az webapp auth
Note
This command group has commands that are defined in both Azure CLI and at least one extension. Install each extension to benefit from its extended capabilities. Learn more about extensions.
Manage webapp authentication and authorization. To use v2 auth commands, run "az extension add --name authV2" to add the authV2 CLI extension.
Commands
Name | Description | Type | Status |
---|---|---|---|
az webapp auth apple | Manage webapp authentication and authorization of the Apple identity provider. | Extension | GA |
az webapp auth apple show | Show the authentication settings for the Apple identity provider. | Extension | GA |
az webapp auth apple update | Update the client id and client secret for the Apple identity provider. | Extension | GA |
az webapp auth config-version | Manage the state of the configuration version for the authentication settings for the webapp. Configuration version v1 refers to the /authSettings endpoints whereas v2 refers to the /authSettingsV2 endpoints. | Extension | GA |
az webapp auth config-version revert | Reverts the configuration version of the authentication settings for the webapp from v2 to v1 (classic). | Extension | GA |
az webapp auth config-version show | Show the configuration version of the authentication settings for the webapp. Configuration version v1 refers to the /authSettings endpoints whereas v2 refers to the /authSettingsV2 endpoints. | Extension | GA |
az webapp auth config-version upgrade | Upgrades the configuration version of the authentication settings for the webapp from v1 (classic) to v2. | Extension | GA |
az webapp auth facebook | Manage webapp authentication and authorization of the Facebook identity provider. | Extension | GA |
az webapp auth facebook show | Show the authentication settings for the Facebook identity provider. | Extension | GA |
az webapp auth facebook update | Update the app id and app secret for the Facebook identity provider. | Extension | GA |
az webapp auth github | Manage webapp authentication and authorization of the GitHub identity provider. | Extension | GA |
az webapp auth github show | Show the authentication settings for the GitHub identity provider. | Extension | GA |
az webapp auth github update | Update the client id and client secret for the GitHub identity provider. | Extension | GA |
az webapp auth google | Manage webapp authentication and authorization of the Google identity provider. | Extension | GA |
az webapp auth google show | Show the authentication settings for the Google identity provider. | Extension | GA |
az webapp auth google update | Update the client id and client secret for the Google identity provider. | Extension | GA |
az webapp auth microsoft | Manage webapp authentication and authorization of the Microsoft identity provider. | Extension | GA |
az webapp auth microsoft show | Show the authentication settings for the Azure Active Directory identity provider. | Extension | GA |
az webapp auth microsoft update | Update the client id and client secret for the Azure Active Directory identity provider. | Extension | GA |
az webapp auth openid-connect | Manage webapp authentication and authorization of the custom OpenID Connect identity providers. | Extension | GA |
az webapp auth openid-connect add | Configure a new custom OpenID Connect identity provider. | Extension | GA |
az webapp auth openid-connect remove | Removes an existing custom OpenID Connect identity provider. | Extension | GA |
az webapp auth openid-connect show | Show the authentication settings for the custom OpenID Connect identity provider. | Extension | GA |
az webapp auth openid-connect update | Update the client id and client secret setting name for an existing custom OpenID Connect identity provider. | Extension | GA |
az webapp auth set | Sets the authentication settings for the webapp in the v2 format, overwriting any existing settings. | Extension | GA |
az webapp auth show | Show the authentication settings for the webapp. | Core | GA |
az webapp auth show (authV2 extension) | Show the authentication settings for the webapp in the v2 format. | Extension | GA |
az webapp auth twitter | Manage webapp authentication and authorization of the Twitter identity provider. | Extension | GA |
az webapp auth twitter show | Show the authentication settings for the Twitter identity provider. | Extension | GA |
az webapp auth twitter update | Update the consumer key and consumer secret for the Twitter identity provider. | Extension | GA |
az webapp auth update | Update the authentication settings for the webapp. | Core | GA |
az webapp auth update (authV2 extension) | Update the authentication settings for the webapp in the v2 format. | Extension | GA |
az webapp auth set
Sets the authentication settings for the webapp in the v2 format, overwriting any existing settings.
az webapp auth set [--body]
[--ids]
[--name]
[--resource-group]
[--slot]
[--subscription]
Examples
Set the JSON saved in the file auth.json as the auth settings for the web app, overwriting any existing settings.
az webapp auth set -g myResourceGroup --name MyWebApp --body @auth.json
Optional Parameters
JSON representation of the configuration settings for the Azure App Service Authentication / Authorization V2 feature.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the web app.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the slot. Default to the production slot if not specified.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az webapp auth show
Show the authentication settings for the webapp.
az webapp auth show [--ids]
[--name]
[--resource-group]
[--slot]
[--subscription]
Examples
Show the authentication settings for the webapp. (autogenerated)
az webapp auth show --name MyWebApp --resource-group MyResourceGroup
Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the slot. Default to the production slot if not specified.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az webapp auth show (authV2 extension)
Show the authentication settings for the webapp in the v2 format.
az webapp auth show [--ids]
[--name]
[--resource-group]
[--slot]
[--subscription]
Examples
Show the authentication settings for the webapp. (autogenerated)
az webapp auth show --name MyWebApp --resource-group MyResourceGroup
Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the web app.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the slot. Default to the production slot if not specified.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az webapp auth update
Update the authentication settings for the webapp.
az webapp auth update [--aad-allowed-token-audiences]
[--aad-client-id]
[--aad-client-secret]
[--aad-client-secret-certificate-thumbprint]
[--aad-token-issuer-url]
[--action {AllowAnonymous, LoginWithAzureActiveDirectory, LoginWithFacebook, LoginWithGoogle, LoginWithMicrosoftAccount, LoginWithTwitter}]
[--allowed-external-redirect-urls]
[--enabled {false, true}]
[--facebook-app-id]
[--facebook-app-secret]
[--facebook-oauth-scopes]
[--google-client-id]
[--google-client-secret]
[--google-oauth-scopes]
[--ids]
[--microsoft-account-client-id]
[--microsoft-account-client-secret]
[--microsoft-account-oauth-scopes]
[--name]
[--resource-group]
[--runtime-version]
[--slot]
[--subscription]
[--token-refresh-extension-hours]
[--token-store {false, true}]
[--twitter-consumer-key]
[--twitter-consumer-secret]
Examples
Enable AAD by enabling authentication and setting AAD-associated parameters. Default provider is set to AAD. You must have created an AAD service principal beforehand.
az webapp auth update -g myResourceGroup -n myUniqueApp --enabled true \
--action LoginWithAzureActiveDirectory \
--aad-allowed-token-audiences https://webapp_name.azurewebsites.net/.auth/login/aad/callback \
--aad-client-id ecbacb08-df8b-450d-82b3-3fced03f2b27 --aad-client-secret very_secret_password \
--aad-token-issuer-url https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7983a3e9c5a/
Allow Facebook authentication by setting FB-associated parameters and turning on public-profile and email scopes; allow anonymous users
az webapp auth update -g myResourceGroup -n myUniqueApp --action AllowAnonymous \
--facebook-app-id my_fb_id --facebook-app-secret my_fb_secret \
--facebook-oauth-scopes public_profile email
Optional Parameters
One or more token audiences (comma-delimited).
Application ID to integrate AAD organization account Sign-in into your web app.
AAD application secret.
Alternative to AAD Client Secret, thumbprint of a certificate used for signing purposes.
This url can be found in the JSON output returned from your active directory endpoint using your tenantID. The endpoint can be queried from az cloud show at "endpoints.activeDirectory". The tenantID can be found using az account show. Get the "issuer" from the JSON at //.well-known/openid-configuration.
One or more urls (space-delimited).
Application ID to integrate Facebook Sign-in into your web app.
Facebook Application client secret.
One or more Facebook authentication scopes (comma-delimited).
Application ID to integrate Google Sign-in into your web app.
Google Application client secret.
One or more Google authentication scopes (space-delimited).
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
AAD V2 Application ID to integrate Microsoft account Sign-in into your web app.
AAD V2 Application client secret.
One or more Microsoft authentication scopes (comma-delimited).
Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Runtime version of the Authentication/Authorization feature in use for the current app.
The name of the slot. Default to the production slot if not specified.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Hours, must be formattable into a float.
Use App Service Token Store.
Application ID to integrate Twitter Sign-in into your web app.
Twitter Application client secret.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az webapp auth update (authV2 extension)
Update the authentication settings for the webapp in the v2 format.
az webapp auth update [--action {AllowAnonymous, RedirectToLoginPage, Return401, Return403, Return404}]
[--config-file-path]
[--custom-host-header]
[--custom-proto-header]
[--enable-token-store {false, true}]
[--enabled {false, true}]
[--excluded-paths]
[--ids]
[--name]
[--proxy-convention {Custom, NoProxy, Standard}]
[--redirect-provider]
[--require-https {false, true}]
[--resource-group]
[--runtime-version]
[--set]
[--slot]
[--subscription]
Examples
Update the client ID of the AAD provider already configured
az webapp auth update -g myResourceGroup --name MyWebApp --set identityProviders.azureActiveDirectory.registration.clientId=my-client-id
Pin the runtime version of the app to 1.4.7
az webapp auth update -g myResourceGroup --name MyWebApp --runtime-version 1.4.7
Configure the app with file based authentication by setting the config file path
az webapp auth update -g myResourceGroup --name MyWebApp --config-file-path D:\home\site\wwwroot\auth.json
Configure the app to allow unauthenticated requests to hit the app.
az webapp auth update -g myResourceGroup --name MyWebApp --unauthenticated-client-action AllowAnonymous
Configure the app to redirect unauthenticated requests to the Facebook provider
az webapp auth update -g myResourceGroup --name MyWebApp --redirect-provider Facebook
Configure the app to listen to the forward headers X-FORWARDED-HOST and X-FORWARDED-PROTO
az webapp auth update -g myResourceGroup --name MyWebApp --proxy-convention Standard
Optional Parameters
The action to take when an unauthenticated client attempts to access the app.
The path of the config file containing auth settings if they come from a file.
The name of the header containing the host of the request.
The name of the header containing the scheme of the request.
True to durably store platform-specific security tokens that are obtained during login flows; otherwise, false.
True if the Authentication / Authorization feature is enabled for the current app; otherwise, false.
The list of paths that should be excluded from authentication rules.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the web app.
The convention used to determine the url of the request made.
The default authentication provider to use when multiple providers are configured.
False if the authentication/authorization responses not having the HTTPS scheme are permissible; otherwise, true.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The RuntimeVersion of the Authentication / Authorization feature in use for the current app.
Value of a specific field within the configuration settings for the Azure App Service Authentication / Authorization V2 feature.
The name of the slot. Default to the production slot if not specified.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
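The v2 settings above decide whether unauthenticated requests reach the app, whether HTTPS is required, which paths skip the authentication rules, and whether forwarded headers are honoured. The following is an added example, not part of the Azure CLI documentation, that audits those fields in saved v2 settings; the field paths (assumed to follow the authSettingsV2 schema), the optional "properties" wrapper, the finding names and the sample document are assumptions.

```python
import json

# Constructed sample of v2 auth settings (not taken from a real app).
# Field paths are assumed to follow the authSettingsV2 resource schema.
SAMPLE = json.loads("""
{
  "platform": {"enabled": true},
  "globalValidation": {
    "unauthenticatedClientAction": "AllowAnonymous",
    "excludedPaths": ["/health", "/api/*"]
  },
  "httpSettings": {
    "requireHttps": false,
    "forwardProxy": {"convention": "Standard"}
  }
}
""")

def get(doc, path, default=None):
    """Walk a dotted path, the notation --set uses for v2 fields."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return default
        doc = doc[key]
    return doc

def audit(settings):
    """Return review findings for one app's v2 auth settings."""
    # Assumption: the document may be wrapped in a "properties" object.
    s = settings.get("properties", settings)
    findings = []
    if get(s, "platform.enabled") is not True:
        findings.append("auth-disabled")
    if get(s, "globalValidation.unauthenticatedClientAction") == "AllowAnonymous":
        findings.append("anonymous-allowed")
    if get(s, "httpSettings.requireHttps") is False:
        findings.append("https-not-required")
    # Every excluded path skips the authentication rules, so list each one.
    for path in get(s, "globalValidation.excludedPaths") or []:
        findings.append(f"excluded-path:{path}")
    # Forwarded host/proto headers are only trustworthy behind a proxy that sets them.
    if get(s, "httpSettings.forwardProxy.convention") not in (None, "NoProxy"):
        findings.append("trusts-forwarded-headers")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To audit a real app, save the output of az webapp auth show (authV2 extension) with -o json and pass the parsed document to audit().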