Today, we’re excited to announce the public preview of an improved configuration experience when using Microsoft Entra External ID as an identity provider for Azure App Service’s built-in authentication, simplifying authentication and authorization for external-facing apps so you can focus on your application’s core features.
Implementing a secure solution for authentication (signing in users) and authorization (providing access to secure data and resources) can take significant effort. You should make sure to follow industry best practices and keep your implementation up to date. The built-in authentication feature for Azure App Service and Azure Functions can save you time and effort by providing out-of-the-box authentication with a range of identity providers, allowing you to focus on the rest of your application.
A streamlined setup for External ID
Previously it was necessary to configure the external tenant before completing the App Service authentication configuration. This involved multiple steps:
- Register an app to establish a trust relationship between the App Service app and External ID, specify the redirect URI, generate a unique client ID, and configure a client secret.
- Create a user flow to define the sign-up and sign-in experience.
- Associate the app with the user flow so that it is used to authenticate app users.
- Optionally customize branding so that the sign-in experience for all the apps in your tenant matches the look and feel of your organization.
- Copy and paste values from multiple portal screens, and manually construct the issuer URL.
If you did any of these steps incorrectly, it was hard to debug, and you’d likely need to repeat the setup from scratch.
Now, you can complete this configuration directly from the App Service authentication setup without switching into the external tenant. We have created a guided wizard to create an app registration, user flow, and branding configuration for you, so you do not need to jump between multiple portal screens. Input is either automated or validated to avoid wasted effort or errors. The whole setup now takes minutes instead of hours.
When to use App Service built-in authentication
Use built-in authentication to restrict access to your web app or API running in App Service, when:
- You want less code to own and manage.
- Your app’s language and SDKs don’t provide user sign-in or authorization.
- You don’t have the ability to modify your app code (for example, when migrating legacy apps).
- You need to handle authentication through configuration and not code.
You can read more about other authentication solutions available and when to use them in the App Service documentation.
Get started today
For comprehensive, step-by-step instructions on how to get started with App Service and External ID, check out the quickstart guide.
To learn more or test out other features in the Microsoft Entra portfolio, visit our developer center. Sign up for email updates on the Identity blog for more insights and to keep up with the latest on all things Identity, and follow us on YouTube for video overviews, tutorials, and deep dives.
We value your input
Our vision for the External ID integration with Azure App Service doesn’t stop here. We are dedicated to enhancing Microsoft security and identity products and your feedback will drive our innovation. Tell us what you think about the enhancements in this blog post, or join our research panel to receive occasional invitations to future studies.
Is this the process one would use for authentication on a Power Pages site?
No, but you can set up Microsoft Entra External ID as an OpenID Connect provider in Power Pages, more details: https://learn.microsoft.com/en-us/power-pages/security/authentication/openid-settings
It’s rare to see Entra External ID in the wild. Any news on general availability date?
In case you didn’t see the announcement, Microsoft Entra External ID will GA on May 15, more details in this blog: https://devblogs.microsoft.com/identity/external-id-ga/
The Microsoft Entra External ID GA date has not been announced yet, but you can subscribe below to stay informed of the latest news.
Is it possible to protect only specific pages?
Yes, App Service can be used for authentication with or without restricting access to your site content and APIs; however, you will have to write code to customize this. More details are available in the documentation: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization#considerations-for-using-built-in-authentication
You may also find the excluded paths configuration option useful if you’re able to do file-based configuration: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-file-based#configuration-file-reference