Easy authentication with Azure App Service and Microsoft Entra External ID

Katherine Legg

Today, we’re excited to announce the public preview of an improved configuration experience when using Microsoft Entra External ID as an identity provider for Azure App Service’s built-in authentication, simplifying authentication and authorization for external-facing apps so you can focus on your application’s core features.

Implementing a secure solution for authentication (signing-in users) and authorization (providing access to secure data and resources) can take significant effort. You should make sure to follow industry best practices and keep your implementation up to date. The built-in authentication feature for Azure App Service and Azure Functions can save you time and effort by providing out-of-the-box authentication with a range of identity providers, allowing you to focus on the rest of your application.

A streamlined setup for External ID

Previously it was necessary to configure the external tenant before completing the App Service authentication configuration. This involved multiple steps:

  1. Register an app to establish a trust relationship between the App Service app and External ID, specify the redirect URI, generate a unique client ID, and configure a client secret.
  2. Create a user flow to define the sign-up and sign-in experience.
  3. Associate the app with the user flow so that it is used to authenticate app users.
  4. Optionally customize branding so that the sign-in experience for all the apps in your tenant matches the look and feel of your organization.
  5. Copy and paste values from multiple portal screens, and manually construct the issuer URL.

If you did any of these steps incorrectly, it was hard to debug, and you’d likely need to repeat the setup from scratch.

Now, you can complete this configuration directly from the App Service authentication setup without switching into the external tenant. We have created a guided wizard to create an app registration, user flow, and branding configuration for you, so you do not need to jump between multiple portal screens. Input is either automated or validated to avoid wasted effort or errors. The whole setup now takes minutes instead of hours, as shown in this demo video:

When to use App Service built-in authentication

Use built-in authentication to restrict access to your web app or API running in App Service, when:

  • You want less code to own and manage.
  • Your app’s language and SDKs don’t provide user sign-in or authorization.
  • You don’t have the ability to modify your app code (for example, when migrating legacy apps).
  • You need to handle authentication through configuration and not code.

You can read more about other authentication solutions available and when to use them in the App Service documentation.

Get started today

For comprehensive, step-by-step instructions on how to get started with App Service and External ID, check out the quickstart guide.

To learn more or test out other features in the Microsoft Entra portfolio, visit our developer center. Sign up for email updates on the Identity blog for more insights and to keep up with the latest on all things Identity, and follow us on YouTube for video overviews, tutorials, and deep dives.

We value your input

Our vision for the External ID integration with Azure App Service doesn’t stop here. We are dedicated to enhancing Microsoft security and identity products and your feedback will drive our innovation. Tell us what you think about the enhancements in this blog post, or join our research panel to receive occasional invitations to future studies.


Leave a comment

Feedback usabilla icon