This chapter covers App Service security and authentication, a critical area for the AZ-500 exam focusing on compute security (Objective 2.1). You will learn how to secure Azure App Service applications using authentication and authorization features, including integration with Azure AD, token handling, and network security. Expect around 10-15% of exam questions to touch on these concepts, often in scenarios involving managed identity, TLS settings, and access restrictions.
Jump to a section
Azure App Service authentication is like a hotel key card system. The hotel (App Service) has a front desk (authentication module) that checks every guest's key card (token) before they can enter rooms or use amenities. When you check in (first login), the front desk verifies your identity (against Azure AD, Facebook, etc.) and issues a key card with your details and expiration time. This key card is lightweight and fast to check—no need to call the central database every time. The hotel also has a back door for staff (service principals) who use special badges (client credentials) to access maintenance rooms (APIs) without guest login. If a guest loses their key card, they must go to the front desk to get a new one (refresh token). The hotel can revoke all key cards instantly if needed (token revocation). The front desk can also allow certain guests to enter the gym without a key card (anonymous access) but logs their entry anyway. This system keeps the hotel secure without slowing down every door check.
What is App Service Security and Authentication?
Azure App Service is a fully managed platform for building and hosting web apps, REST APIs, and mobile back ends. Security in App Service involves multiple layers: authentication (verifying user identity), authorization (controlling access to resources), network security (restricting inbound/outbound traffic), and data protection (encryption at rest and in transit). The AZ-500 exam specifically tests your ability to configure and manage these security features, especially the built-in authentication and authorization module, often referred to as EasyAuth.
Why EasyAuth Exists
Traditionally, developers had to implement authentication logic themselves using SDKs or middleware, which is error-prone and time-consuming. EasyAuth provides a turnkey solution that runs as a native IIS module or sidecar container (on Linux) in front of your application. It intercepts incoming HTTP requests before they reach your app code, validates tokens, and either allows the request, challenges the client, or injects identity headers. This means your app never directly handles tokens or passwords—reducing attack surface.
How EasyAuth Works Internally
When you enable authentication in App Service, you select one or more identity providers (Azure AD, Microsoft Account, Facebook, Google, Twitter, or any OpenID Connect provider). The App Service front-end layer (Front End or Azure Front Door) handles token validation. Here's the step-by-step mechanism:
Unauthenticated Request: A user visits https://myapp.azurewebsites.net. If authentication is enabled with "Login with Azure AD" as required, the request hits App Service. Since no authentication cookie or token is present, App Service returns an HTTP 302 redirect to the Azure AD authorize endpoint.
Authentication Flow: The user is redirected to Azure AD, where they log in. Azure AD returns an authorization code to a callback URL (e.g., /.auth/login/aad/callback). App Service exchanges this code for an ID token, access token, and refresh token.
Token Storage: App Service stores tokens in a secure token store (encrypted at rest) and sets an authentication cookie (AppServiceAuthSession) on the client's browser. Subsequent requests include this cookie, which App Service validates without contacting the provider.
Token Refresh: When tokens expire (default 1 hour for access tokens), App Service automatically uses the refresh token to obtain new ones. The refresh token lifetime is 14 days by default but can be configured.
Identity Headers: For authenticated requests, App Service injects HTTP headers like X-MS-CLIENT-PRINCIPAL-NAME and X-MS-CLIENT-PRINCIPAL-ID, which your app can read to identify the user. The full claims are available in /.auth/me endpoint.
Key Components, Values, Defaults, and Timers
Authentication Providers: Azure AD, Microsoft, Facebook, Google, Twitter, and generic OpenID Connect. For Azure AD, you must register an application in Azure AD and configure the tenant ID, client ID, and client secret.
Token Store: Enabled by default. Stores tokens in an encrypted file system on the App Service instance. You can disable it if not needed.
Session Cookie: AppServiceAuthSession – a secure, HTTP-only cookie. Its expiration is tied to the session token.
Token Refresh: Automatic when enabled. The refresh token cookie (AppServiceAuthSession) is used to fetch new tokens. If the refresh token expires, user must re-authenticate.
Allowed External Redirect URLs: You must configure valid redirect URIs in the identity provider, e.g., https://myapp.azurewebsites.net/.auth/login/aad/callback.
Unauthenticated Request Action: Two options: "Log in with [provider]" (redirect) or "Allow anonymous requests (no action)". The second option lets your app handle authentication itself.
Managed Identity: Instead of using client secrets, you can enable system-assigned or user-assigned managed identity on the App Service and use it to authenticate to Azure AD without storing credentials.
Configuration and Verification Commands
You can configure authentication via Azure portal, Azure CLI, or ARM templates. Example Azure CLI:
# Enable Azure AD authentication
az webapp auth update --resource-group myRG --name myApp --enabled true \
--action LoginWithAzureActiveDirectory \
--aad-client-id <client-id> --aad-client-secret <secret> --aad-token-store true
# Show current auth settings
az webapp auth show --resource-group myRG --name myApp
# Get token from /.auth/me
curl -X GET https://myapp.azurewebsites.net/.auth/me -H "Cookie: AppServiceAuthSession=<cookie>"Interaction with Related Technologies
Azure AD B2C: App Service can integrate with B2C for customer-facing apps. Configuration is similar to Azure AD but uses a B2C tenant.
App Service Access Restrictions: You can combine authentication with IP address restrictions. For example, allow only authenticated users from specific IP ranges.
Virtual Network Integration: For outbound traffic, App Service can use VNet integration to access resources behind a firewall. Authentication tokens can be used to authorize calls to APIs.
Key Vault: Store client secrets in Key Vault and reference them via Key Vault references in App Settings, avoiding hardcoded secrets.
Managed Identity for Backend Access
Managed identity is a key feature for secure backend access. When enabled, Azure automatically creates a service principal in Azure AD for the App Service. Your code can acquire tokens for other Azure resources (like Key Vault, SQL Database, or Storage) without storing any credentials. Example C# code:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var client = new SecretClient(new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential());
KeyVaultSecret secret = await client.GetSecretAsync("mySecret");The DefaultAzureCredential automatically uses the managed identity when running in App Service.
TLS and SSL Settings
App Service supports TLS 1.2 and 1.3 by default. You can enforce minimum TLS version via portal or CLI:
az webapp config set --resource-group myRG --name myApp --min-tls-version 1.2HTTPS Only can be enforced to redirect HTTP to HTTPS. Also, you can use App Service certificates, upload your own, or use Azure Key Vault for SSL binding.
Cross-Origin Resource Sharing (CORS)
CORS allows your API to be called from a different domain. Configure allowed origins in App Service. This is not a security feature per se but can be misused if overly permissive. Best practice: allow only specific domains.
Authentication Flow with Multiple Providers
You can enable multiple providers. Users choose which one to log in with. The token store stores tokens from each provider. The /.auth/me endpoint returns claims from the provider used to authenticate.
Common Misconfigurations
Not enabling token store when needed for backend API calls.
Using client secret in app settings instead of Key Vault.
Leaving "Allow anonymous requests" enabled when you intend to require authentication.
Not configuring CORS properly, leading to blocked requests.
Exam-Relevant Details
EasyAuth runs as a native module on Windows (IIS) and as a sidecar on Linux.
The token store is encrypted at rest using the App Service's file system.
Refresh tokens are valid for 14 days by default, configurable via the identity provider.
Managed identity can be system-assigned (one per App Service) or user-assigned (shared across resources).
The /.auth/login endpoint initiates login, /.auth/logout ends the session.
You can use Azure AD v1 or v2 endpoints; v2 supports more scenarios like B2C and personal accounts.
Security Best Practices
Always use HTTPS and enforce minimum TLS 1.2.
Use managed identity instead of client secrets when possible.
Store secrets in Key Vault and use Key Vault references.
Restrict network access using Access Restrictions and VNet integration.
Regularly rotate client secrets and certificates.
Monitor authentication logs using Azure Monitor and App Service diagnostics.
Enable Authentication in App Service
In the Azure portal, navigate to your App Service > Authentication. Click 'Add identity provider' and select Azure AD. You must provide the client ID and client secret from an Azure AD app registration. Optionally, you can enable token storage. The action to take when request is not authenticated: choose 'Log in with Azure Active Directory' to redirect unauthenticated users to the login page, or 'Allow anonymous requests' if your app handles authentication. This step configures the EasyAuth module to intercept requests.
Configure Azure AD App Registration
In Azure AD, register an application for your App Service. Set the redirect URI to `https://your-app-name.azurewebsites.net/.auth/login/aad/callback`. Generate a client secret (or use a certificate). Note the tenant ID, client ID, and client secret. These values are entered in the App Service authentication settings. Ensure the app registration has appropriate permissions (e.g., User.Read for basic profile). The secret must be stored securely, preferably in Key Vault.
Use Managed Identity for Backend Access
Enable system-assigned managed identity on the App Service (under Identity > System assigned > On). This creates a service principal in Azure AD. Grant this identity permissions to Azure resources, e.g., assign Reader role to Key Vault or Contributor to Storage Account. In your application code, use Azure Identity SDK (e.g., `DefaultAzureCredential`) to acquire tokens. No secrets are stored. This step is critical for secure backend communication without managing credentials.
Enforce HTTPS and TLS Version
Under App Service > TLS/SSL settings, set 'HTTPS Only' to On. For 'Minimum TLS Version', select 1.2. This ensures all traffic is encrypted and uses a secure protocol. You can also bind a custom domain with an SSL certificate (App Service Managed Certificate, Azure Key Vault, or uploaded). Enforcing TLS 1.2 is a common exam requirement for compliance (e.g., PCI DSS).
Restrict Network Access with Access Restrictions
Under App Service > Networking > Access Restrictions, add rules to allow or deny traffic based on source IP or VNet. For example, deny all traffic except from a specific IP range or a VNet. This is often used for internal APIs. Rules are evaluated in priority order. You can also integrate with Azure Front Door or Application Gateway for additional security.
Enterprise Scenario 1: Internal Corporate Application
A company develops a web app for employee expense reporting. They need to restrict access to employees only and ensure that the app can read user profile data from Azure AD. They enable Azure AD authentication in App Service with 'Login with Azure Active Directory' and 'Allow unauthenticated requests' set to redirect. They register an app in Azure AD with User.Read permission. They also enable system-assigned managed identity so that the app can access a backend SQL database using Azure AD authentication. The app uses the managed identity token to connect to the database without storing any credentials. To further secure the app, they enforce HTTPS only and TLS 1.2. They also configure Access Restrictions to allow traffic only from the corporate office IP range and the company VPN. This setup ensures that only authenticated employees from trusted networks can access the application, and backend connections are secure.
Enterprise Scenario 2: Multi-Tenant SaaS Application
A SaaS provider hosts a customer-facing portal on App Service. They use Azure AD B2C for customer identity management. They configure multiple identity providers (local accounts, Google, Facebook) in B2C and integrate with App Service using OpenID Connect. The App Service authentication module is set to 'Allow anonymous requests' because the app handles routing to different B2C policies based on the URL. The app uses the /.auth/me endpoint to retrieve claims. They also use user-assigned managed identity for each tenant's backend storage account to ensure isolation. Performance considerations: token validation adds latency, so they cache tokens in memory. They also use Azure Front Door for global load balancing and DDoS protection. A common misconfiguration here is not setting the correct redirect URIs in B2C, causing login failures.
Common Pitfalls
Secret Exposure: Developers often hardcode client secrets in app settings or code. Best practice is to use Key Vault references or managed identity. In production, secrets should be rotated every 90 days.
Token Store Disabled: If token store is disabled, the app cannot use refresh tokens or access the /.auth/me endpoint. This breaks scenarios where the app needs to call downstream APIs.
CORS Misconfiguration: Allowing all origins (*) in CORS can lead to data exposure. Always restrict to specific domains.
Ignoring TLS Version: Using TLS 1.0 or 1.1 is a security risk and fails compliance audits. Enforce 1.2 at minimum.
What AZ-500 Tests on This Topic
The exam objectives under Compute Security (Objective 2.1) include: configure authentication for Azure App Services, implement managed identity, configure TLS settings, and configure network access restrictions. Specific skills measured:
Configure App Service authentication (EasyAuth) for different providers.
Enable and use managed identity for secure resource access.
Configure HTTPS and TLS versions.
Implement IP restrictions and VNet integration.
Common Wrong Answers and Why Candidates Choose Them
'You must implement authentication in application code' – Many candidates think EasyAuth is optional and that custom code is required. In reality, EasyAuth can handle authentication entirely, reducing code complexity. The exam expects you to know that EasyAuth is the recommended approach.
'Managed identity requires storing a secret in the app settings' – This is false. Managed identity eliminates the need for secrets entirely. Candidates confuse it with service principal authentication.
'Token store must be disabled for security' – Some believe storing tokens on the server is insecure. In fact, the token store is encrypted and essential for refresh token functionality. Disabling it breaks downstream calls.
'Access Restrictions can only be based on IP addresses' – While IP-based rules are common, VNet and service tag rules are also supported. The exam may test that you can restrict traffic from a specific VNet.
Specific Numbers and Terms That Appear on the Exam
Default refresh token lifetime: 14 days (configurable at identity provider).
Minimum TLS version: 1.2 (commonly required for compliance).
Authentication endpoints: /.auth/login, /.auth/logout, /.auth/me.
Managed identity types: System-assigned (1:1 with resource) and User-assigned (shared).
Access restriction priority: 100-65535, with 100 being highest priority.
Edge Cases and Exceptions
Linux App Service: EasyAuth runs as a sidecar container. Token store is still available but uses a different mechanism.
Function Apps: Same EasyAuth module applies to Azure Functions.
Multiple Authentication Providers: If multiple providers are enabled, the first successful login determines the provider for the session.
Custom OpenID Connect Provider: You can configure any OIDC provider, but you must provide the issuer URL, client ID, and secret.
How to Eliminate Wrong Answers
If a question asks about securing backend connections without credentials, look for managed identity as the answer.
If a question involves token refresh, ensure token store is enabled.
For network security, remember that Access Restrictions can be IP-based or VNet-based.
For TLS, the answer is always 1.2 or higher if compliance is mentioned.
EasyAuth is a built-in authentication module that runs before your app code, requiring no code changes.
Token store must be enabled for automatic token refresh and access to /.auth/me endpoint.
Managed identity allows secure access to Azure resources without storing any credentials.
Enforce HTTPS Only and minimum TLS version 1.2 for compliance and security.
Access Restrictions can filter traffic by IP address, VNet, or service tag.
App Service authentication supports Azure AD, Microsoft, Facebook, Google, Twitter, and generic OpenID Connect.
Default refresh token lifetime is 14 days, configurable at the identity provider.
These come up on the exam all the time. Here's how to tell them apart.
App Service Authentication (EasyAuth)
No code changes required in the app.
Handles token validation, refresh, and session management automatically.
Supports multiple identity providers out of the box.
Runs as a native module, adding minimal latency.
Token store is encrypted and managed by Azure.
Custom Authentication in Application Code
Full control over authentication logic.
Requires implementing token handling, refresh, and storage.
More flexible for custom scenarios (e.g., multi-tenancy).
More development effort and maintenance.
Higher risk of security misconfigurations.
Mistake
EasyAuth only works with Azure AD.
Correct
EasyAuth supports multiple providers: Azure AD, Microsoft Account, Facebook, Google, Twitter, and any OpenID Connect provider.
Mistake
You must write code to handle token refresh.
Correct
EasyAuth automatically refreshes tokens using the refresh token, as long as the token store is enabled.
Mistake
Managed identity requires a client secret to be configured in the app.
Correct
Managed identity eliminates the need for any secrets. Azure automatically manages the identity credentials.
Mistake
Access Restrictions only support IP address rules.
Correct
Access Restrictions also support VNet and service tag rules, allowing you to restrict traffic from specific virtual networks or Azure services.
Mistake
Disabling the token store improves security.
Correct
Disabling the token store prevents token refresh and access to the /.auth/me endpoint, breaking functionality. The token store is encrypted and secure.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
In the Azure portal, go to your App Service, select Authentication, click 'Add identity provider', choose Azure AD (or other), and provide the client ID and secret from an Azure AD app registration. Set the action for unauthenticated requests to 'Log in with Azure AD' or 'Allow anonymous requests'. Save. This enables the EasyAuth module.
System-assigned managed identity is created for a specific resource (e.g., an App Service) and has a 1:1 relationship. It is deleted when the resource is deleted. User-assigned managed identity is a standalone Azure resource that can be assigned to multiple resources. It persists independently. Both provide an identity for your app without secrets.
Yes. You need to configure the custom domain in App Service and update the redirect URIs in the identity provider to include the custom domain, e.g., `https://customdomain.com/.auth/login/aad/callback`. Also ensure SSL/TLS certificate is bound to the custom domain.
Token refresh is automatic when the token store is enabled. The EasyAuth module uses the refresh token stored in the token store to obtain new access tokens before they expire. No code is needed. The refresh token lifetime is typically 14 days, after which the user must re-authenticate.
If the token store is disabled, the App Service will not store tokens. The `/.auth/me` endpoint will not return claims, and automatic token refresh will not work. The user must authenticate on every request if session cookies are not used. This is generally not recommended unless you handle tokens entirely in your application.
Combine authentication with Access Restrictions. First, enable authentication (e.g., Azure AD) and set the unauthenticated action to 'Log in with Azure AD'. Then, under Networking > Access Restrictions, add a rule to allow traffic from the desired IP range and a deny-all rule with lower priority. This ensures only authenticated users from the allowed IPs can access the app.
Yes. In the Authentication settings, you can add multiple identity providers. Users can choose which one to log in with. The first successful login determines the provider for the session. The token store will store tokens from that provider.
You've just covered App Service Security and Authentication — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?