Azure Web App/Function App Authentication and Authorization References

Here’s a dump of authentication related articles and blogs for Authentication and Authorization formerly known as Easy Auth. Note its always good to read through the comments of the blogs and forum post to get helpful tidbits you may have otherwise missed. If you find another article please feel free to leave a comment and I’ll add it to the list.

Main Doc:

Advanced Auth concepts and features:

OpenID Connect Integration


Chris’s blog:

This blog is rich with a TONNN of content and the comments are extremely useful:

Refreshing tokens with /.auth/Refresh

Understanding why refreshing with an access token doesn’t work (as of 7/2020 – could change in the future)

Getting Access tokens and using them with /.auth/me for client side apps and headers for your server side code

Advanced App Settings

Super helpful with some app settings that can make configurations work including how to have a warmup page that can bypass the authentication:

WEBSITE_WARMUP_PATHAny relative URL pathThis setting is intended for use when an unauthenticated client, such as Azure Traffic Manager or Azure App Service’s Always On feature, needs to access a specific path in the web app without requiring authentication. When set, any HTTP requests to the specified URL path will not be rejected by Easy Auth, regardless of the specified rules for unauthenticated clients.

Control the Auth Session Cookie timeout period: This app setting enables customers to control how long the cookie is valid for and when users will be forced to reauthenticate:
Value: hh:mm:ss

Application Gateway integration with Auth/Web Apps

Azure AD Dev Blog

This is unrelated to the app service auth but has a lot of helpful blogs from the AAD Dev Support team:

Authentication with other Tenants:

Access an Azure web app behind Auth using a bearer token


Random helpful hints:

  • If you are trying to use the /.auth/me endpoint but do not see a token in the format of ey…. make sure to add the additionalLoginParameters via Resource Explorer (see step 4-6 of my blog below)
  • In order to get access token and use the token store you must have a client secret configured
  • When calling /.auth/refresh, what for this call to complete with a 200 before calling /.auth/me to get the new token. You may run into a race condition otherwise if you do not wait