az webapp auth update --excluded-path silently truncates or misparses path value

[vienleidl]

Describe the bug

The az webapp auth update command appears to corrupt the value of --excluded-path.

Specifically, when I provide:
--excluded-path "/health"

the resulting configuration in authsettingsV2 shows:
"excludedPaths": ["healt"]

• The leading slash / is dropped.
• The last character h is also missing.

This causes the exclusion to fail and authentication to be enforced on /health requests, breaking health checks and other unauthenticated probes.

Related command

az webapp auth update `
  --resource-group MyResourceGroup `
  --name my-webapp `
  --enabled true `
  --action RedirectToLoginPage `
  --excluded-path **"/health"**

Errors

N/A

Issue script & Debug output

az webapp auth update `
  --resource-group "xxx" `
  --name xxx `
  --enabled true `
  --action RedirectToLoginPage `
  --excluded-path "/health"

The behavior of this command has been altered by the following extension: authV2

{
  "clearInboundClaimsMapping": "false",
  "globalValidation": {
    **"excludedPaths": [
      "healt"
    ],**
    "redirectToProvider": "azureactivedirectory",
    "requireAuthentication": true,
    "unauthenticatedClientAction": "RedirectToLoginPage"
  },
  "httpSettings": {
    "forwardProxy": {
      "convention": "NoProxy"
    },
    "requireHttps": true,
    "routes": {
      "apiPrefix": "/.auth"
    }
  },
  "identityProviders": {
    "apple": {
      "enabled": true,
      "login": {},
      "registration": {}
    },
    "azureActiveDirectory": {
      "enabled": true,
      "isAutoProvisioned": true,
      "login": {
        "disableWWWAuthenticate": false
      },
      "registration": {
        "clientId": "xxx",
        "openIdIssuer": "https://sts.windows.net/xxx/v2.0"
      },
      "validation": {
        "allowedAudiences": [
          "api://xxx"
        ],
        "defaultAuthorizationPolicy": {
          "allowedPrincipals": {}
        },
        "jwtClaimChecks": {}
      }
    },
    "facebook": {
      "enabled": true,
      "login": {},
      "registration": {}
    },
    "gitHub": {
      "enabled": true,
      "login": {},
      "registration": {}
    },
    "google": {
      "enabled": true,
      "login": {},
      "registration": {},
      "validation": {}
    },
    "legacyMicrosoftAccount": {
      "enabled": true,
      "login": {},
      "registration": {},
      "validation": {}
    },
    "twitter": {
      "enabled": true,
      "registration": {}
    }
  },
  "login": {
    "cookieExpiration": {
      "convention": "FixedTime",
      "timeToExpiration": "08:00:00"
    },
    "nonce": {
      "nonceExpirationInterval": "00:05:00",
      "validateNonce": true
    },
    "preserveUrlFragmentsForLogins": false,
    "routes": {},
    "tokenStore": {
      "azureBlobStorage": {},
      "enabled": true,
      "fileSystem": {},
      "tokenRefreshExtensionHours": 72.0
    }
  },
  "platform": {
    "enabled": true,
    "runtimeVersion": "~1"
  }
}

Expected behavior

The path /health should be correctly set under globalValidation.excludedPaths:

"globalValidation": {
      "requireAuthentication": true,
      "unauthenticatedClientAction": "RedirectToLoginPage",
      "redirectToProvider": "azureactivedirectory",
      "excludedPaths": [
        "/health"
      ]
    },

Environment Summary

{
  "azure-cli": "2.75.0",
  "azure-cli-core": "2.75.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "aks-preview": "4.0.0b4",
    "authV2": "1.0.0",
    "azure-devops": "1.0.1",
    "containerapp": "1.2.0b1"
  }
}

Additional context

• This occurs consistently.
• I am using the authV2 extension.
• I suspect there is a bug in argument parsing or serialization.

[azure-client-tools-bot-prd]

Hi @vienleidl,

2.67.0 is not the latest Azure CLI(2.75.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp, @yutanglin16.

[vienleidl]

Hi @vienleidl,

2.67.0 is not the latest Azure CLI(2.75.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

It still happens on the latest Azure CLI, let me update the issue description.

{
  "azure-cli": "2.75.0",
  "azure-cli-core": "2.75.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "aks-preview": "4.0.0b4",
    "authV2": "1.0.0",
    "azure-devops": "1.0.1",
    "containerapp": "1.2.0b1"
  }
}

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp, @yutanglin16.

[csheldon-kag]

Here is a possible workaround can be performed with leading / trailing spaces similar to:
az webapp auth update -g <your-resource-group --name <your-app-service-name --excluded-paths " /swagger,/swagger/* "

I suspect the problem lies within how the parsing of the string is being handled.

[iyerusad]

I am seeing same issue - az cli both local (latest/just installed) and cloud session mangling the provided data:

PS> az webapp auth update --resource-group mygroup --name myapp --excluded-paths /home/index,/,/About
The behavior of this command has been altered by the following extension: authV2
{
  "clearInboundClaimsMapping": "false",
  "globalValidation": {
    "excludedPaths": [
      "home/index",
      "/",
      "/Abou"
    ],

🎉🎉 Can confirm using " entry1,entry2 " trick mentioned above leads to successful input/workaround:

PS> az webapp auth update --resource-group mygroup --name myapp --excluded-paths " /home/index,/Home/Index,/,/About "
The behavior of this command has been altered by the following extension: authV2
{
  "clearInboundClaimsMapping": "false",
  "globalValidation": {
    "excludedPaths": [
      "/home/index",
      "/Home/Index",
      "/",
      "/About"
    ],
    "redirectToProvider": "azureactivedirectory",

PS> az --version
azure-cli 2.75.0

core 2.75.0
telemetry 1.1.0

Extensions:
authV2 1.0.0

Dependencies:
msal 1.33.0b1
azure-mgmt-resource 23.3.0

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\User.azure'
Extensions directory 'C:\Users\User.azure\cliextensions'

Python (Windows) 3.12.10 (tags/v3.12.10:0cc8128, Apr 8 2025, 12:21:36) [MSC v.1943 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

[DReidFaculty]

Just hit this issue with the authV2 extension enabled.

Line 162 of https://github.com/Azure/azure-cli-extensions/blob/main/src/authV2/azext_authV2/custom.py looks sus:

excluded_paths_list_string = excluded_paths[1:-1]

[twitthoeft-gls]

@DReidFaculty - Yes L162 is sus indeed. Looks like it presume it will be a list [] and is blindly slicing of the first and last chars so that a single string like /health becomes healt. We should check if it is a list first, and only then slice.

One thing I notice, OP said they used excluded-path but the docs say the argument is plurally named excluded-paths

If it always expects a list, perhaps we should just send it a list of one? Pad it with brackets ... --excluded-paths "[/health]"
That feels more natural than padding with spaces " entry1,entry2 "

Longterm, the code should probably be robust enough to accept both.
Anyone opened a PR yet? If the maintainers are willing to import json it shouldn't be too hard. Something like this.

import json


try:
    parsed_paths = json.loads(excluded_paths)
    if isinstance(parsed_paths, list):
        excluded_paths_list = parsed_paths
    else:
        excluded_paths_list = [str(parsed_paths)]
except Exception:
    excluded_paths_list = [excluded_paths]