Share via


az webapp auth-classic

Note

This reference is part of the authV2 extension for the Azure CLI (version 2.23.0 or higher). The extension will automatically install the first time you run an az webapp auth-classic command. Learn more about extensions.

Manage webapp authentication and authorization in the classic format.

Commands

Name Description Type Status
az webapp auth-classic show

Show the authentication settings for the webapp in the classic format.

Extension GA
az webapp auth-classic update

Update the authentication settings for the webapp in the classic format.

Extension GA

az webapp auth-classic show

Show the authentication settings for the webapp in the classic format.

az webapp auth-classic show [--ids]
                            [--name]
                            [--resource-group]
                            [--slot]
                            [--subscription]

Examples

Show the authentication settings for the webapp. (autogenerated)

az webapp auth-classic show --name MyWebApp --resource-group MyResourceGroup

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Name of the web app.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--slot -s

The name of the slot. Default to the productions slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az webapp auth-classic update

Update the authentication settings for the webapp in the classic format.

Note that authentication settings are no longer returned as a result. Please use the az webapp auth-classic show command to view setting values.

az webapp auth-classic update [--aad-allowed-token-audiences]
                              [--aad-client-id]
                              [--aad-client-secret]
                              [--aad-client-secret-certificate-thumbprint]
                              [--aad-client-secret-setting-name]
                              [--aad-token-issuer-url]
                              [--action {AllowAnonymous, LoginWithAzureActiveDirectory, LoginWithFacebook, LoginWithGoogle, LoginWithMicrosoftAccount, LoginWithTwitter}]
                              [--allowed-redirect-urls]
                              [--enabled {false, true}]
                              [--facebook-app-id]
                              [--facebook-app-secret]
                              [--facebook-app-secret-setting-name]
                              [--facebook-oauth-scopes]
                              [--github-client-id]
                              [--github-client-secret]
                              [--github-client-secret-setting-name]
                              [--github-oauth-scopes]
                              [--google-client-id]
                              [--google-client-secret]
                              [--google-client-secret-setting-name]
                              [--google-oauth-scopes]
                              [--ids]
                              [--microsoft-account-client-id]
                              [--microsoft-account-client-secret]
                              [--microsoft-account-client-secret-setting-name]
                              [--microsoft-account-oauth-scopes]
                              [--name]
                              [--resource-group]
                              [--runtime-version]
                              [--slot]
                              [--subscription]
                              [--token-refresh-extension-hours]
                              [--token-store {false, true}]
                              [--twitter-consumer-key]
                              [--twitter-consumer-secret]
                              [--twitter-consumer-secret-setting-name]

Examples

Enable Azure Active Directory by enabling authentication and setting Azure Active Directory-associated parameters. Default provider is set to AAD. Must have created a AAD service principal beforehand.

az webapp auth-classic update  -g myResourceGroup --name MyWebApp --enabled true \
  --action LoginWithAzureActiveDirectory \
  --aad-allowed-token-audiences https://webapp_name.azurewebsites.net/.auth/login/aad/callback \
  --aad-client-id my-client-id --aad-client-secret very_secret_password \
  --aad-token-issuer-url https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7983a3e9c5a/

Enable Facebook authentication by setting FB-associated parameters and turning on public-profile and email scopes; allow anonymous users

az webapp auth-classic update -g myResourceGroup --name MyWebApp --action AllowAnonymous \
  --facebook-app-id my_fb_id --facebook-app-secret my_fb_secret \
  --facebook-oauth-scopes public_profile email

Optional Parameters

--aad-allowed-token-audiences --allowed-audiences

One or more token audiences (space-delimited).

--aad-client-id

Application ID to integrate AAD organization account Sign-in into your web app.

--aad-client-secret

AAD application secret.

--aad-client-secret-certificate-thumbprint --thumbprint

Alternative to AAD Client Secret, thumbprint of a certificate used for signing purposes.

--aad-client-secret-setting-name --aad-secret-setting

The app setting name that contains the client secret of the relying party application.

--aad-token-issuer-url

This url can be found in the JSON output returned from your active directory endpoint using your tenantID. The endpoint can be queried from az cloud show at "endpoints.activeDirectory". The tenantID can be found using az account show. Get the "issuer" from the JSON at //.well-known/openid-configuration.

--action

The action to take when an unauthenticated client attempts to access the app.

Accepted values: AllowAnonymous, LoginWithAzureActiveDirectory, LoginWithFacebook, LoginWithGoogle, LoginWithMicrosoftAccount, LoginWithTwitter
--allowed-redirect-urls

One or more urls (space-delimited).

--enabled

True if the Authentication / Authorization feature is enabled for the current app; otherwise, false.

Accepted values: false, true
--facebook-app-id

Application ID to integrate Facebook Sign-in into your web app.

--facebook-app-secret

Facebook Application client secret.

--facebook-app-secret-setting-name --fb-secret-setting

The app setting name that contains the app secret used for Facebook Login.

--facebook-oauth-scopes

One or more facebook authentication scopes (space-delimited).

--github-client-id

The Client Id of the GitHub app used for login.

--github-client-secret

The Client Secret of the GitHub app used for login.

--github-client-secret-setting-name --github-secret-setting

The app setting name that contains the client secret of the Github app used for GitHub Login.

--github-oauth-scopes --github-scopes

The OAuth 2.0 scopes that will be requested as part of GitHub Login authentication.

--google-client-id

Application ID to integrate Google Sign-in into your web app.

--google-client-secret

Google Application client secret.

--google-client-secret-setting-name --google-secret-setting

The app setting name that contains the client secret associated with the Google web application.

--google-oauth-scopes

One or more Google authentication scopes (space-delimited).

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--microsoft-account-client-id --msa-client

AAD V2 Application ID to integrate Microsoft account Sign-in into your web app.

--microsoft-account-client-secret --msa-secret

AAD V2 Application client secret.

--microsoft-account-client-secret-setting-name --msa-secret-setting

The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication.

--microsoft-account-oauth-scopes --msa-scopes

One or more Microsoft authentification scopes (space-delimited).

--name -n

Name of the web app.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--runtime-version

Runtime version of the Authentication/Authorization feature in use for the current app.

--slot -s

The name of the slot. Default to the productions slot if not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--token-refresh-extension-hours --token-refresh-hours

Hours, must be formattable into a float.

--token-store

Use App Service Token Store.

Accepted values: false, true
--twitter-consumer-key

Application ID to integrate Twitter Sign-in into your web app.

--twitter-consumer-secret --twitter-secret

Twitter Application client secret.

--twitter-consumer-secret-setting-name --twitter-secret-setting

The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.