Web Apps - Get Auth Settings V2
Description for Gets site's Authentication / Authorization settings for apps via the V2 format
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/authsettingsV2/list?api-version=2024-04-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
name
|
path | True |
string |
Name of the app. |
resource
|
path | True |
string |
Name of the resource group to which the resource belongs. Regex pattern: |
subscription
|
path | True |
string |
Your Azure subscription ID. This is a GUID-formatted string (e.g. 00000000-0000-0000-0000-000000000000). |
api-version
|
query | True |
string |
API Version |
Responses
Name | Type | Description |
---|---|---|
200 OK |
OK |
|
Other Status Codes |
App Service error response. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
List Auth Settings V2
Sample request
Sample response
{
"id": "/subscriptions/34adfa4f-cedf-4dc0-ba29-b6d1a69ab345/resourceGroups/testrg123/providers/Microsoft.Web/sites/sitef6141/config/authsettingsv2",
"name": "authsettingsv2",
"type": "Microsoft.Web/sites/authsettingsv2",
"kind": "app",
"properties": {
"platform": {
"enabled": true,
"runtimeVersion": "~1",
"configFilePath": "/auth/config.json"
},
"globalValidation": {
"requireAuthentication": true,
"unauthenticatedClientAction": "Return403",
"excludedPaths": [
"/nosecrets/Path"
]
},
"identityProviders": {
"google": {
"enabled": true,
"registration": {
"clientId": "42d795a9-8abb-4d06-8534-39528af40f8e.apps.googleusercontent.com",
"clientSecretSettingName": "ClientSecret"
},
"login": {
"scopes": [
"admin"
]
},
"validation": {
"allowedAudiences": [
"https://example.com"
]
}
}
},
"login": {
"routes": {
"logoutEndpoint": "https://app.com/logout"
},
"tokenStore": {
"enabled": true,
"tokenRefreshExtensionHours": 96,
"fileSystem": {
"directory": "/wwwroot/sites/example"
}
},
"preserveUrlFragmentsForLogins": true,
"allowedExternalRedirectUrls": [
"https://someurl.com"
],
"cookieExpiration": {
"convention": "IdentityProviderDerived",
"timeToExpiration": "2022:09-01T00:00Z"
},
"nonce": {
"validateNonce": true
}
},
"httpSettings": {
"requireHttps": true,
"routes": {
"apiPrefix": "/authv2/"
},
"forwardProxy": {
"convention": "Standard",
"customHostHeaderName": "authHeader",
"customProtoHeaderName": "customProtoHeader"
}
}
}
}
Definitions
Name | Description |
---|---|
Allowed |
The configuration settings of the Allowed Audiences validation flow. |
Allowed |
The configuration settings of the Azure Active Directory allowed principals. |
Apple |
The configuration settings of the Apple provider. |
Apple |
The configuration settings of the registration for the Apple provider |
App |
The configuration settings of the app registration for providers that have app ids and app secrets |
Auth |
The configuration settings of the platform of App Service Authentication/Authorization. |
Azure |
The configuration settings of the Azure Active directory provider. |
Azure |
The configuration settings of the Azure Active Directory login flow. |
Azure |
The configuration settings of the Azure Active Directory app registration. |
Azure |
The configuration settings of the Azure Active Directory token validation flow. |
Azure |
The configuration settings of the Azure Static Web Apps provider. |
Azure |
The configuration settings of the registration for the Azure Static Web Apps provider |
Blob |
The configuration settings of the storage of the tokens if blob storage is used. |
Client |
The method that should be used to authenticate the user. |
Client |
The configuration settings of the app registration for providers that have client ids and client secrets |
Cookie |
The configuration settings of the session cookie's expiration. |
Cookie |
The convention used when determining the session cookie's expiration. |
Custom |
The configuration settings of the custom Open ID Connect provider. |
Default |
The configuration settings of the Azure Active Directory default authorization policy. |
Default |
App Service error response. |
Details | |
Error |
Error model. |
The configuration settings of the Facebook provider. |
|
File |
The configuration settings of the storage of the tokens if a file system is used. |
Forward |
The configuration settings of a forward proxy used to make the requests. |
Forward |
The convention used to determine the url of the request made. |
Git |
The configuration settings of the GitHub provider. |
Global |
The configuration settings that determines the validation flow of users using App Service Authentication/Authorization. |
The configuration settings of the Google provider. |
|
Http |
The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization. |
Http |
The configuration settings of the paths HTTP requests. |
Identity |
The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization. |
Jwt |
The configuration settings of the checks that should be made while validating the JWT Claims. |
Legacy |
The configuration settings of the legacy Microsoft Account provider. |
Login |
The configuration settings of the login flow of users using App Service Authentication/Authorization. |
Login |
The routes that specify the endpoints used for login and logout requests. |
Login |
The configuration settings of the login flow, including the scopes that should be requested. |
Nonce |
The configuration settings of the nonce used in the login flow. |
Open |
The authentication client credentials of the custom Open ID Connect provider. |
Open |
The configuration settings of the endpoints used for the custom Open ID Connect provider. |
Open |
The configuration settings of the login flow of the custom Open ID Connect provider. |
Open |
The configuration settings of the app registration for the custom Open ID Connect provider. |
Site |
Configuration settings for the Azure App Service Authentication / Authorization V2 feature. |
Token |
The configuration settings of the token store. |
The configuration settings of the Twitter provider. |
|
Twitter |
The configuration settings of the app registration for the Twitter provider. |
Unauthenticated |
The action to take when an unauthenticated client attempts to access the app. |
AllowedAudiencesValidation
The configuration settings of the Allowed Audiences validation flow.
Name | Type | Description |
---|---|---|
allowedAudiences |
string[] |
The configuration settings of the allowed list of audiences from which to validate the JWT token. |
AllowedPrincipals
The configuration settings of the Azure Active Directory allowed principals.
Name | Type | Description |
---|---|---|
groups |
string[] |
The list of the allowed groups. |
identities |
string[] |
The list of the allowed identities. |
Apple
The configuration settings of the Apple provider.
Name | Type | Description |
---|---|---|
enabled |
boolean |
|
login |
The configuration settings of the login flow. |
|
registration |
The configuration settings of the Apple registration. |
AppleRegistration
The configuration settings of the registration for the Apple provider
Name | Type | Description |
---|---|---|
clientId |
string |
The Client ID of the app used for login. |
clientSecretSettingName |
string |
The app setting name that contains the client secret. |
AppRegistration
The configuration settings of the app registration for providers that have app ids and app secrets
Name | Type | Description |
---|---|---|
appId |
string |
The App ID of the app used for login. |
appSecretSettingName |
string |
The app setting name that contains the app secret. |
AuthPlatform
The configuration settings of the platform of App Service Authentication/Authorization.
Name | Type | Description |
---|---|---|
configFilePath |
string |
The path of the config file containing auth settings if they come from a file. If the path is relative, base will the site's root directory. |
enabled |
boolean |
|
runtimeVersion |
string |
The RuntimeVersion of the Authentication / Authorization feature in use for the current app. The setting in this value can control the behavior of certain features in the Authentication / Authorization module. |
AzureActiveDirectory
The configuration settings of the Azure Active directory provider.
Name | Type | Description |
---|---|---|
enabled |
boolean |
|
isAutoProvisioned |
boolean |
Gets a value indicating whether the Azure AD configuration was auto-provisioned using 1st party tooling. This is an internal flag primarily intended to support the Azure Management Portal. Users should not read or write to this property. |
login |
The configuration settings of the Azure Active Directory login flow. |
|
registration |
The configuration settings of the Azure Active Directory app registration. |
|
validation |
The configuration settings of the Azure Active Directory token validation flow. |
AzureActiveDirectoryLogin
The configuration settings of the Azure Active Directory login flow.
Name | Type | Description |
---|---|---|
disableWWWAuthenticate |
boolean |
|
loginParameters |
string[] |
Login parameters to send to the OpenID Connect authorization endpoint when a user logs in. Each parameter must be in the form "key=value". |
AzureActiveDirectoryRegistration
The configuration settings of the Azure Active Directory app registration.
Name | Type | Description |
---|---|---|
clientId |
string |
The Client ID of this relying party application, known as the client_id. This setting is required for enabling OpenID Connection authentication with Azure Active Directory or other 3rd party OpenID Connect providers. More information on OpenID Connect: http://openid.net/specs/openid-connect-core-1_0.html |
clientSecretCertificateIssuer |
string |
An alternative to the client secret thumbprint, that is the issuer of a certificate used for signing purposes. This property acts as a replacement for the Client Secret Certificate Thumbprint. It is also optional. |
clientSecretCertificateSubjectAlternativeName |
string |
An alternative to the client secret thumbprint, that is the subject alternative name of a certificate used for signing purposes. This property acts as a replacement for the Client Secret Certificate Thumbprint. It is also optional. |
clientSecretCertificateThumbprint |
string |
An alternative to the client secret, that is the thumbprint of a certificate used for signing purposes. This property acts as a replacement for the Client Secret. It is also optional. |
clientSecretSettingName |
string |
The app setting name that contains the client secret of the relying party application. |
openIdIssuer |
string |
The OpenID Connect Issuer URI that represents the entity which issues access tokens for this application. When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://login.microsoftonline.com/v2.0/{tenant-guid}/. This URI is a case-sensitive identifier for the token issuer. More information on OpenID Connect Discovery: http://openid.net/specs/openid-connect-discovery-1_0.html |
AzureActiveDirectoryValidation
The configuration settings of the Azure Active Directory token validation flow.
Name | Type | Description |
---|---|---|
allowedAudiences |
string[] |
The list of audiences that can make successful authentication/authorization requests. |
defaultAuthorizationPolicy |
The configuration settings of the default authorization policy. |
|
jwtClaimChecks |
The configuration settings of the checks that should be made while validating the JWT Claims. |
AzureStaticWebApps
The configuration settings of the Azure Static Web Apps provider.
Name | Type | Description |
---|---|---|
enabled |
boolean |
|
registration |
The configuration settings of the Azure Static Web Apps registration. |
AzureStaticWebAppsRegistration
The configuration settings of the registration for the Azure Static Web Apps provider
Name | Type | Description |
---|---|---|
clientId |
string |
The Client ID of the app used for login. |
BlobStorageTokenStore
The configuration settings of the storage of the tokens if blob storage is used.
Name | Type | Description |
---|---|---|
sasUrlSettingName |
string |
The name of the app setting containing the SAS URL of the blob storage containing the tokens. |
ClientCredentialMethod
The method that should be used to authenticate the user.
Name | Type | Description |
---|---|---|
ClientSecretPost |
string |
ClientRegistration
The configuration settings of the app registration for providers that have client ids and client secrets
Name | Type | Description |
---|---|---|
clientId |
string |
The Client ID of the app used for login. |
clientSecretSettingName |
string |
The app setting name that contains the client secret. |
CookieExpiration
The configuration settings of the session cookie's expiration.
Name | Type | Description |
---|---|---|
convention |
The convention used when determining the session cookie's expiration. |
|
timeToExpiration |
string |
The time after the request is made when the session cookie should expire. |
CookieExpirationConvention
The convention used when determining the session cookie's expiration.
Name | Type | Description |
---|---|---|
FixedTime |
string |
|
IdentityProviderDerived |
string |
CustomOpenIdConnectProvider
The configuration settings of the custom Open ID Connect provider.
Name | Type | Description |
---|---|---|
enabled |
boolean |
|
login |
The configuration settings of the login flow of the custom Open ID Connect provider. |
|
registration |
The configuration settings of the app registration for the custom Open ID Connect provider. |
DefaultAuthorizationPolicy
The configuration settings of the Azure Active Directory default authorization policy.
Name | Type | Description |
---|---|---|
allowedApplications |
string[] |
The configuration settings of the Azure Active Directory allowed applications. |
allowedPrincipals |
The configuration settings of the Azure Active Directory allowed principals. |
DefaultErrorResponse
App Service error response.
Name | Type | Description |
---|---|---|
error |
Error model. |
Details
Name | Type | Description |
---|---|---|
code |
string |
Standardized string to programmatically identify the error. |
message |
string |
Detailed error description and debugging information. |
target |
string |
Detailed error description and debugging information. |
Error
Error model.
Name | Type | Description |
---|---|---|
code |
string |
Standardized string to programmatically identify the error. |
details |
Details[] |
Detailed errors. |
innererror |
string |
More information to debug error. |
message |
string |
Detailed error description and debugging information. |
target |
string |
Detailed error description and debugging information. |
The configuration settings of the Facebook provider.
Name | Type | Description |
---|---|---|
enabled |
boolean |
|
graphApiVersion |
string |
The version of the Facebook api to be used while logging in. |
login |
The configuration settings of the login flow. |
|
registration |
The configuration settings of the app registration for the Facebook provider. |
FileSystemTokenStore
The configuration settings of the storage of the tokens if a file system is used.
Name | Type | Description |
---|---|---|
directory |
string |
The directory in which the tokens will be stored. |
ForwardProxy
The configuration settings of a forward proxy used to make the requests.
Name | Type | Description |
---|---|---|
convention |
The convention used to determine the url of the request made. |
|
customHostHeaderName |
string |
The name of the header containing the host of the request. |
customProtoHeaderName |
string |
The name of the header containing the scheme of the request. |
ForwardProxyConvention
The convention used to determine the url of the request made.
Name | Type | Description |
---|---|---|
Custom |
string |
|
NoProxy |
string |
|
Standard |
string |
GitHub
The configuration settings of the GitHub provider.
Name | Type | Description |
---|---|---|
enabled |
boolean |
|
login |
The configuration settings of the login flow. |
|
registration |
The configuration settings of the app registration for the GitHub provider. |
GlobalValidation
The configuration settings that determines the validation flow of users using App Service Authentication/Authorization.
Name | Type | Description |
---|---|---|
excludedPaths |
string[] |
The paths for which unauthenticated flow would not be redirected to the login page. |
redirectToProvider |
string |
The default authentication provider to use when multiple providers are configured. This setting is only needed if multiple providers are configured and the unauthenticated client action is set to "RedirectToLoginPage". |
requireAuthentication |
boolean |
|
unauthenticatedClientAction |
The action to take when an unauthenticated client attempts to access the app. |
The configuration settings of the Google provider.
Name | Type | Description |
---|---|---|
enabled |
boolean |
|
login |
The configuration settings of the login flow. |
|
registration |
The configuration settings of the app registration for the Google provider. |
|
validation |
The configuration settings of the Azure Active Directory token validation flow. |
HttpSettings
The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization.
Name | Type | Description |
---|---|---|
forwardProxy |
The configuration settings of a forward proxy used to make the requests. |
|
requireHttps |
boolean |
|
routes |
The configuration settings of the paths HTTP requests. |
HttpSettingsRoutes
The configuration settings of the paths HTTP requests.
Name | Type | Description |
---|---|---|
apiPrefix |
string |
The prefix that should precede all the authentication/authorization paths. |
IdentityProviders
The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization.
Name | Type | Description |
---|---|---|
apple |
The configuration settings of the Apple provider. |
|
azureActiveDirectory |
The configuration settings of the Azure Active directory provider. |
|
azureStaticWebApps |
The configuration settings of the Azure Static Web Apps provider. |
|
customOpenIdConnectProviders |
<string,
Custom |
The map of the name of the alias of each custom Open ID Connect provider to the configuration settings of the custom Open ID Connect provider. |
The configuration settings of the Facebook provider. |
||
gitHub |
The configuration settings of the GitHub provider. |
|
The configuration settings of the Google provider. |
||
legacyMicrosoftAccount |
The configuration settings of the legacy Microsoft Account provider. |
|
The configuration settings of the Twitter provider. |
JwtClaimChecks
The configuration settings of the checks that should be made while validating the JWT Claims.
Name | Type | Description |
---|---|---|
allowedClientApplications |
string[] |
The list of the allowed client applications. |
allowedGroups |
string[] |
The list of the allowed groups. |
LegacyMicrosoftAccount
The configuration settings of the legacy Microsoft Account provider.
Name | Type | Description |
---|---|---|
enabled |
boolean |
|
login |
The configuration settings of the login flow. |
|
registration |
The configuration settings of the app registration for the legacy Microsoft Account provider. |
|
validation |
The configuration settings of the legacy Microsoft Account provider token validation flow. |
Login
The configuration settings of the login flow of users using App Service Authentication/Authorization.
Name | Type | Description |
---|---|---|
allowedExternalRedirectUrls |
string[] |
External URLs that can be redirected to as part of logging in or logging out of the app. Note that the query string part of the URL is ignored. This is an advanced setting typically only needed by Windows Store application backends. Note that URLs within the current domain are always implicitly allowed. |
cookieExpiration |
The configuration settings of the session cookie's expiration. |
|
nonce |
The configuration settings of the nonce used in the login flow. |
|
preserveUrlFragmentsForLogins |
boolean |
|
routes |
The routes that specify the endpoints used for login and logout requests. |
|
tokenStore |
The configuration settings of the token store. |
LoginRoutes
The routes that specify the endpoints used for login and logout requests.
Name | Type | Description |
---|---|---|
logoutEndpoint |
string |
The endpoint at which a logout request should be made. |
LoginScopes
The configuration settings of the login flow, including the scopes that should be requested.
Name | Type | Description |
---|---|---|
scopes |
string[] |
A list of the scopes that should be requested while authenticating. |
Nonce
The configuration settings of the nonce used in the login flow.
Name | Type | Description |
---|---|---|
nonceExpirationInterval |
string |
The time after the request is made when the nonce should expire. |
validateNonce |
boolean |
|
OpenIdConnectClientCredential
The authentication client credentials of the custom Open ID Connect provider.
Name | Type | Description |
---|---|---|
clientSecretSettingName |
string |
The app setting that contains the client secret for the custom Open ID Connect provider. |
method |
The method that should be used to authenticate the user. |
OpenIdConnectConfig
The configuration settings of the endpoints used for the custom Open ID Connect provider.
Name | Type | Description |
---|---|---|
authorizationEndpoint |
string |
The endpoint to be used to make an authorization request. |
certificationUri |
string |
The endpoint that provides the keys necessary to validate the token. |
issuer |
string |
The endpoint that issues the token. |
tokenEndpoint |
string |
The endpoint to be used to request a token. |
wellKnownOpenIdConfiguration |
string |
The endpoint that contains all the configuration endpoints for the provider. |
OpenIdConnectLogin
The configuration settings of the login flow of the custom Open ID Connect provider.
Name | Type | Description |
---|---|---|
nameClaimType |
string |
The name of the claim that contains the users name. |
scopes |
string[] |
A list of the scopes that should be requested while authenticating. |
OpenIdConnectRegistration
The configuration settings of the app registration for the custom Open ID Connect provider.
Name | Type | Description |
---|---|---|
clientCredential |
The authentication credentials of the custom Open ID Connect provider. |
|
clientId |
string |
The client id of the custom Open ID Connect provider. |
openIdConnectConfiguration |
The configuration settings of the endpoints used for the custom Open ID Connect provider. |
SiteAuthSettingsV2
Configuration settings for the Azure App Service Authentication / Authorization V2 feature.
Name | Type | Description |
---|---|---|
id |
string |
Resource Id. |
kind |
string |
Kind of resource. |
name |
string |
Resource Name. |
properties.globalValidation |
The configuration settings that determines the validation flow of users using App Service Authentication/Authorization. |
|
properties.httpSettings |
The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization. |
|
properties.identityProviders |
The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization. |
|
properties.login |
The configuration settings of the login flow of users using App Service Authentication/Authorization. |
|
properties.platform |
The configuration settings of the platform of App Service Authentication/Authorization. |
|
type |
string |
Resource type. |
TokenStore
The configuration settings of the token store.
Name | Type | Description |
---|---|---|
azureBlobStorage |
The configuration settings of the storage of the tokens if blob storage is used. |
|
enabled |
boolean |
|
fileSystem |
The configuration settings of the storage of the tokens if a file system is used. |
|
tokenRefreshExtensionHours |
number |
The number of hours after session token expiration that a session token can be used to call the token refresh API. The default is 72 hours. |
The configuration settings of the Twitter provider.
Name | Type | Description |
---|---|---|
enabled |
boolean |
|
registration |
The configuration settings of the app registration for the Twitter provider. |
TwitterRegistration
The configuration settings of the app registration for the Twitter provider.
Name | Type | Description |
---|---|---|
consumerKey |
string |
The OAuth 1.0a consumer key of the Twitter application used for sign-in. This setting is required for enabling Twitter Sign-In. Twitter Sign-In documentation: https://dev.twitter.com/web/sign-in |
consumerSecretSettingName |
string |
The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in. |
UnauthenticatedClientActionV2
The action to take when an unauthenticated client attempts to access the app.
Name | Type | Description |
---|---|---|
AllowAnonymous |
string |
|
RedirectToLoginPage |
string |
|
Return401 |
string |
|
Return403 |
string |