Secure your App Service app

Completed

Azure App Service provides built-in authentication and authorization support. You can sign in users and access data by writing minimal or no code in your web app, API, and mobile backend, and also your Azure Functions apps.

Secure authentication and authorization require deep understanding of security, including federation, encryption, JSON web tokens (JWT) management, grant types, and so on. App Service provides these utilities so you can spend more time and energy on providing business value to your customer.

Note

You aren't required to use Azure App Service for authentication and authorization. Many web frameworks are bundled with security features, and you can use your preferred service.

Things to know about app security with App Service

Let's take a closer look at how App Service helps you provide security for your app.

  • The authentication and authorization security module in Azure App Service runs in the same environment as your application code, yet separately.

  • The security module is configured by using app settings. No SDKs, specific languages, or changes to your application code are required.

  • When you enable the security module, every incoming HTTP request passes through the module before it's handled by your application code.

  • The security module handles several tasks for your app:

    • Authenticate users with the specified provider
    • Validate, store, and refresh tokens
    • Manage the authenticated session
    • Inject identity information into request headers

Things to consider when using App Service for app security

You configure authentication and authorization security in App Service by selecting features In the Azure portal. Review the following options and think about what security can benefit your App Service apps implementation.

  • Allow Anonymous requests (no action). Defer authorization of unauthenticated traffic to your application code. For authenticated requests, App Service also passes along authentication information in the HTTP headers. This feature provides more flexibility for handling anonymous requests. With this feature, you can present multiple sign-in providers to your users.

  • Allow only authenticated requests. Redirect all anonymous requests to /.auth/login/<provider> for the provider you choose. The feature is equivalent to Log in with <provider>. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized message. With this feature, you don't need to write any authentication code in your app.

    Important

    This feature restricts access to all calls to your app. Restricting access to all calls might not be desirable if your app requires a public home page, as is the case for many single-page apps.

  • Logging and tracing. View authentication and authorization traces directly in your log files. If you see an authentication error that you didn’t expect, you can conveniently find all the details by looking in your existing application logs. If you enable failed request tracing, you can see exactly how the security module participated in a failed request. In the trace logs, look for references to a module named EasyAuthModule_32/64.