Note
Starting June 1, 2024, newly created App Service apps can generate a unique default hostname that uses the naming convention <app-name>-<random-hash>.<region>.azurewebsites.net. Existing app names remain unchanged. For example:
myapp-ds27dh7271aah175.westus-01.azurewebsites.net
For more information, see Unique Default Hostname for App Service Resource.
Learn how to enable authentication for your web app running on Azure App Service and limit access to users in your organization.
In this tutorial, you learn how to:
App Service provides built-in authentication and authorization support, so you can sign in users with no code in your web app. Using the optional App Service authentication/authorization module simplifies authentication and authorization for your app. When you're ready for custom authentication and authorization, you build on this architecture.
App Service authentication provides:
When the authentication/authorization module is enabled, every incoming HTTP request passes through it before being handled by your app code. To learn more, see Authentication and authorization in Azure App Service.
If you don't have an Azure subscription, create an Azure free account before you begin.
For this tutorial, you need a web app deployed to App Service. You can use an existing web app, or you can follow one of the quickstarts to create and publish a new web app to App Service:
Whether you use an existing web app or create a new one, take note of the following:
You need these names throughout this tutorial.
Now that you have a web app running on App Service, enable authentication and authorization. You use Microsoft Entra as the identity provider. For more information, see Configure Microsoft Entra authentication for your App Service application.
In the Azure portal menu, select Resource groups, or search for and select Resource groups from any page.
In Resource groups, find and select your resource group. In Overview, select your app's management page.
On your app's left menu, select Authentication, and then select Add identity provider.
In the Add an identity provider page, select Microsoft as the Identity provider to sign in Microsoft and Microsoft Entra identities.
For Tenant type, select Workforce configuration (current tenant) for employees and business guests.
For App registration > App registration type, select Create new app registration to create a new app registration in Microsoft Entra.
Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in.
For Client secret expiration, select Recommended: 180 days.
For App registration > Supported account types, select Current tenant-single tenant so only users in your organization can sign in to the web app.
In the Additional checks section, select:
In the App Service authentication settings section, set:
At the bottom of the Add an identity provider page, select Add to enable authentication for your web app.
You now have an app that's secured by App Service authentication and authorization.
Note
To allow accounts from other tenants, change the 'Issuer URL' to 'https://login.microsoftonline.com/common/v2.0' by editing your 'Identity Provider' from the 'Authentication' blade.
When you enabled the App Service authentication/authorization module in the previous section, an app registration was created in your workforce or external tenant. The app registration has the display name you created in a previous step.
To check the settings, sign in to the Microsoft Entra admin center as at least an Application Developer. If you chose external configuration, use the Settings icon in the top menu to switch to the external tenant with your web app from the Directories + subscriptions menu. When you are in the correct tenant:
Browse to Identity > Applications > App registrations and select Applications > App registrations from the menu.
Select the app registration that was created.
In the overview, verify that Supported account types is set to My organization only.
To verify that access to your app is limited to users in your organization, go to your web app Overview and select the Default domain link. Or, start a browser in incognito or private mode and go to https://<app-name>.azurewebsites.net (see note at top).
You should be directed to a secured sign-in page, verifying that unauthenticated users aren't allowed access to the site.
Sign in as a user in your organization to gain access to the site. You can also start up a new browser and try to sign in by using a personal account to verify that users outside the organization don't have access.
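The verification above can also be scripted. The following added example (not part of the original tutorial or Microsoft's code) classifies the response that a request without a session receives, and flags a sign-in redirect that uses a multi-tenant path such as `common`. The function names, the constructed sample responses, and the assumption that the sign-in redirect targets login.microsoftonline.com under the issuer's tenant path are illustrative.

```python
import http.client
from urllib.parse import urlsplit

LOGIN_HOST = "login.microsoftonline.com"
# Tenant path segments that accept accounts from more than one tenant.
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}

def classify_response(status, location=None):
    """Classify what an unauthenticated request received from the app."""
    if status in (401, 403):
        return "blocked"                      # rejected without a redirect
    if status in (301, 302, 303, 307, 308) and location:
        url = urlsplit(location)
        if url.scheme != "https" or url.hostname != LOGIN_HOST:
            return "unexpected-redirect"      # not the Microsoft sign-in host
        tenant = url.path.strip("/").split("/")[0].lower()
        if not tenant:
            return "unexpected-redirect"
        if tenant in MULTI_TENANT_SEGMENTS:
            return "multi-tenant-redirect"    # other tenants can sign in
        return "single-tenant-redirect"       # tied to one tenant ID
    if 200 <= status < 300:
        return "open"                         # content served without sign-in
    return "unknown"

def probe(hostname, path="/"):
    """Send one GET with no cookies; http.client never follows redirects."""
    conn = http.client.HTTPSConnection(hostname, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_response(resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample responses (placeholders, not captured from a real app).
AUTHORIZE = "https://login.microsoftonline.com/{}/oauth2/v2.0/authorize?client_id=placeholder"
SAMPLES = [
    (302, AUTHORIZE.format("00000000-0000-0000-0000-000000000000")),
    (302, AUTHORIZE.format("common")),
    (401, None),
    (200, None),
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        print(status, classify_response(status, location))
```

To check a deployed app, call `probe()` with the app's default hostname. A result of `open` means the authentication module is not blocking unauthenticated requests.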
If you completed all the steps in this multipart tutorial, you created an App Service, App Service hosting plan, and a storage account in a resource group. You also created an app registration in Microsoft Entra ID. If you chose external configuration, you may have created a new external tenant. When no longer needed, delete these resources and app registration so that you don't continue to accrue charges.
In the Azure portal, select Resource groups from the portal menu and select the resource group that contains your App Service and App Service plan.
Select Delete resource group to delete the resource group and all the resources.
This command might take several minutes to run.
In the Microsoft Entra admin center, select Applications > App registrations. Then select the application you created.
In the app registration overview, select Delete.
If you created a new external tenant, you can delete it. In the Microsoft Entra admin center, browse to Identity > Overview > Manage tenants.
Select the tenant you want to delete, and then select Delete.
You might need to complete required actions before you can delete the tenant. For example, you might need to delete all user flows and app registrations in the tenant.
If you're ready to delete the tenant, select Delete.
In this tutorial, you learned how to: