diff --git a/README.md b/README.md
index 42e5626b..491cc564 100644
--- a/README.md
+++ b/README.md
@@ -136,4 +136,69 @@ export default {
 })
 }
 };
-```
\ No newline at end of file
+```
+
+### allowedRoles
+
+An array of strings containing the roles allowed to access the app. For e.g. if the app needs to be restrictied it's possible to use a [custom role](https://docs.microsoft.com/en-us/azure/static-web-apps/authentication-authorization). *Notice* this only supports securing the complete app. If specific routes should be secured it's best to implement custom authentication within the app itself.
+
+```js
+export default {
+ kit: {
+ ...
+ adapter: azure({
+ allowedRoles: ['authenticated'],
+ customStaticWebAppConfig: {
+ routes: [
+ {
+ route: "/.auth/login/facebook",
+ statusCode: 404
+ },
+ {
+ route: "/.auth/login/github",
+ statusCode: 404
+ },
+ {
+ route: "/.auth/login/google",
+ statusCode: 404
+ },
+ {
+ route: "/.auth/login/twitter",
+ statusCode: 404
+ },
+ {
+ route: "/.auth/*",
+ allowedRoles: [
+ "anonymous"
+ ]
+ },
+ {
+ route: '/login',
+ allowedRoles: [
+ "anonymous"
+ ],
+ rewrite: "/.auth/login/aad",
+ }
+ ],
+ responseOverrides: {
+ '401': {
+ 'redirect': '/login',
+ 'statusCode': 302
+ }
+ },
+ auth: {
+ identityProviders: {
+ azureActiveDirectory: {
+ registration: {
+ openIdIssuer: "AAD_ISSUER",
+ clientIdSettingName: "AAD_CLIENT_ID",
+ clientSecretSettingName: "AAD_CLIENT_SECRET"
+ }
+ }
+ }
+ }
+ }
+ })
+ }
+}
+```
diff --git a/index.d.ts b/index.d.ts
index ab0bc77e..cafa9e6a 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -6,6 +6,7 @@ type Options = {
 debug?: boolean;
 customStaticWebAppConfig?: CustomStaticWebAppConfig;
 esbuildOptions?: Pick;
+ allowedRoles?: string[];
 };
 
 export default function plugin(options?: Options): Adapter;
diff --git a/index.js b/index.js
index 9ed22392..93a1a620 100644
--- a/index.js
+++ b/index.js
@@ -28,7 +28,8 @@ function validateCustomConfig(config) {
 export default function ({
 debug = false,
 customStaticWebAppConfig = {},
- esbuildOptions = {}
+ esbuildOptions = {},
+ allowedRoles = ['anonymous']
 } = {}) {
 return {
 name: 'adapter-azure-swa',
@@ -48,13 +49,15 @@ export default function ({
 {
 route: '*',
 methods: ['POST', 'PUT', 'DELETE'],
- rewrite: ssrFunctionRoute
+ rewrite: ssrFunctionRoute,
+ allowedRoles: allowedRoles
 },
 {
 route: `/${builder.config.kit.appDir}/immutable/*`,
 headers: {
 'cache-control': 'public, immutable, max-age=31536000'
- }
+ },
+ allowedRoles: allowedRoles
 }
 ],
 navigationFallback: {
@@ -130,15 +133,24 @@ export default function ({
 swaConfig.routes.push(
 {
 route: '/index.html',
- rewrite: ssrFunctionRoute
+ rewrite: ssrFunctionRoute,
+ allowedRoles: allowedRoles
 },
 {
 route: '/',
- rewrite: ssrFunctionRoute
+ rewrite: ssrFunctionRoute,
+ allowedRoles: allowedRoles
 }
 );
 }
 
+ swaConfig.routes.push(
+ {
+ route: '*',
+ allowedRoles: allowedRoles
+ }
+ );
+
 writeFileSync(`${publish}/staticwebapp.config.json`, JSON.stringify(swaConfig));
 }
 };
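Review bot: `allowedRoles` is destructured in the `@@ -28,7 +28,8 @@` hunk and then copied into every generated route with no check on its shape, so a bare string (`allowedRoles: 'authenticated'`) or an empty array is written to `staticwebapp.config.json` unchanged. Since this option is the access-control gate for the whole app, a malformed value should fail the build rather than yield a config whose effect depends on how Static Web Apps interprets it. I would reject it up front, alongside the existing custom-config validation: `if (!Array.isArray(allowedRoles) || allowedRoles.length === 0 || !allowedRoles.every((r) => typeof r === 'string')) throw new Error('allowedRoles must be a non-empty array of role names');`. The adapter function continues outside this hunk, so where `validateCustomConfig` is actually called is not visible here.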
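Review bot: The catch-all `{ route: '*', allowedRoles }` pushed at the end of the `@@ -130,15 +133,24 @@` hunk only governs requests that no earlier rule matched, because Static Web Apps stops at the first matching route. A route supplied through `customStaticWebAppConfig.routes` without its own `allowedRoles` (one that only sets headers, say) would presumably match first and stay outside the restriction; the merge of custom routes happens outside this hunk, so that should be confirmed. I would state the ordering dependency next to the push, e.g. `// Must stay last: first match wins, so an earlier route without allowedRoles is not covered by this restriction`, and repeat the caveat in the README section. A test asserting that every adapter-generated entry in `swaConfig.routes` carries `allowedRoles`, and that pages served through `navigationFallback` are covered as well, would pin the behaviour. The repeated `allowedRoles: allowedRoles` here and in the `@@ -48,13 +49,15 @@` hunk can use the shorthand `allowedRoles`.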