Azure App Service and Azure Functions offer built-in authentication and authorization, allowing you to sign in users with minimal or no code in your web app, RESTful API, or mobile back end. The feature is built directly into the platform and doesn't require any particular language, library, security expertise, or even any application code to use.
The built-in authentication feature for App Service and Function apps can save you time and effort by providing out-of-the-box authentication with federated identity providers, allowing you to focus on the rest of your application.
This built-in authentication includes:
- Easy activation and configuration via the Azure portal and app settings.
- No need for SDKs, specific languages, or changes to your application code.
- Support for multiple identity providers:
  - Microsoft
  - GitHub
  - Sign in with Apple
  - X
  - Any OpenID Connect provider
When the authentication/authorization module is enabled, every incoming HTTP request is processed through it before reaching your app code. For more details, see Authentication and Authorization in Azure App Service.
Figure 1: Diagram showing the path of incoming HTTP requests
This blog shows you how to configure authentication for Azure App Service and Azure Functions so that your app signs in external users with the Microsoft identity platform (Microsoft Entra External ID) as the authentication provider.
How to enable External ID on your Azure App Service or Function app
Prerequisites
- An external tenant in the Microsoft Entra admin center.
  - If you don't have one, create an external tenant with an Azure subscription.
- The Application Administrator and External ID User Flow Administrator roles in Microsoft Entra.
- The Contributor role on Azure, to create Function apps.
- An existing Function app or Azure App Service.
  - If you don't have one, follow this guide to create your first function app or this training to host a web application with Azure App Service.
1. Choose a tenant for your applications and its users
Now that you have your Function app or Azure App Service, let's set up sign-in for your users. Since we want the app to be available to consumers and business customers, we first need to register it in an external tenant.
- Sign in to the Azure portal and navigate to your function app or Azure App Service.
- On your app's left menu, under Settings, select Authentication, and then select Add identity provider.
- In the Add an identity provider page, select Microsoft as the Identity provider to sign in Microsoft and Microsoft Entra identities.
- For Tenant type, select External configuration for consumers and business customers (external users).
2. Choose the app registration
The Authentication feature can automatically create an app registration for you or you can use a registration that you or a directory admin created separately.
- To create a new app registration, select the Create new app registration option. Select an existing tenant from the drop-down, or select Create new to create a new external tenant.
- To use an existing app registration, select Provide the details of an existing app registration, then enter the Application (client) ID, Client secret, and Issuer URL, which you can find under App registrations > All applications > your app.
The following situations are the most common cases to use an existing app registration:
- Your account doesn't have permissions to create app registrations in your Microsoft Entra tenant.
- You want to use an app registration from a different Microsoft Entra tenant than the one your app is in.
- The option to create a new registration isn't available for government clouds.
3. Configure external authentication
Follow these steps to set up sign-in and customize branding.
- Select Configure to configure external authentication for the new tenant. The browser opens the Configure external authentication page.
- Select a user flow from the drop-down, or select Create new. The user flow defines the sign-in methods your external users can use. Each app can have only one user flow, but you can reuse the same user flow for multiple apps. Click Next.
- On the Customize Branding tab, add your logo and background color, choose Center-align or Right-align for your sign-in page, and click Next.
- Review your configuration and click Configure.
4. Configure additional checks
Configure Additional checks, which determine which requests are allowed to access your application. You can customize this behavior now or adjust these settings later from the main Authentication screen by choosing Edit next to Authentication settings.
For Client application requirement, choose whether to:
- Allow requests only from this application itself
- Allow requests from specific client applications
- Allow requests from any application (Not recommended)
For Identity requirement, choose whether to:
- Allow requests from any identity
- Allow requests from specific identities
For Tenant requirement, choose whether to:
- Allow requests only from the issuer tenant
- Allow requests from specific tenants
- Use default restrictions based on issuer
5. Configure authentication settings
These options determine how your application responds to unauthenticated requests; the default selections redirect all requests to sign in with this new provider. You can customize this behavior now or adjust these settings later from the main Authentication screen by choosing Edit next to Authentication settings. To learn more about these options, see Authentication flow.
For Restrict access, decide whether to:
- Require authentication
- Allow unauthenticated access
For Unauthenticated requests, choose the response:
- HTTP 302 Found redirect: recommended for websites
- HTTP 401 Unauthorized: recommended for APIs
- HTTP 403 Forbidden
- HTTP 404 Not found
Select Token store (recommended). The token store collects, stores, and refreshes tokens for your application. You can disable this later if your app doesn't need tokens or you need to optimize performance.
6. Test your app
After following the above steps, External ID should now be added as an identity provider for your app. To verify that this is now working, navigate to your Function App or Azure App Service. Click Overview > Browse. This will take you straight to the sign-in page. Follow the sign-up process for a new user.
On successful sign-up, this should take you to your app as shown below.
Figure 2: Successful sign-up screen
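Once the module is in front of your app, your code never handles tokens directly: authenticated requests arrive with an `X-MS-CLIENT-PRINCIPAL` header carrying the user's claims as base64-encoded JSON, and requests the module let through unauthenticated (if you chose Allow unauthenticated access in step 5) arrive without it. The following is an added example, not code from the post or from Microsoft, showing how app code can read that header and apply an in-app check that mirrors the Tenant requirement from step 4 as defense in depth; the tenant ID and user values are constructed placeholders, and a plain dict stands in for the request headers.

```python
import base64
import json

# Header the App Service / Functions authentication module adds to requests
# it has authenticated. Tenant ID below is a constructed placeholder.
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL"
EXPECTED_TENANT = "00000000-0000-0000-0000-000000000000"


def decode_principal(headers):
    """Return the claims from X-MS-CLIENT-PRINCIPAL as a dict, or None when the
    header is absent (the module passed the request through unauthenticated)."""
    raw = headers.get(PRINCIPAL_HEADER)
    if not raw:
        return None
    principal = json.loads(base64.b64decode(raw))
    # The header lists claims as [{"typ": ..., "val": ...}, ...]; flatten them.
    return {c["typ"]: c["val"] for c in principal.get("claims", [])}


def authorize(headers, expected_tenant=EXPECTED_TENANT):
    """In-app check: accept only principals issued for our external tenant.
    Returns (allowed, reason_or_display_name)."""
    claims = decode_principal(headers)
    if claims is None:
        return False, "no principal: request was not authenticated"
    if claims.get("tid") != expected_tenant:
        return False, "principal from unexpected tenant"
    return True, claims.get("name", "")


def build_header(claims):
    """Encode a claims dict the way the module does (only used to construct
    sample requests for local testing)."""
    body = {"auth_typ": "aad",
            "claims": [{"typ": k, "val": v} for k, v in claims.items()]}
    return base64.b64encode(json.dumps(body).encode()).decode()


# Constructed sample requests (headers only): a user from our tenant, a user
# from another tenant, and a request that reached the app unauthenticated.
SIGNED_IN = {PRINCIPAL_HEADER: build_header(
    {"tid": EXPECTED_TENANT, "oid": "11111111-1111-1111-1111-111111111111",
     "name": "Alex Example"})}
WRONG_TENANT = {PRINCIPAL_HEADER: build_header(
    {"tid": "22222222-2222-2222-2222-222222222222", "name": "Other User"})}
ANONYMOUS = {}

if __name__ == "__main__":
    for label, req in (("signed-in", SIGNED_IN), ("wrong tenant", WRONG_TENANT),
                       ("anonymous", ANONYMOUS)):
        print(label, authorize(req))
```

In an Azure Functions HTTP trigger, `req.headers.get("x-ms-client-principal")` gives the same value (header names are case-insensitive there).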
Next steps
Continue exploring Microsoft Entra External ID on Azure App Service by checking out the documentation. We have a YouTube playlist on ‘Identity for developers’ that shows you other developer tools integrating External ID.
You can also explore other features in the Microsoft Entra portfolio by visiting our:
- Developer center
- Identity blog
- YouTube for tutorials, deep dives, and the latest news.
Updated Jan 30, 2025 (Version 2.0)
JoylynnKirui, Microsoft
Microsoft Security Blog