You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/app-service/app-service-authentication-how-to.md
+53-5Lines changed: 53 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,14 +4,14 @@ description: Shows how to customize authentication and authorization in App Serv
4
4
services: app-service
5
5
documentationcenter: ''
6
6
author: cephalin
7
-
manager: cfowler
7
+
manager: gwallace
8
8
editor: ''
9
9
10
10
ms.service: app-service
11
11
ms.workload: mobile
12
12
ms.tgt_pltfrm: na
13
13
ms.topic: article
14
-
ms.date: 11/08/2018
14
+
ms.date: 09/02/2019
15
15
ms.author: cephalin
16
16
ms.custom: seodec18
17
17
---
@@ -126,7 +126,7 @@ When using fully qualified URLs, the URL must be either hosted in the same domai
126
126
GET /.auth/logout?post_logout_redirect_uri=https%3A%2F%2Fmyexternalurl.com
127
127
```
128
128
129
-
You must run the following command in the [Azure Cloud Shell](../cloud-shell/quickstart.md):
129
+
Run the following command in the [Azure Cloud Shell](../cloud-shell/quickstart.md):
130
130
131
131
```azurecli-interactive
132
132
az webapp auth update --name <app_name> --resource-group <group_name> --allowed-external-redirect-urls "https://myexternalurl.com"
@@ -193,7 +193,7 @@ When your provider's access token (not the [session token](#extend-session-token
193
193
194
194
Once your provider is configured, you can [find the refresh token and the expiration time for the access token](#retrieve-tokens-in-app-code) in the token store.
195
195
196
-
To refresh your access token at anytime, just call `/.auth/refresh` in any language. The following snippet uses jQuery to refresh your access tokens from a JavaScript client.
196
+
To refresh your access token at any time, just call `/.auth/refresh` in any language. The following snippet uses jQuery to refresh your access tokens from a JavaScript client.
Both Microsoft Account and Azure Active Directory lets you sign in from multiple domains. For example, Microsoft Account allows _outlook.com_, _live.com_, and _hotmail.com_ accounts. Azure Active Directory allows any number of custom domains for the sign-in accounts. This behavior may be undesirable for an internal app, which you don't want anyone with an _outlook.com_ account to access. To limit the domain name of the sign-in accounts, follow these steps.
229
+
Both Microsoft Account and Azure Active Directory lets you sign in from multiple domains. For example, Microsoft Account allows _outlook.com_, _live.com_, and _hotmail.com_ accounts. Azure AD allows any number of custom domains for the sign-in accounts. However, you may want to accelerate your users straight to your own branded Azure AD sign-in page (such as `contoso.com`). To suggest the domain name of the sign-in accounts, follow these steps.
This setting appends the `domain_hint` query string parameter to the login redirect URL.
240
+
241
+
> [!IMPORTANT]
242
+
> It's possible for the client to remove the `domain_hint` parameter after receiving the redirect URL, and then login with a different domain. So while this function is convenient, it's not a security feature.
243
+
>
244
+
245
+
## Authorize or deny users
246
+
247
+
While App Service takes care of the simplest authorization case (i.e. reject unauthenticated requests), your app may require more fine-grained authorization behavior, such as limiting access to only a specific group of users. In certain cases, you need to write custom application code to allow or deny access to the signed-in user. In other cases, App Service or your identity provider may be able to help without requiring code changes.
For any Windows app, you can define authorization behavior of the IIS web server, by editing the *Web.config* file. Linux apps don't use IIS and can't be configured through *Web.config*.
256
+
257
+
1. Navigate to `https://<app-name>.scm.azurewebsites.net/DebugConsole`
258
+
259
+
1. In the browser explorer of your App Service files, navigate to *site/wwwroot*. If a *Web.config* doesn't exist, create it by selecting **+** > **New File**.
260
+
261
+
1. Select the pencil for *Web.config* to edit it. Add the following configuration code and click **Save**. If *Web.config* already exists, just add the `<authorization>` element with everything in it. Add the accounts you want to allow in the `<allow>` element.
The identity provider may provide certain turn-key authorization. For example:
278
+
279
+
- For [Azure App Service](configure-authentication-provider-aad.md), you can [manage enterprise-level access](../active-directory/manage-apps/what-is-access-management.md) directly in Azure AD. For instructions, see [How to remove a user's access to an application](../active-directory/manage-apps/methods-for-removing-user-access.md).
280
+
- For [Google](configure-authentication-provider-google.md), Google API projects that belong to an [organization](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#organizations) can be configured to allow access only to users in your organization (see [Google's **Setting up OAuth 2.0** support page](https://support.google.com/cloud/answer/6158849?hl=en)).
281
+
282
+
### Application level
283
+
284
+
If either of the other levels don't provide the authorization you need, or if your platform or identity provider isn't supported, you must write custom code to authorize users based on the [user claims](#access-user-claims).
0 commit comments