az webapp auth

Manage webapp authentication and authorization. To use v2 auth commands, run "az extension add --name authV2" to add the authV2 CLI extension.

Commands

az webapp auth apple

Manage webapp authentication and authorization of the Apple identity provider.

az webapp auth apple show

Show the authentication settings for the Apple identity provider.

az webapp auth apple update

Update the client id and client secret for the Apple identity provider.

az webapp auth config-version

Manage the state of the configuration version for the authentication settings for the webapp. Configuration version v1 refers to the /authSettings endpoints whereas v2 refers to the /authSettingsV2 endpoints.

az webapp auth config-version revert

Reverts the configuration version of the authentication settings for the webapp from v2 to v1 (classic).

az webapp auth config-version show

Show the configuration version of the authentication settings for the webapp. Configuration version v1 refers to the /authSettings endpoints whereas v2 refers to the /authSettingsV2 endpoints.

az webapp auth config-version upgrade

Upgrades the configuration version of the authentication settings for the webapp from v1 (classic) to v2.

az webapp auth facebook

Manage webapp authentication and authorization of the Facebook identity provider.

az webapp auth facebook show

Show the authentication settings for the Facebook identity provider.

az webapp auth facebook update

Update the app id and app secret for the Facebook identity provider.

az webapp auth github

Manage webapp authentication and authorization of the GitHub identity provider.

az webapp auth github show

Show the authentication settings for the GitHub identity provider.

az webapp auth github update

Update the client id and client secret for the GitHub identity provider.

az webapp auth google

Manage webapp authentication and authorization of the Google identity provider.

az webapp auth google show

Show the authentication settings for the Google identity provider.

az webapp auth google update

Update the client id and client secret for the Google identity provider.

az webapp auth microsoft

Manage webapp authentication and authorization of the Microsoft identity provider.

az webapp auth microsoft show

Show the authentication settings for the Azure Active Directory identity provider.

az webapp auth microsoft update

Update the client id and client secret for the Azure Active Directory identity provider.

az webapp auth openid-connect

Manage webapp authentication and authorization of the custom OpenID Connect identity providers.

az webapp auth openid-connect add

Configure a new custom OpenID Connect identity provider.

az webapp auth openid-connect remove

Removes an existing custom OpenID Connect identity provider.

az webapp auth openid-connect show

Show the authentication settings for the custom OpenID Connect identity provider.

az webapp auth openid-connect update

Update the client id and client secret setting name for an existing custom OpenID Connect identity provider.

az webapp auth set

Sets the authentication settings for the webapp in the v2 format, overwriting any existing settings.

az webapp auth show

Show the authentication settings for the webapp.

az webapp auth twitter

Manage webapp authentication and authorization of the Twitter identity provider.

az webapp auth twitter show

Show the authentication settings for the Twitter identity provider.

az webapp auth twitter update

Update the consumer key and consumer secret for the Twitter identity provider.

az webapp auth update

Update the authentication settings for the webapp.

az webapp auth set

Sets the authentication settings for the webapp in the v2 format, overwriting any existing settings.

az webapp auth set [--body]
                   [--ids]
                   [--name]
                   [--resource-group]
                   [--slot]
                   [--subscription]

Examples

Set the JSON saved in the file auth.json as the auth settings for the web app, overwriting any existing settings.

az webapp auth set -g myResourceGroup --name MyWebApp --body @auth.json
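Because az webapp auth set overwrites the existing settings, it helps to review auth.json before applying it. The following pre-flight check is an added example, not part of the Azure CLI or its documentation; the field names (platform, globalValidation, httpSettings, login, identityProviders) come from the authSettingsV2 schema rather than from this page, and the sample body is constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample body. "clientSecret" is a deliberate mistake: a literal
# secret pasted into the body instead of a reference to an app setting name.
SAMPLE_BODY = json.loads("""
{
  "platform": {"enabled": true},
  "globalValidation": {"requireAuthentication": false,
                       "unauthenticatedClientAction": "AllowAnonymous"},
  "httpSettings": {"requireHttps": true},
  "identityProviders": {"azureActiveDirectory": {"enabled": true,
    "registration": {"clientId": "<client-id>", "clientSecret": "pasted-value"}}},
  "login": {"allowedExternalRedirectUrls": ["http://partner.example/cb"]}
}
""")

def inline_secrets(node, path=""):
    """Yield dotted paths of keys ending in 'secret' that hold a literal string."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower().endswith("secret") and isinstance(value, str) and value:
                yield here
            else:
                yield from inline_secrets(value, here)

def audit_auth_body(body):
    """Return a list of findings for a v2 auth settings body."""
    cfg = body.get("properties", body)  # accept ARM-wrapped or bare form
    findings = []
    if cfg.get("platform", {}).get("enabled") is not True:
        findings.append("platform.enabled is not true: auth module is off")
    gv = cfg.get("globalValidation", {})
    if (gv.get("requireAuthentication") is not True
            or gv.get("unauthenticatedClientAction") == "AllowAnonymous"):
        findings.append("anonymous requests reach the app; app code must authorize")
    if cfg.get("httpSettings", {}).get("requireHttps") is False:
        findings.append("httpSettings.requireHttps is false")
    for url in cfg.get("login", {}).get("allowedExternalRedirectUrls") or []:
        if urlparse(url).scheme != "https" or "*" in url:
            findings.append(f"weak external redirect URL: {url}")
    findings += [f"inline secret at {p}" for p in inline_secrets(cfg)]
    return findings

if __name__ == "__main__":
    for finding in audit_auth_body(SAMPLE_BODY):
        print("FINDING:", finding)
```

To check a real file, load it with json.load and pass the result to audit_auth_body before running the set command.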

Optional Parameters

--body -b

JSON representation of the configuration settings for the Azure App Service Authentication / Authorization V2 feature.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the web app.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az webapp auth show

Show the authentication settings for the webapp.

az webapp auth show [--ids]
                    [--name]
                    [--resource-group]
                    [--slot]
                    [--subscription]

Examples

Show the authentication settings for the webapp. (autogenerated)

az webapp auth show --name MyWebApp --resource-group MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az webapp auth update

Update the authentication settings for the webapp.

az webapp auth update [--aad-allowed-token-audiences]
                      [--aad-client-id]
                      [--aad-client-secret]
                      [--aad-client-secret-certificate-thumbprint]
                      [--aad-token-issuer-url]
                      [--action {AllowAnonymous, LoginWithAzureActiveDirectory, LoginWithFacebook, LoginWithGoogle, LoginWithMicrosoftAccount, LoginWithTwitter}]
                      [--allowed-external-redirect-urls]
                      [--enabled {false, true}]
                      [--facebook-app-id]
                      [--facebook-app-secret]
                      [--facebook-oauth-scopes]
                      [--google-client-id]
                      [--google-client-secret]
                      [--google-oauth-scopes]
                      [--ids]
                      [--microsoft-account-client-id]
                      [--microsoft-account-client-secret]
                      [--microsoft-account-oauth-scopes]
                      [--name]
                      [--resource-group]
                      [--runtime-version]
                      [--slot]
                      [--subscription]
                      [--token-refresh-extension-hours]
                      [--token-store {false, true}]
                      [--twitter-consumer-key]
                      [--twitter-consumer-secret]

Examples

Enable AAD by enabling authentication and setting AAD-associated parameters. Default provider is set to AAD. Must have created an AAD service principal beforehand.

az webapp auth update -g myResourceGroup -n myUniqueApp --enabled true \
  --action LoginWithAzureActiveDirectory \
  --aad-allowed-token-audiences https://webapp_name.azurewebsites.net/.auth/login/aad/callback \
  --aad-client-id ecbacb08-df8b-450d-82b3-3fced03f2b27 --aad-client-secret very_secret_password \
  --aad-token-issuer-url https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7983a3e9c5a/

Allow Facebook authentication by setting FB-associated parameters and turning on public-profile and email scopes; allow anonymous users

az webapp auth update -g myResourceGroup -n myUniqueApp --action AllowAnonymous \
  --facebook-app-id my_fb_id --facebook-app-secret my_fb_secret \
  --facebook-oauth-scopes public_profile email

Optional Parameters

--aad-allowed-token-audiences

One or more token audiences (comma-delimited).

--aad-client-id

Application ID to integrate AAD organization account Sign-in into your web app.

--aad-client-secret

AAD application secret.

--aad-client-secret-certificate-thumbprint --thumbprint

Alternative to AAD Client Secret, thumbprint of a certificate used for signing purposes.

--aad-token-issuer-url

This URL can be found in the JSON output returned from your Active Directory endpoint using your tenantID. The endpoint can be queried from az cloud show at "endpoints.activeDirectory". The tenantID can be found using az account show. Get the "issuer" from the JSON at <active directory endpoint>/<tenantID>/.well-known/openid-configuration.

--action

accepted values: AllowAnonymous, LoginWithAzureActiveDirectory, LoginWithFacebook, LoginWithGoogle, LoginWithMicrosoftAccount, LoginWithTwitter

--allowed-external-redirect-urls

One or more urls (space-delimited).

--enabled

accepted values: false, true

--facebook-app-id

Application ID to integrate Facebook Sign-in into your web app.

--facebook-app-secret

Facebook Application client secret.

--facebook-oauth-scopes

One or more facebook authentication scopes (comma-delimited).

--google-client-id

Application ID to integrate Google Sign-in into your web app.

--google-client-secret

Google Application client secret.

--google-oauth-scopes

One or more Google authentication scopes (space-delimited).

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--microsoft-account-client-id

AAD V2 Application ID to integrate Microsoft account Sign-in into your web app.

--microsoft-account-client-secret

AAD V2 Application client secret.

--microsoft-account-oauth-scopes

One or more Microsoft authentication scopes (comma-delimited).

--name -n

Name of the web app. If left unspecified, a name will be randomly generated. You can configure the default using az configure --defaults web=<name>.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--runtime-version

Runtime version of the Authentication/Authorization feature in use for the current app.

--slot -s

The name of the slot. Defaults to the production slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--token-refresh-extension-hours

Hours, must be formattable into a float.

--token-store

Use App Service Token Store.

accepted values: false, true

--twitter-consumer-key

Application ID to integrate Twitter Sign-in into your web app.

--twitter-consumer-secret

Twitter Application client secret.