-
Notifications
You must be signed in to change notification settings - Fork 218
Deploying to App Services
If you have simple scenarios, such as signing-in users in my organization and/or calling an API, you can use App Services authentication. In Microsoft.Identity.Web versions 1.2.0 and later, for these simple scenarios, the same code for your web app will work seamlessly with or without EasyAuth. Your web app can sign-in users and possibly call web APIs or Microsoft Graph. Indeed, Microsoft.Identity.Web now detects that the app is hosted in App Services, and uses that authentication. You can still sign-in users, and you can call web APIs provided you enabled them in App Services. For details on how to do that, see this tutorial: Configure App Service to return a usable access token.
Normally your app should not need to know if it's hosted in App Services with Authentication or not, but if you want to propose a different UI, it can call AppServicesAuthenticationInformation.IsAppServicesAadAuthenticationEnabled
to detect it.
Note that when Microsoft.Identity.Web detects EasyAuth, it automatically overrides the default authentication scheme to be AppServicesAuthenticationDefaults.AppServicesAuthenticationDefaults
, and uses this scheme instead of the OpenIdConnect
scheme. If you configure the OpenID Connect scheme, you might want to guard this configuration code with tests using AppServicesAuthenticationInformation.IsAppServicesAadAuthenticationEnabled
. But if you do so, you might have an advanced scenario, and therefore we recommend you disable App Services authentication (see below).
When you deploy your web app or web API to Azure web services and have advanced code, like configuring OpenID Connect or cookies, make sure that you turn off the App Services authentication, even if the message in App Services tells you that anonymous access is enabled. Indeed it is enabled at that level, but your web app or web API is protected by Microsoft.identity.Web.
If you turned on App Services authentication and also customized OpenID Connect settings, the authentication will not work.
If you choose to deploy your web app in Linux containers (without enabling App Services authentication), you'll also need to use forwarded headers. For details see Deploying web apps to App Services as Linux containers.
- Home
- Why use Microsoft Identity Web?
- Web apps
- Web APIs
- Using certificates
- Minimal support for .NET FW Classic
- Logging
- Azure AD B2C limitations
- Samples
- Web apps
- Web app samples
- Web app template
- Call an API from a web app
- Managing incremental consent and conditional access
- Web app troubleshooting
- Deploy to App Services Linux containers or with proxies
- SameSite cookies
- Hybrid SPA
- Web APIs
- Web API samples
- Web API template
- Call an API from a web API
- Token Decryption
- Web API troubleshooting
- web API protected by ACLs instead of app roles
- gRPC apps
- Azure Functions
- Long running processes in web APIs
- Authorization policies
- Generic API
- Customization
- Logging
- Calling graph with specific scopes/tenant
- Multiple Authentication Schemes
- Utility classes
- Setting FIC+MSI
- Mixing web app and web API
- Deploying to Azure App Services
- Azure AD B2C issuer claim support
- Performance
- specify Microsoft Graph scopes and app-permissions
- Integrate with Azure App Services authentication
- Ajax calls and incremental consent and conditional access
- Back channel proxys
- Client capabilities