
App Service Authentication and Networking

Enable built-in authentication providers (Entra ID, Google, GitHub) for your web app, and restrict inbound traffic using VNet Integration and access restrictions.

Built-In Authentication in App Service

Azure App Service provides a built-in authentication and authorisation module (sometimes called EasyAuth) that handles sign-in flows, token validation, and session management without any code changes to your application. You can enable it directly in the Azure portal and choose from multiple identity providers. This is ideal for quickly adding authentication to an API or internal tool without implementing OAuth flows yourself.

Supported Identity Providers

App Service authentication supports several identity providers out of the box: Microsoft Entra ID (for enterprise/corporate logins), Google, Facebook, Twitter/X, GitHub, and any OpenID Connect compatible provider. You register your app with the chosen provider to obtain a client ID and secret, then configure these in App Service. Multiple providers can be enabled simultaneously, letting users choose how to sign in.

# Enable Microsoft Entra ID authentication via CLI
az webapp auth microsoft update \
  --name MyUniqueWebApp \
  --resource-group MyRG \
  --client-id '<Entra-App-Client-ID>' \
  --client-secret '<Client-Secret>' \
  --issuer 'https://sts.windows.net/<TenantId>/'

# Set action when unauthenticated (redirect or 401)
az webapp auth update \
  --name MyUniqueWebApp \
  --resource-group MyRG \
  --unauthenticated-client-action RedirectToLoginPage
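
A review check for the settings configured above, as an added example that is not part of the original lesson. It assumes the auth configuration has been exported as JSON in the authsettingsV2 shape (`platform`, `globalValidation`, `identityProviders`); the sample documents and the function name are constructed for illustration.

```python
import json

SOCIAL = {"google", "facebook", "twitter", "gitHub"}        # any account holder can sign in
MULTI_TENANT = ("/common", "/organizations", "/consumers")  # issuer not pinned to one tenant

def audit_auth_settings(settings):
    """Return review findings for one app's auth settings (authsettingsV2 shape assumed)."""
    cfg = settings.get("properties", settings)  # tolerate an ARM-style wrapper
    if not cfg.get("platform", {}).get("enabled", False):
        return ["auth module is disabled; requests reach the app unauthenticated"]
    findings = []
    # An unset action is treated as pass-through here (assumption made for this example).
    action = cfg.get("globalValidation", {}).get("unauthenticatedClientAction", "AllowAnonymous")
    if action == "AllowAnonymous":
        findings.append("unauthenticated requests are passed to the app; it must enforce access itself")
    for name, prov in cfg.get("identityProviders", {}).items():
        if not isinstance(prov, dict) or prov.get("enabled") is False:
            continue
        if name == "azureActiveDirectory":
            issuer = prov.get("registration", {}).get("openIdIssuer", "")
            if any(seg in issuer for seg in MULTI_TENANT):
                findings.append("Entra ID issuer is not tenant-specific: " + issuer)
        elif name in SOCIAL:
            findings.append(name + " is enabled: sign-in proves identity only, add authorization in the app")
    return findings

# Constructed sample documents (not real output from any app).
SAMPLE_WEAK = json.loads("""
{"platform": {"enabled": true},
 "globalValidation": {"unauthenticatedClientAction": "AllowAnonymous"},
 "identityProviders": {
   "azureActiveDirectory": {"enabled": true, "registration": {
     "openIdIssuer": "https://login.microsoftonline.com/common/v2.0"}},
   "gitHub": {"enabled": true}}}
""")
SAMPLE_PINNED = json.loads("""
{"platform": {"enabled": true},
 "globalValidation": {"unauthenticatedClientAction": "RedirectToLoginPage"},
 "identityProviders": {
   "azureActiveDirectory": {"enabled": true, "registration": {
     "openIdIssuer": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/"}}}}
""")

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("pinned", SAMPLE_PINNED)):
        print(label, audit_auth_settings(sample) or "no findings")
```
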
