        "timeToExpiration": "2022:09-01T00:00Z",
                    },
                    "nonce": {"validateNonce": True},
                    "preserveUrlFragmentsForLogins": True,
                    "routes": {"logoutEndpoint": "https://app.com/logout"},
                    "tokenStore": {
                        "enabled": True,
                        "fileSystem": {"directory": "/wwwroot/sites/example"},
                        "tokenRefreshExtensionHours": 96,
                    },
                },
                "platform": {"configFilePath": "/auth/config.json", "enabled": True, "runtimeVersion": "~1"},
            }
        },
    )
    print(response)


# x-ms-original-file: specification/web/resource-manager/Microsoft.Web/stable/2023-01-01/examples/UpdateAuthSettingsV2.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Go

package armappservice_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appservice/armappservice/v2"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/738ab25fe76324897f273645906d4a0415068a6c/specification/web/resource-manager/Microsoft.Web/stable/2023-01-01/examples/UpdateAuthSettingsV2.json
func ExampleWebAppsClient_UpdateAuthSettingsV2() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armappservice.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewWebAppsClient().UpdateAuthSettingsV2(ctx, "testrg123", "sitef6141", armappservice.SiteAuthSettingsV2{
		Properties: &armappservice.SiteAuthSettingsV2Properties{
			GlobalValidation: &armappservice.GlobalValidation{
				ExcludedPaths: []*string{
					to.Ptr("/nosecrets/Path")},
				RequireAuthentication:       to.Ptr(true),
				UnauthenticatedClientAction: to.Ptr(armappservice.UnauthenticatedClientActionV2Return403),
			},
			HTTPSettings: &armappservice.HTTPSettings{
				ForwardProxy: &armappservice.ForwardProxy{
					Convention:            to.Ptr(armappservice.ForwardProxyConventionStandard),
					CustomHostHeaderName:  to.Ptr("authHeader"),
					CustomProtoHeaderName: to.Ptr("customProtoHeader"),
				},
				RequireHTTPS: to.Ptr(true),
				Routes: &armappservice.HTTPSettingsRoutes{
					APIPrefix: to.Ptr("/authv2/"),
				},
			},
			IdentityProviders: &armappservice.IdentityProviders{
				Google: &armappservice.Google{
					Enabled: to.Ptr(true),
					Login: &armappservice.LoginScopes{
						Scopes: []*string{
							to.Ptr("admin")},
					},
					Registration: &armappservice.ClientRegistration{
						ClientID:                to.Ptr("42d795a9-8abb-4d06-8534-39528af40f8e.apps.googleusercontent.com"),
						ClientSecretSettingName: to.Ptr("ClientSecret"),
					},
					Validation: &armappservice.AllowedAudiencesValidation{
						AllowedAudiences: []*string{
							to.Ptr("https://example.com")},
					},
				},
			},
			Login: &armappservice.Login{
				AllowedExternalRedirectUrls: []*string{
					to.Ptr("https://someurl.com")},
				CookieExpiration: &armappservice.CookieExpiration{
					Convention:       to.Ptr(armappservice.CookieExpirationConventionIdentityProviderDerived),
					TimeToExpiration: to.Ptr("2022:09-01T00:00Z"),
				},
				Nonce: &armappservice.Nonce{
					ValidateNonce: to.Ptr(true),
				},
				PreserveURLFragmentsForLogins: to.Ptr(true),
				Routes: &armappservice.LoginRoutes{
					LogoutEndpoint: to.Ptr("https://app.com/logout"),
				},
				TokenStore: &armappservice.TokenStore{
					Enabled: to.Ptr(true),
					FileSystem: &armappservice.FileSystemTokenStore{
						Directory: to.Ptr("/wwwroot/sites/example"),
					},
					TokenRefreshExtensionHours: to.Ptr[float64](96),
				},
			},
			Platform: &armappservice.AuthPlatform{
				ConfigFilePath: to.Ptr("/auth/config.json"),
				Enabled:        to.Ptr(true),
				RuntimeVersion: to.Ptr("~1"),
			},
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.SiteAuthSettingsV2 = armappservice.SiteAuthSettingsV2{
	// 	Name: to.Ptr("authsettingsv2"),
	// 	Type: to.Ptr("Microsoft.Web/sites/authsettingsv2"),
	// 	ID: to.Ptr("/subscriptions/34adfa4f-cedf-4dc0-ba29-b6d1a69ab345/resourceGroups/testrg123/providers/Microsoft.Web/sites/sitef6141/config/authsettingsv2"),
	// 	Kind: to.Ptr("app"),
	// 	Properties: &armappservice.SiteAuthSettingsV2Properties{
	// 		GlobalValidation: &armappservice.GlobalValidation{
	// 			ExcludedPaths: []*string{
	// 				to.Ptr("/nosecrets/Path")},
	// 				RequireAuthentication: to.Ptr(true),
	// 				UnauthenticatedClientAction: to.Ptr(armappservice.UnauthenticatedClientActionV2Return403),
	// 			},
	// 			HTTPSettings: &armappservice.HTTPSettings{
	// 				ForwardProxy: &armappservice.ForwardProxy{
	// 					Convention: to.Ptr(armappservice.ForwardProxyConventionStandard),
	// 					CustomHostHeaderName: to.Ptr("authHeader"),
	// 					CustomProtoHeaderName: to.Ptr("customProtoHeader"),
	// 				},
	// 				RequireHTTPS: to.Ptr(true),
	// 				Routes: &armappservice.HTTPSettingsRoutes{
	// 					APIPrefix: to.Ptr("/authv2/"),
	// 				},
	// 			},
	// 			IdentityProviders: &armappservice.IdentityProviders{
	// 				Google: &armappservice.Google{
	// 					Enabled: to.Ptr(true),
	// 					Login: &armappservice.LoginScopes{
	// 						Scopes: []*string{
	// 							to.Ptr("admin")},
	// 						},
	// 						Registration: &armappservice.ClientRegistration{
	// 							ClientID: to.Ptr("42d795a9-8abb-4d06-8534-39528af40f8e.apps.googleusercontent.com"),
	// 							ClientSecretSettingName: to.Ptr("ClientSecret"),
	// 						},
	// 						Validation: &armappservice.AllowedAudiencesValidation{
	// 							AllowedAudiences: []*string{
	// 								to.Ptr("https://example.com")},
	// 							},
	// 						},
	// 					},
	// 					Login: &armappservice.Login{
	// 						AllowedExternalRedirectUrls: []*string{
	// 							to.Ptr("https://someurl.com")},
	// 							CookieExpiration: &armappservice.CookieExpiration{
	// 								Convention: to.Ptr(armappservice.CookieExpirationConventionIdentityProviderDerived),
	// 								TimeToExpiration: to.Ptr("2022:09-01T00:00Z"),
	// 							},
	// 							Nonce: &armappservice.Nonce{
	// 								ValidateNonce: to.Ptr(true),
	// 							},
	// 							PreserveURLFragmentsForLogins: to.Ptr(true),
	// 							Routes: &armappservice.LoginRoutes{
	// 								LogoutEndpoint: to.Ptr("https://app.com/logout"),
	// 							},
	// 							TokenStore: &armappservice.TokenStore{
	// 								Enabled: to.Ptr(true),
	// 								FileSystem: &armappservice.FileSystemTokenStore{
	// 									Directory: to.Ptr("/wwwroot/sites/example"),
	// 								},
	// 								TokenRefreshExtensionHours: to.Ptr[float64](96),
	// 							},
	// 						},
	// 						Platform: &armappservice.AuthPlatform{
	// 							ConfigFilePath: to.Ptr("/auth/config.json"),
	// 							Enabled: to.Ptr(true),
	// 							RuntimeVersion: to.Ptr("~1"),
	// 						},
	// 					},
	// 				}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

JavaScript

const { WebSiteManagementClient } = require("@azure/arm-appservice");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Description for Updates site's Authentication / Authorization settings for apps via the V2 format
 *
 * @summary Description for Updates site's Authentication / Authorization settings for apps via the V2 format
 * x-ms-original-file: specification/web/resource-manager/Microsoft.Web/stable/2023-01-01/examples/UpdateAuthSettingsV2.json
 */
async function updateAuthSettingsV2() {
  const subscriptionId =
    process.env["APPSERVICE_SUBSCRIPTION_ID"] || "34adfa4f-cedf-4dc0-ba29-b6d1a69ab345";
  const resourceGroupName = process.env["APPSERVICE_RESOURCE_GROUP"] || "testrg123";
  const name = "sitef6141";
  const siteAuthSettingsV2 = {
    globalValidation: {
      excludedPaths: ["/nosecrets/Path"],
      requireAuthentication: true,
      unauthenticatedClientAction: "Return403",
    },
    httpSettings: {
      forwardProxy: {
        convention: "Standard",
        customHostHeaderName: "authHeader",
        customProtoHeaderName: "customProtoHeader",
      },
      requireHttps: true,
      routes: { apiPrefix: "/authv2/" },
    },
    identityProviders: {
      google: {
        enabled: true,
        login: { scopes: ["admin"] },
        registration: {
          clientId: "42d795a9-8abb-4d06-8534-39528af40f8e.apps.googleusercontent.com",
          clientSecretSettingName: "ClientSecret",
        },
        validation: { allowedAudiences: ["https://example.com"] },
      },
    },
    login: {
      allowedExternalRedirectUrls: ["https://someurl.com"],
      cookieExpiration: {
        convention: "IdentityProviderDerived",
        timeToExpiration: "2022:09-01T00:00Z",
      },
      nonce: { validateNonce: true },
      preserveUrlFragmentsForLogins: true,
      routes: { logoutEndpoint: "https://app.com/logout" },
      tokenStore: {
        enabled: true,
        fileSystem: { directory: "/wwwroot/sites/example" },
        tokenRefreshExtensionHours: 96,
      },
    },
    platform: {
      configFilePath: "/auth/config.json",
      enabled: true,
      runtimeVersion: "~1",
    },
  };
  const credential = new DefaultAzureCredential();
  const client = new WebSiteManagementClient(credential, subscriptionId);
  const result = await client.webApps.updateAuthSettingsV2(
    resourceGroupName,
    name,
    siteAuthSettingsV2
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:

200

{
  "id": "/subscriptions/34adfa4f-cedf-4dc0-ba29-b6d1a69ab345/resourceGroups/testrg123/providers/Microsoft.Web/sites/sitef6141/config/authsettingsv2",
  "name": "authsettingsv2",
  "type": "Microsoft.Web/sites/authsettingsv2",
  "kind": "app",
  "properties": {
    "platform": {
      "enabled": true,
      "runtimeVersion": "~1",
      "configFilePath": "/auth/config.json"
    },
    "globalValidation": {
      "requireAuthentication": true,
      "unauthenticatedClientAction": "Return403",
      "excludedPaths": [
        "/nosecrets/Path"
      ]
    },
    "identityProviders": {
      "google": {
        "enabled": true,
        "registration": {
          "clientId": "42d795a9-8abb-4d06-8534-39528af40f8e.apps.googleusercontent.com",
          "clientSecretSettingName": "ClientSecret"
        },
        "login": {
          "scopes": [
            "admin"
          ]
        },
        "validation": {
          "allowedAudiences": [
            "https://example.com"
          ]
        }
      }
    },
    "login": {
      "routes": {
        "logoutEndpoint": "https://app.com/logout"
      },
      "tokenStore": {
        "enabled": true,
        "tokenRefreshExtensionHours": 96,
        "fileSystem": {
          "directory": "/wwwroot/sites/example"
        }
      },
      "preserveUrlFragmentsForLogins": true,
      "allowedExternalRedirectUrls": [
        "https://someurl.com"
      ],
      "cookieExpiration": {
        "convention": "IdentityProviderDerived",
        "timeToExpiration": "2022:09-01T00:00Z"
      },
      "nonce": {
        "validateNonce": true
      }
    },
    "httpSettings": {
      "requireHttps": true,
      "routes": {
        "apiPrefix": "/authv2/"
      },
      "forwardProxy": {
        "convention": "Standard",
        "customHostHeaderName": "authHeader",
        "customProtoHeaderName": "customProtoHeader"
      }
    }
  }
}

Definitions

Name	Description
AllowedAudiencesValidation	The configuration settings of the Allowed Audiences validation flow.
AllowedPrincipals	The configuration settings of the Azure Active Directory allowed principals.
Apple	The configuration settings of the Apple provider.
AppleRegistration	The configuration settings of the registration for the Apple provider
AppRegistration	The configuration settings of the app registration for providers that have app ids and app secrets
AuthPlatform	The configuration settings of the platform of App Service Authentication/Authorization.
AzureActiveDirectory	The configuration settings of the Azure Active directory provider.
AzureActiveDirectoryLogin	The configuration settings of the Azure Active Directory login flow.
AzureActiveDirectoryRegistration	The configuration settings of the Azure Active Directory app registration.
AzureActiveDirectoryValidation	The configuration settings of the Azure Active Directory token validation flow.
AzureStaticWebApps	The configuration settings of the Azure Static Web Apps provider.
AzureStaticWebAppsRegistration	The configuration settings of the registration for the Azure Static Web Apps provider
BlobStorageTokenStore	The configuration settings of the storage of the tokens if blob storage is used.
ClientCredentialMethod	The method that should be used to authenticate the user.
ClientRegistration	The configuration settings of the app registration for providers that have client ids and client secrets
CookieExpiration	The configuration settings of the session cookie's expiration.
CookieExpirationConvention	The convention used when determining the session cookie's expiration.
CustomOpenIdConnectProvider	The configuration settings of the custom Open ID Connect provider.
DefaultAuthorizationPolicy	The configuration settings of the Azure Active Directory default authorization policy.
DefaultErrorResponse	App Service error response.
Details
Error	Error model.
Facebook	The configuration settings of the Facebook provider.
FileSystemTokenStore	The configuration settings of the storage of the tokens if a file system is used.
ForwardProxy	The configuration settings of a forward proxy used to make the requests.
ForwardProxyConvention	The convention used to determine the url of the request made.
GitHub	The configuration settings of the GitHub provider.
GlobalValidation	The configuration settings that determines the validation flow of users using App Service Authentication/Authorization.
Google	The configuration settings of the Google provider.
HttpSettings	The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization.
HttpSettingsRoutes	The configuration settings of the paths HTTP requests.
IdentityProviders	The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization.
JwtClaimChecks	The configuration settings of the checks that should be made while validating the JWT Claims.
LegacyMicrosoftAccount	The configuration settings of the legacy Microsoft Account provider.
Login	The configuration settings of the login flow of users using App Service Authentication/Authorization.
LoginRoutes	The routes that specify the endpoints used for login and logout requests.
LoginScopes	The configuration settings of the login flow, including the scopes that should be requested.
Nonce	The configuration settings of the nonce used in the login flow.
OpenIdConnectClientCredential	The authentication client credentials of the custom Open ID Connect provider.
OpenIdConnectConfig	The configuration settings of the endpoints used for the custom Open ID Connect provider.
OpenIdConnectLogin	The configuration settings of the login flow of the custom Open ID Connect provider.
OpenIdConnectRegistration	The configuration settings of the app registration for the custom Open ID Connect provider.
SiteAuthSettingsV2	Configuration settings for the Azure App Service Authentication / Authorization V2 feature.
TokenStore	The configuration settings of the token store.
Twitter	The configuration settings of the Twitter provider.
TwitterRegistration	The configuration settings of the app registration for the Twitter provider.
UnauthenticatedClientActionV2	The action to take when an unauthenticated client attempts to access the app.

AllowedAudiencesValidation

The configuration settings of the Allowed Audiences validation flow.

Name	Type	Description
allowedAudiences	string[]	The configuration settings of the allowed list of audiences from which to validate the JWT token.

AllowedPrincipals

The configuration settings of the Azure Active Directory allowed principals.

Name	Type	Description
groups	string[]	The list of the allowed groups.
identities	string[]	The list of the allowed identities.

Apple

The configuration settings of the Apple provider.

Name	Type	Description
enabled	boolean	false if the Apple provider should not be enabled despite the set registration; otherwise, true.
login	LoginScopes	The configuration settings of the login flow.
registration	AppleRegistration	The configuration settings of the Apple registration.

AppleRegistration

The configuration settings of the registration for the Apple provider

Name	Type	Description
clientId	string	The Client ID of the app used for login.
clientSecretSettingName	string	The app setting name that contains the client secret.

AppRegistration

The configuration settings of the app registration for providers that have app ids and app secrets

Name	Type	Description
appId	string	The App ID of the app used for login.
appSecretSettingName	string	The app setting name that contains the app secret.

AuthPlatform

The configuration settings of the platform of App Service Authentication/Authorization.

Name	Type	Description
configFilePath	string	The path of the config file containing auth settings if they come from a file. If the path is relative, base will the site's root directory.
enabled	boolean	true if the Authentication / Authorization feature is enabled for the current app; otherwise, false.
runtimeVersion	string	The RuntimeVersion of the Authentication / Authorization feature in use for the current app. The setting in this value can control the behavior of certain features in the Authentication / Authorization module.

AzureActiveDirectory

The configuration settings of the Azure Active directory provider.

Name	Type	Description
enabled	boolean	false if the Azure Active Directory provider should not be enabled despite the set registration; otherwise, true.
isAutoProvisioned	boolean	Gets a value indicating whether the Azure AD configuration was auto-provisioned using 1st party tooling. This is an internal flag primarily intended to support the Azure Management Portal. Users should not read or write to this property.
login	AzureActiveDirectoryLogin	The configuration settings of the Azure Active Directory login flow.
registration	AzureActiveDirectoryRegistration	The configuration settings of the Azure Active Directory app registration.
validation	AzureActiveDirectoryValidation	The configuration settings of the Azure Active Directory token validation flow.

AzureActiveDirectoryLogin

The configuration settings of the Azure Active Directory login flow.

Name	Type	Description
disableWWWAuthenticate	boolean	true if the www-authenticate provider should be omitted from the request; otherwise, false.
loginParameters	string[]	Login parameters to send to the OpenID Connect authorization endpoint when a user logs in. Each parameter must be in the form "key=value".

AzureActiveDirectoryRegistration

The configuration settings of the Azure Active Directory app registration.

Name	Type	Description
clientId	string	The Client ID of this relying party application, known as the client_id. This setting is required for enabling OpenID Connection authentication with Azure Active Directory or other 3rd party OpenID Connect providers. More information on OpenID Connect: http://openid.net/specs/openid-connect-core-1_0.html
clientSecretCertificateIssuer	string	An alternative to the client secret thumbprint, that is the issuer of a certificate used for signing purposes. This property acts as a replacement for the Client Secret Certificate Thumbprint. It is also optional.
clientSecretCertificateSubjectAlternativeName	string	An alternative to the client secret thumbprint, that is the subject alternative name of a certificate used for signing purposes. This property acts as a replacement for the Client Secret Certificate Thumbprint. It is also optional.
clientSecretCertificateThumbprint	string	An alternative to the client secret, that is the thumbprint of a certificate used for signing purposes. This property acts as a replacement for the Client Secret. It is also optional.
clientSecretSettingName	string	The app setting name that contains the client secret of the relying party application.
openIdIssuer	string	The OpenID Connect Issuer URI that represents the entity which issues access tokens for this application. When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://login.microsoftonline.com/v2.0/{tenant-guid}/. This URI is a case-sensitive identifier for the token issuer. More information on OpenID Connect Discovery: http://openid.net/specs/openid-connect-discovery-1_0.html

AzureActiveDirectoryValidation

The configuration settings of the Azure Active Directory token validation flow.

Name	Type	Description
allowedAudiences	string[]	The list of audiences that can make successful authentication/authorization requests.
defaultAuthorizationPolicy	DefaultAuthorizationPolicy	The configuration settings of the default authorization policy.
jwtClaimChecks	JwtClaimChecks	The configuration settings of the checks that should be made while validating the JWT Claims.

AzureStaticWebApps

The configuration settings of the Azure Static Web Apps provider.

Name	Type	Description
enabled	boolean	false if the Azure Static Web Apps provider should not be enabled despite the set registration; otherwise, true.
registration	AzureStaticWebAppsRegistration	The configuration settings of the Azure Static Web Apps registration.

AzureStaticWebAppsRegistration

The configuration settings of the registration for the Azure Static Web Apps provider

Name	Type	Description
clientId	string	The Client ID of the app used for login.

BlobStorageTokenStore

The configuration settings of the storage of the tokens if blob storage is used.

Name	Type	Description
sasUrlSettingName	string	The name of the app setting containing the SAS URL of the blob storage containing the tokens.

ClientCredentialMethod

The method that should be used to authenticate the user.

Name	Type	Description
ClientSecretPost	string

ClientRegistration

The configuration settings of the app registration for providers that have client ids and client secrets

Name	Type	Description
clientId	string	The Client ID of the app used for login.
clientSecretSettingName	string	The app setting name that contains the client secret.

CookieExpiration

The configuration settings of the session cookie's expiration.

Name	Type	Description
convention	CookieExpirationConvention	The convention used when determining the session cookie's expiration.
timeToExpiration	string	The time after the request is made when the session cookie should expire.

CookieExpirationConvention

The convention used when determining the session cookie's expiration.

Name	Type	Description
FixedTime	string
IdentityProviderDerived	string

CustomOpenIdConnectProvider

The configuration settings of the custom Open ID Connect provider.

Name	Type	Description
enabled	boolean	false if the custom Open ID provider provider should not be enabled; otherwise, true.
login	OpenIdConnectLogin	The configuration settings of the login flow of the custom Open ID Connect provider.
registration	OpenIdConnectRegistration	The configuration settings of the app registration for the custom Open ID Connect provider.

DefaultAuthorizationPolicy

The configuration settings of the Azure Active Directory default authorization policy.

Name	Type	Description
allowedApplications	string[]	The configuration settings of the Azure Active Directory allowed applications.
allowedPrincipals	AllowedPrincipals	The configuration settings of the Azure Active Directory allowed principals.

DefaultErrorResponse

App Service error response.

Name	Type	Description
error	Error	Error model.

Details

Name	Type	Description
code	string	Standardized string to programmatically identify the error.
message	string	Detailed error description and debugging information.
target	string	Detailed error description and debugging information.

Error

Error model.

Name	Type	Description
code	string	Standardized string to programmatically identify the error.
details	Details[]	Detailed errors.
innererror	string	More information to debug error.
message	string	Detailed error description and debugging information.
target	string	Detailed error description and debugging information.

Facebook

The configuration settings of the Facebook provider.

Name	Type	Description
enabled	boolean	false if the Facebook provider should not be enabled despite the set registration; otherwise, true.
graphApiVersion	string	The version of the Facebook api to be used while logging in.
login	LoginScopes	The configuration settings of the login flow.
registration	AppRegistration	The configuration settings of the app registration for the Facebook provider.

FileSystemTokenStore

The configuration settings of the storage of the tokens if a file system is used.

Name	Type	Description
directory	string	The directory in which the tokens will be stored.

ForwardProxy

The configuration settings of a forward proxy used to make the requests.

Name	Type	Description
convention	ForwardProxyConvention	The convention used to determine the url of the request made.
customHostHeaderName	string	The name of the header containing the host of the request.
customProtoHeaderName	string	The name of the header containing the scheme of the request.

ForwardProxyConvention

The convention used to determine the url of the request made.

Name	Type	Description
Custom	string
NoProxy	string
Standard	string

GitHub

The configuration settings of the GitHub provider.

Name	Type	Description
enabled	boolean	false if the GitHub provider should not be enabled despite the set registration; otherwise, true.
login	LoginScopes	The configuration settings of the login flow.
registration	ClientRegistration	The configuration settings of the app registration for the GitHub provider.

GlobalValidation

The configuration settings that determines the validation flow of users using App Service Authentication/Authorization.

Name	Type	Description
excludedPaths	string[]	The paths for which unauthenticated flow would not be redirected to the login page.
redirectToProvider	string	The default authentication provider to use when multiple providers are configured. This setting is only needed if multiple providers are configured and the unauthenticated client action is set to "RedirectToLoginPage".
requireAuthentication	boolean	true if the authentication flow is required any request is made; otherwise, false.
unauthenticatedClientAction	UnauthenticatedClientActionV2	The action to take when an unauthenticated client attempts to access the app.

Google

The configuration settings of the Google provider.

Name	Type	Description
enabled	boolean	false if the Google provider should not be enabled despite the set registration; otherwise, true.
login	LoginScopes	The configuration settings of the login flow.
registration	ClientRegistration	The configuration settings of the app registration for the Google provider.
validation	AllowedAudiencesValidation	The configuration settings of the Azure Active Directory token validation flow.

HttpSettings

The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization.

Name	Type	Description
forwardProxy	ForwardProxy	The configuration settings of a forward proxy used to make the requests.
requireHttps	boolean	false if the authentication/authorization responses not having the HTTPS scheme are permissible; otherwise, true.
routes	HttpSettingsRoutes	The configuration settings of the paths HTTP requests.

HttpSettingsRoutes

The configuration settings of the paths HTTP requests.

Name	Type	Description
apiPrefix	string	The prefix that should precede all the authentication/authorization paths.

IdentityProviders

The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization.

Name	Type	Description
apple	Apple	The configuration settings of the Apple provider.
azureActiveDirectory	AzureActiveDirectory	The configuration settings of the Azure Active directory provider.
azureStaticWebApps	AzureStaticWebApps	The configuration settings of the Azure Static Web Apps provider.
customOpenIdConnectProviders	<string,  CustomOpenIdConnectProvider>	The map of the name of the alias of each custom Open ID Connect provider to the configuration settings of the custom Open ID Connect provider.
facebook	Facebook	The configuration settings of the Facebook provider.
gitHub	GitHub	The configuration settings of the GitHub provider.
google	Google	The configuration settings of the Google provider.
legacyMicrosoftAccount	LegacyMicrosoftAccount	The configuration settings of the legacy Microsoft Account provider.
twitter	Twitter	The configuration settings of the Twitter provider.

JwtClaimChecks

The configuration settings of the checks that should be made while validating the JWT Claims.

Name	Type	Description
allowedClientApplications	string[]	The list of the allowed client applications.
allowedGroups	string[]	The list of the allowed groups.

LegacyMicrosoftAccount

The configuration settings of the legacy Microsoft Account provider.

Name	Type	Description
enabled	boolean	false if the legacy Microsoft Account provider should not be enabled despite the set registration; otherwise, true.
login	LoginScopes	The configuration settings of the login flow.
registration	ClientRegistration	The configuration settings of the app registration for the legacy Microsoft Account provider.
validation	AllowedAudiencesValidation	The configuration settings of the legacy Microsoft Account provider token validation flow.

Login

The configuration settings of the login flow of users using App Service Authentication/Authorization.

Name	Type	Description
allowedExternalRedirectUrls	string[]	External URLs that can be redirected to as part of logging in or logging out of the app. Note that the query string part of the URL is ignored. This is an advanced setting typically only needed by Windows Store application backends. Note that URLs within the current domain are always implicitly allowed.
cookieExpiration	CookieExpiration	The configuration settings of the session cookie's expiration.
nonce	Nonce	The configuration settings of the nonce used in the login flow.
preserveUrlFragmentsForLogins	boolean	true if the fragments from the request are preserved after the login request is made; otherwise, false.
routes	LoginRoutes	The routes that specify the endpoints used for login and logout requests.
tokenStore	TokenStore	The configuration settings of the token store.

LoginRoutes

The routes that specify the endpoints used for login and logout requests.

Name	Type	Description
logoutEndpoint	string	The endpoint at which a logout request should be made.

LoginScopes

The configuration settings of the login flow, including the scopes that should be requested.

Name	Type	Description
scopes	string[]	A list of the scopes that should be requested while authenticating.

Nonce

The configuration settings of the nonce used in the login flow.

Name	Type	Description
nonceExpirationInterval	string	The time after the request is made when the nonce should expire.
validateNonce	boolean	false if the nonce should not be validated while completing the login flow; otherwise, true.

OpenIdConnectClientCredential

The authentication client credentials of the custom Open ID Connect provider.

Name	Type	Description
clientSecretSettingName	string	The app setting that contains the client secret for the custom Open ID Connect provider.
method	ClientCredentialMethod	The method that should be used to authenticate the user.

OpenIdConnectConfig

The configuration settings of the endpoints used for the custom Open ID Connect provider.

Name	Type	Description
authorizationEndpoint	string	The endpoint to be used to make an authorization request.
certificationUri	string	The endpoint that provides the keys necessary to validate the token.
issuer	string	The endpoint that issues the token.
tokenEndpoint	string	The endpoint to be used to request a token.
wellKnownOpenIdConfiguration	string	The endpoint that contains all the configuration endpoints for the provider.

OpenIdConnectLogin

The configuration settings of the login flow of the custom Open ID Connect provider.

Name	Type	Description
nameClaimType	string	The name of the claim that contains the users name.
scopes	string[]	A list of the scopes that should be requested while authenticating.

OpenIdConnectRegistration

The configuration settings of the app registration for the custom Open ID Connect provider.

Name	Type	Description
clientCredential	OpenIdConnectClientCredential	The authentication credentials of the custom Open ID Connect provider.
clientId	string	The client id of the custom Open ID Connect provider.
openIdConnectConfiguration	OpenIdConnectConfig	The configuration settings of the endpoints used for the custom Open ID Connect provider.

SiteAuthSettingsV2

Configuration settings for the Azure App Service Authentication / Authorization V2 feature.

Name	Type	Description
id	string	Resource Id.
kind	string	Kind of resource.
name	string	Resource Name.
properties.globalValidation	GlobalValidation	The configuration settings that determines the validation flow of users using App Service Authentication/Authorization.
properties.httpSettings	HttpSettings	The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization.
properties.identityProviders	IdentityProviders	The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization.
properties.login	Login	The configuration settings of the login flow of users using App Service Authentication/Authorization.
properties.platform	AuthPlatform	The configuration settings of the platform of App Service Authentication/Authorization.
type	string	Resource type.

TokenStore

The configuration settings of the token store.

Name	Type	Description
azureBlobStorage	BlobStorageTokenStore	The configuration settings of the storage of the tokens if blob storage is used.
enabled	boolean	true to durably store platform-specific security tokens that are obtained during login flows; otherwise, false. The default is false.
fileSystem	FileSystemTokenStore	The configuration settings of the storage of the tokens if a file system is used.
tokenRefreshExtensionHours	number	The number of hours after session token expiration that a session token can be used to call the token refresh API. The default is 72 hours.

Twitter

The configuration settings of the Twitter provider.

Name	Type	Description
enabled	boolean	false if the Twitter provider should not be enabled despite the set registration; otherwise, true.
registration	TwitterRegistration	The configuration settings of the app registration for the Twitter provider.

TwitterRegistration

The configuration settings of the app registration for the Twitter provider.

Name	Type	Description
consumerKey	string	The OAuth 1.0a consumer key of the Twitter application used for sign-in. This setting is required for enabling Twitter Sign-In. Twitter Sign-In documentation: https://dev.twitter.com/web/sign-in
consumerSecretSettingName	string	The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in.

UnauthenticatedClientActionV2

The action to take when an unauthenticated client attempts to access the app.

Name	Type	Description
AllowAnonymous	string
RedirectToLoginPage	string
Return401	string
Return403	string