Azure CLI - Configuring Web App Authentication (az webapp auth V2)


I'm trying to configure the Authentication settings for an Azure Web App using the Azure CLI.

The result of the configuration should appear as follows.

az webapp auth show --name WebAppName --resource-group ResourceGroup | ConvertFrom-Json

I am attempting to configure the settings using the following command:

az webapp auth update --name WebAppName --resource-group ResourceGroup --aad-allowed-token-audience '{api://[value]}' --aad-client-id [value] --action AllowAnonymous --token-store true --enabled true --aad-token-issuer-url 'https://sts.windows.net/[value]/v2.0' | ConvertFrom-Json

However, I can't set all of the required settings. When I check the configured setting in the Azure Portal, it states that the app has been configured using a legacy version and the settings must be upgraded before they can be edited.

Once an upgrade has been triggered, rerunning the Azure CLI will fail as the script would attempt to downgrade the configuration.

I have also noticed that manually configuring the Authentication settings adds a MICROSOFT_PROVIDER_AUTHENTICATION_SECRET application setting into the Web App Configuration.

I haven't been able to find anything helpful in the reference documentation.

https://learn.microsoft.com/en-us/cli/azure/webapp/auth?view=azure-cli-latest#az-webapp-auth-update

Does anyone have a clever way to configure this setting? Thanks!


Solution

  • The problem seems to be related to the version of the authentication API used by the Azure Web App. The V2 version of the API is necessary for the "Authentication" experience on the Azure portal, according to the MSDoc.

    However, an app that is already using the V1 API can upgrade to the V2 version with a few modifications. Secret configuration, in particular, must be transferred to slot-sticky application settings. This can be done automatically through the "Authentication" section of your app's site.

    To convert the app to store identity provider secrets as application settings, follow the steps detailed in the above MS Doc.
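
One way to script the V1-to-V2 path described in this answer from PowerShell, as an added example (not code from the original post or from Microsoft). It assumes the `authV2` Azure CLI extension and its `az webapp auth config-version` and `az webapp auth microsoft` command groups; the angle-bracket values are placeholders, and the `configVersion` property read from the `show` output is an assumption to confirm against your CLI version.

```powershell
# Added example. Placeholder values below are constructed; replace them with your own.
$app           = 'WebAppName'
$rg            = 'ResourceGroup'
$tenantId      = '<tenant-id>'
$clientId      = '<client-id>'
$audience      = 'api://<value>'
$secretSetting = 'MICROSOFT_PROVIDER_AUTHENTICATION_SECRET'

# The V2 commands ship in the authV2 extension, which takes over the
# "az webapp auth" group while it is installed.
az extension add --name authV2 --upgrade

# Upgrade only while the app is still on V1, so a rerun of this script
# never tries to push a V1-shaped configuration onto a V2 app.
$version = (az webapp auth config-version show --name $app --resource-group $rg |
    ConvertFrom-Json).configVersion   # assumed property name
if ($version -eq 'v1') {
    az webapp auth config-version upgrade --name $app --resource-group $rg | Out-Null
}

# Keep the client secret out of the script: prompt for it, then store it as a
# slot-sticky application setting that the provider references by name.
$secure = Read-Host -Prompt 'Client secret' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password
az webapp config appsettings set --name $app --resource-group $rg `
    --slot-settings "$secretSetting=$secret" | Out-Null
Remove-Variable secret

# Microsoft (Azure AD) provider settings, pointing at the setting name
# rather than carrying the secret value.
az webapp auth microsoft update --name $app --resource-group $rg `
    --client-id $clientId `
    --client-secret-setting-name $secretSetting `
    --issuer "https://sts.windows.net/$tenantId/v2.0" `
    --allowed-audiences $audience | Out-Null

# Global settings matching the command in the question.
az webapp auth update --name $app --resource-group $rg `
    --enabled true --action AllowAnonymous --enable-token-store true | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'az webapp auth update failed' }

# Read the result back to confirm what was applied.
az webapp auth show --name $app --resource-group $rg | ConvertFrom-Json
```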