Web Apps - Get Auth Settings V2 Without Secrets

Description for Gets site's Authentication / Authorization settings for apps via the V2 format

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/authsettingsV2?api-version=2024-04-01

URI Parameters

Name In Required Type Description
name
path True

string

Name of the app.

resourceGroupName
path True

string

Name of the resource group to which the resource belongs.

Regex pattern: ^[-\w\._\(\)]+[^\.]$

subscriptionId
path True

string

Your Azure subscription ID. This is a GUID-formatted string (e.g. 00000000-0000-0000-0000-000000000000).

api-version
query True

string

API Version

Responses

Name Type Description
200 OK

SiteAuthSettingsV2

OK

Other Status Codes

DefaultErrorResponse

App Service error response.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

List Auth Settings without Secrets

Sample request

GET https://management.azure.com/subscriptions/34adfa4f-cedf-4dc0-ba29-b6d1a69ab345/resourceGroups/testrg123/providers/Microsoft.Web/sites/sitef6141/config/authsettingsV2?api-version=2024-04-01

Sample response

{
  "id": "/subscriptions/34adfa4f-cedf-4dc0-ba29-b6d1a69ab345/resourceGroups/testrg123/providers/Microsoft.Web/sites/sitef6141/config/authsettingsv2",
  "name": "authsettingsv2",
  "type": "Microsoft.Web/sites/authsettingsv2",
  "kind": "app",
  "properties": {
    "platform": {
      "enabled": true,
      "runtimeVersion": "~1",
      "configFilePath": "/auth/config.json"
    },
    "globalValidation": {
      "requireAuthentication": true,
      "unauthenticatedClientAction": "Return403",
      "excludedPaths": [
        "/nosecrets/Path"
      ]
    },
    "identityProviders": {
      "google": {
        "enabled": true,
        "registration": {
          "clientId": "42d795a9-8abb-4d06-8534-39528af40f8e.apps.googleusercontent.com",
          "clientSecretSettingName": "ClientSecret"
        },
        "login": {
          "scopes": [
            "admin"
          ]
        },
        "validation": {
          "allowedAudiences": [
            "https://example.com"
          ]
        }
      }
    },
    "login": {
      "routes": {
        "logoutEndpoint": "https://app.com/logout"
      },
      "tokenStore": {
        "enabled": true,
        "tokenRefreshExtensionHours": 96,
        "fileSystem": {
          "directory": "/wwwroot/sites/example"
        }
      },
      "preserveUrlFragmentsForLogins": true,
      "allowedExternalRedirectUrls": [
        "https://someurl.com"
      ],
      "cookieExpiration": {
        "convention": "IdentityProviderDerived",
        "timeToExpiration": "2022:09-01T00:00Z"
      },
      "nonce": {
        "validateNonce": true
      }
    },
    "httpSettings": {
      "requireHttps": true,
      "routes": {
        "apiPrefix": "/authv2/"
      },
      "forwardProxy": {
        "convention": "Standard",
        "customHostHeaderName": "authHeader",
        "customProtoHeaderName": "customProtoHeader"
      }
    }
  }
}

Definitions

Name Description
AllowedAudiencesValidation

The configuration settings of the Allowed Audiences validation flow.

AllowedPrincipals

The configuration settings of the Azure Active Directory allowed principals.

Apple

The configuration settings of the Apple provider.

AppleRegistration

The configuration settings of the registration for the Apple provider

AppRegistration

The configuration settings of the app registration for providers that have app ids and app secrets

AuthPlatform

The configuration settings of the platform of App Service Authentication/Authorization.

AzureActiveDirectory

The configuration settings of the Azure Active directory provider.

AzureActiveDirectoryLogin

The configuration settings of the Azure Active Directory login flow.

AzureActiveDirectoryRegistration

The configuration settings of the Azure Active Directory app registration.

AzureActiveDirectoryValidation

The configuration settings of the Azure Active Directory token validation flow.

AzureStaticWebApps

The configuration settings of the Azure Static Web Apps provider.

AzureStaticWebAppsRegistration

The configuration settings of the registration for the Azure Static Web Apps provider

BlobStorageTokenStore

The configuration settings of the storage of the tokens if blob storage is used.

ClientCredentialMethod

The method that should be used to authenticate the user.

ClientRegistration

The configuration settings of the app registration for providers that have client ids and client secrets

CookieExpiration

The configuration settings of the session cookie's expiration.

CookieExpirationConvention

The convention used when determining the session cookie's expiration.

CustomOpenIdConnectProvider

The configuration settings of the custom Open ID Connect provider.

DefaultAuthorizationPolicy

The configuration settings of the Azure Active Directory default authorization policy.

DefaultErrorResponse

App Service error response.

Details
Error

Error model.

Facebook

The configuration settings of the Facebook provider.

FileSystemTokenStore

The configuration settings of the storage of the tokens if a file system is used.

ForwardProxy

The configuration settings of a forward proxy used to make the requests.

ForwardProxyConvention

The convention used to determine the url of the request made.

GitHub

The configuration settings of the GitHub provider.

GlobalValidation

The configuration settings that determines the validation flow of users using App Service Authentication/Authorization.

Google

The configuration settings of the Google provider.

HttpSettings

The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization.

HttpSettingsRoutes

The configuration settings of the paths HTTP requests.

IdentityProviders

The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization.

JwtClaimChecks

The configuration settings of the checks that should be made while validating the JWT Claims.

LegacyMicrosoftAccount

The configuration settings of the legacy Microsoft Account provider.

Login

The configuration settings of the login flow of users using App Service Authentication/Authorization.

LoginRoutes

The routes that specify the endpoints used for login and logout requests.

LoginScopes

The configuration settings of the login flow, including the scopes that should be requested.

Nonce

The configuration settings of the nonce used in the login flow.

OpenIdConnectClientCredential

The authentication client credentials of the custom Open ID Connect provider.

OpenIdConnectConfig

The configuration settings of the endpoints used for the custom Open ID Connect provider.

OpenIdConnectLogin

The configuration settings of the login flow of the custom Open ID Connect provider.

OpenIdConnectRegistration

The configuration settings of the app registration for the custom Open ID Connect provider.

SiteAuthSettingsV2

Configuration settings for the Azure App Service Authentication / Authorization V2 feature.

TokenStore

The configuration settings of the token store.

Twitter

The configuration settings of the Twitter provider.

TwitterRegistration

The configuration settings of the app registration for the Twitter provider.

UnauthenticatedClientActionV2

The action to take when an unauthenticated client attempts to access the app.

AllowedAudiencesValidation

The configuration settings of the Allowed Audiences validation flow.

Name Type Description
allowedAudiences

string[]

The configuration settings of the allowed list of audiences from which to validate the JWT token.

AllowedPrincipals

The configuration settings of the Azure Active Directory allowed principals.

Name Type Description
groups

string[]

The list of the allowed groups.

identities

string[]

The list of the allowed identities.

Apple

The configuration settings of the Apple provider.

Name Type Description
enabled

boolean

false if the Apple provider should not be enabled despite the set registration; otherwise, true.

login

LoginScopes

The configuration settings of the login flow.

registration

AppleRegistration

The configuration settings of the Apple registration.

AppleRegistration

The configuration settings of the registration for the Apple provider

Name Type Description
clientId

string

The Client ID of the app used for login.

clientSecretSettingName

string

The app setting name that contains the client secret.

AppRegistration

The configuration settings of the app registration for providers that have app ids and app secrets

Name Type Description
appId

string

The App ID of the app used for login.

appSecretSettingName

string

The app setting name that contains the app secret.

AuthPlatform

The configuration settings of the platform of App Service Authentication/Authorization.

Name Type Description
configFilePath

string

The path of the config file containing auth settings if they come from a file. If the path is relative, base will the site's root directory.

enabled

boolean

true if the Authentication / Authorization feature is enabled for the current app; otherwise, false.

runtimeVersion

string

The RuntimeVersion of the Authentication / Authorization feature in use for the current app. The setting in this value can control the behavior of certain features in the Authentication / Authorization module.

AzureActiveDirectory

The configuration settings of the Azure Active directory provider.

Name Type Description
enabled

boolean

false if the Azure Active Directory provider should not be enabled despite the set registration; otherwise, true.

isAutoProvisioned

boolean

Gets a value indicating whether the Azure AD configuration was auto-provisioned using 1st party tooling. This is an internal flag primarily intended to support the Azure Management Portal. Users should not read or write to this property.

login

AzureActiveDirectoryLogin

The configuration settings of the Azure Active Directory login flow.

registration

AzureActiveDirectoryRegistration

The configuration settings of the Azure Active Directory app registration.

validation

AzureActiveDirectoryValidation

The configuration settings of the Azure Active Directory token validation flow.

AzureActiveDirectoryLogin

The configuration settings of the Azure Active Directory login flow.

Name Type Description
disableWWWAuthenticate

boolean

true if the www-authenticate provider should be omitted from the request; otherwise, false.

loginParameters

string[]

Login parameters to send to the OpenID Connect authorization endpoint when a user logs in. Each parameter must be in the form "key=value".

AzureActiveDirectoryRegistration

The configuration settings of the Azure Active Directory app registration.

Name Type Description
clientId

string

The Client ID of this relying party application, known as the client_id. This setting is required for enabling OpenID Connection authentication with Azure Active Directory or other 3rd party OpenID Connect providers. More information on OpenID Connect: http://openid.net/specs/openid-connect-core-1_0.html

clientSecretCertificateIssuer

string

An alternative to the client secret thumbprint, that is the issuer of a certificate used for signing purposes. This property acts as a replacement for the Client Secret Certificate Thumbprint. It is also optional.

clientSecretCertificateSubjectAlternativeName

string

An alternative to the client secret thumbprint, that is the subject alternative name of a certificate used for signing purposes. This property acts as a replacement for the Client Secret Certificate Thumbprint. It is also optional.

clientSecretCertificateThumbprint

string

An alternative to the client secret, that is the thumbprint of a certificate used for signing purposes. This property acts as a replacement for the Client Secret. It is also optional.

clientSecretSettingName

string

The app setting name that contains the client secret of the relying party application.

openIdIssuer

string

The OpenID Connect Issuer URI that represents the entity which issues access tokens for this application. When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://login.microsoftonline.com/v2.0/{tenant-guid}/. This URI is a case-sensitive identifier for the token issuer. More information on OpenID Connect Discovery: http://openid.net/specs/openid-connect-discovery-1_0.html

AzureActiveDirectoryValidation

The configuration settings of the Azure Active Directory token validation flow.

Name Type Description
allowedAudiences

string[]

The list of audiences that can make successful authentication/authorization requests.

defaultAuthorizationPolicy

DefaultAuthorizationPolicy

The configuration settings of the default authorization policy.

jwtClaimChecks

JwtClaimChecks

The configuration settings of the checks that should be made while validating the JWT Claims.

AzureStaticWebApps

The configuration settings of the Azure Static Web Apps provider.

Name Type Description
enabled

boolean

false if the Azure Static Web Apps provider should not be enabled despite the set registration; otherwise, true.

registration

AzureStaticWebAppsRegistration

The configuration settings of the Azure Static Web Apps registration.

AzureStaticWebAppsRegistration

The configuration settings of the registration for the Azure Static Web Apps provider

Name Type Description
clientId

string

The Client ID of the app used for login.

BlobStorageTokenStore

The configuration settings of the storage of the tokens if blob storage is used.

Name Type Description
sasUrlSettingName

string

The name of the app setting containing the SAS URL of the blob storage containing the tokens.

ClientCredentialMethod

The method that should be used to authenticate the user.

Name Type Description
ClientSecretPost

string

ClientRegistration

The configuration settings of the app registration for providers that have client ids and client secrets

Name Type Description
clientId

string

The Client ID of the app used for login.

clientSecretSettingName

string

The app setting name that contains the client secret.

CookieExpiration

The configuration settings of the session cookie's expiration.

Name Type Description
convention

CookieExpirationConvention

The convention used when determining the session cookie's expiration.

timeToExpiration

string

The time after the request is made when the session cookie should expire.

CookieExpirationConvention

The convention used when determining the session cookie's expiration.

Name Type Description
FixedTime

string

IdentityProviderDerived

string

CustomOpenIdConnectProvider

The configuration settings of the custom Open ID Connect provider.

Name Type Description
enabled

boolean

false if the custom Open ID provider provider should not be enabled; otherwise, true.

login

OpenIdConnectLogin

The configuration settings of the login flow of the custom Open ID Connect provider.

registration

OpenIdConnectRegistration

The configuration settings of the app registration for the custom Open ID Connect provider.

DefaultAuthorizationPolicy

The configuration settings of the Azure Active Directory default authorization policy.

Name Type Description
allowedApplications

string[]

The configuration settings of the Azure Active Directory allowed applications.

allowedPrincipals

AllowedPrincipals

The configuration settings of the Azure Active Directory allowed principals.

DefaultErrorResponse

App Service error response.

Name Type Description
error

Error

Error model.

Details

Name Type Description
code

string

Standardized string to programmatically identify the error.

message

string

Detailed error description and debugging information.

target

string

Detailed error description and debugging information.

Error

Error model.

Name Type Description
code

string

Standardized string to programmatically identify the error.

details

Details[]

Detailed errors.

innererror

string

More information to debug error.

message

string

Detailed error description and debugging information.

target

string

Detailed error description and debugging information.

Facebook

The configuration settings of the Facebook provider.

Name Type Description
enabled

boolean

false if the Facebook provider should not be enabled despite the set registration; otherwise, true.

graphApiVersion

string

The version of the Facebook api to be used while logging in.

login

LoginScopes

The configuration settings of the login flow.

registration

AppRegistration

The configuration settings of the app registration for the Facebook provider.

FileSystemTokenStore

The configuration settings of the storage of the tokens if a file system is used.

Name Type Description
directory

string

The directory in which the tokens will be stored.

ForwardProxy

The configuration settings of a forward proxy used to make the requests.

Name Type Description
convention

ForwardProxyConvention

The convention used to determine the url of the request made.

customHostHeaderName

string

The name of the header containing the host of the request.

customProtoHeaderName

string

The name of the header containing the scheme of the request.

ForwardProxyConvention

The convention used to determine the url of the request made.

Name Type Description
Custom

string

NoProxy

string

Standard

string

GitHub

The configuration settings of the GitHub provider.

Name Type Description
enabled

boolean

false if the GitHub provider should not be enabled despite the set registration; otherwise, true.

login

LoginScopes

The configuration settings of the login flow.

registration

ClientRegistration

The configuration settings of the app registration for the GitHub provider.

GlobalValidation

The configuration settings that determines the validation flow of users using App Service Authentication/Authorization.

Name Type Description
excludedPaths

string[]

The paths for which unauthenticated flow would not be redirected to the login page.

redirectToProvider

string

The default authentication provider to use when multiple providers are configured. This setting is only needed if multiple providers are configured and the unauthenticated client action is set to "RedirectToLoginPage".

requireAuthentication

boolean

true if the authentication flow is required any request is made; otherwise, false.

unauthenticatedClientAction

UnauthenticatedClientActionV2

The action to take when an unauthenticated client attempts to access the app.

Google

The configuration settings of the Google provider.

Name Type Description
enabled

boolean

false if the Google provider should not be enabled despite the set registration; otherwise, true.

login

LoginScopes

The configuration settings of the login flow.

registration

ClientRegistration

The configuration settings of the app registration for the Google provider.

validation

AllowedAudiencesValidation

The configuration settings of the Azure Active Directory token validation flow.

HttpSettings

The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization.

Name Type Description
forwardProxy

ForwardProxy

The configuration settings of a forward proxy used to make the requests.

requireHttps

boolean

false if the authentication/authorization responses not having the HTTPS scheme are permissible; otherwise, true.

routes

HttpSettingsRoutes

The configuration settings of the paths HTTP requests.

HttpSettingsRoutes

The configuration settings of the paths HTTP requests.

Name Type Description
apiPrefix

string

The prefix that should precede all the authentication/authorization paths.

IdentityProviders

The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization.

Name Type Description
apple

Apple

The configuration settings of the Apple provider.

azureActiveDirectory

AzureActiveDirectory

The configuration settings of the Azure Active directory provider.

azureStaticWebApps

AzureStaticWebApps

The configuration settings of the Azure Static Web Apps provider.

customOpenIdConnectProviders

<string,  CustomOpenIdConnectProvider>

The map of the name of the alias of each custom Open ID Connect provider to the configuration settings of the custom Open ID Connect provider.

facebook

Facebook

The configuration settings of the Facebook provider.

gitHub

GitHub

The configuration settings of the GitHub provider.

google

Google

The configuration settings of the Google provider.

legacyMicrosoftAccount

LegacyMicrosoftAccount

The configuration settings of the legacy Microsoft Account provider.

twitter

Twitter

The configuration settings of the Twitter provider.

JwtClaimChecks

The configuration settings of the checks that should be made while validating the JWT Claims.

Name Type Description
allowedClientApplications

string[]

The list of the allowed client applications.

allowedGroups

string[]

The list of the allowed groups.

LegacyMicrosoftAccount

The configuration settings of the legacy Microsoft Account provider.

Name Type Description
enabled

boolean

false if the legacy Microsoft Account provider should not be enabled despite the set registration; otherwise, true.

login

LoginScopes

The configuration settings of the login flow.

registration

ClientRegistration

The configuration settings of the app registration for the legacy Microsoft Account provider.

validation

AllowedAudiencesValidation

The configuration settings of the legacy Microsoft Account provider token validation flow.

Login

The configuration settings of the login flow of users using App Service Authentication/Authorization.

Name Type Description
allowedExternalRedirectUrls

string[]

External URLs that can be redirected to as part of logging in or logging out of the app. Note that the query string part of the URL is ignored. This is an advanced setting typically only needed by Windows Store application backends. Note that URLs within the current domain are always implicitly allowed.

cookieExpiration

CookieExpiration

The configuration settings of the session cookie's expiration.

nonce

Nonce

The configuration settings of the nonce used in the login flow.

preserveUrlFragmentsForLogins

boolean

true if the fragments from the request are preserved after the login request is made; otherwise, false.

routes

LoginRoutes

The routes that specify the endpoints used for login and logout requests.

tokenStore

TokenStore

The configuration settings of the token store.

LoginRoutes

The routes that specify the endpoints used for login and logout requests.

Name Type Description
logoutEndpoint

string

The endpoint at which a logout request should be made.

LoginScopes

The configuration settings of the login flow, including the scopes that should be requested.

Name Type Description
scopes

string[]

A list of the scopes that should be requested while authenticating.

Nonce

The configuration settings of the nonce used in the login flow.

Name Type Description
nonceExpirationInterval

string

The time after the request is made when the nonce should expire.

validateNonce

boolean

false if the nonce should not be validated while completing the login flow; otherwise, true.

OpenIdConnectClientCredential

The authentication client credentials of the custom Open ID Connect provider.

Name Type Description
clientSecretSettingName

string

The app setting that contains the client secret for the custom Open ID Connect provider.

method

ClientCredentialMethod

The method that should be used to authenticate the user.

OpenIdConnectConfig

The configuration settings of the endpoints used for the custom Open ID Connect provider.

Name Type Description
authorizationEndpoint

string

The endpoint to be used to make an authorization request.

certificationUri

string

The endpoint that provides the keys necessary to validate the token.

issuer

string

The endpoint that issues the token.

tokenEndpoint

string

The endpoint to be used to request a token.

wellKnownOpenIdConfiguration

string

The endpoint that contains all the configuration endpoints for the provider.

OpenIdConnectLogin

The configuration settings of the login flow of the custom Open ID Connect provider.

Name Type Description
nameClaimType

string

The name of the claim that contains the users name.

scopes

string[]

A list of the scopes that should be requested while authenticating.

OpenIdConnectRegistration

The configuration settings of the app registration for the custom Open ID Connect provider.

Name Type Description
clientCredential

OpenIdConnectClientCredential

The authentication credentials of the custom Open ID Connect provider.

clientId

string

The client id of the custom Open ID Connect provider.

openIdConnectConfiguration

OpenIdConnectConfig

The configuration settings of the endpoints used for the custom Open ID Connect provider.

SiteAuthSettingsV2

Configuration settings for the Azure App Service Authentication / Authorization V2 feature.

Name Type Description
id

string

Resource Id.

kind

string

Kind of resource.

name

string

Resource Name.

properties.globalValidation

GlobalValidation

The configuration settings that determines the validation flow of users using App Service Authentication/Authorization.

properties.httpSettings

HttpSettings

The configuration settings of the HTTP requests for authentication and authorization requests made against App Service Authentication/Authorization.

properties.identityProviders

IdentityProviders

The configuration settings of each of the identity providers used to configure App Service Authentication/Authorization.

properties.login

Login

The configuration settings of the login flow of users using App Service Authentication/Authorization.

properties.platform

AuthPlatform

The configuration settings of the platform of App Service Authentication/Authorization.

type

string

Resource type.

TokenStore

The configuration settings of the token store.

Name Type Description
azureBlobStorage

BlobStorageTokenStore

The configuration settings of the storage of the tokens if blob storage is used.

enabled

boolean

true to durably store platform-specific security tokens that are obtained during login flows; otherwise, false. The default is false.

fileSystem

FileSystemTokenStore

The configuration settings of the storage of the tokens if a file system is used.

tokenRefreshExtensionHours

number

The number of hours after session token expiration that a session token can be used to call the token refresh API. The default is 72 hours.

Twitter

The configuration settings of the Twitter provider.

Name Type Description
enabled

boolean

false if the Twitter provider should not be enabled despite the set registration; otherwise, true.

registration

TwitterRegistration

The configuration settings of the app registration for the Twitter provider.

TwitterRegistration

The configuration settings of the app registration for the Twitter provider.

Name Type Description
consumerKey

string

The OAuth 1.0a consumer key of the Twitter application used for sign-in. This setting is required for enabling Twitter Sign-In. Twitter Sign-In documentation: https://dev.twitter.com/web/sign-in

consumerSecretSettingName

string

The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in.

UnauthenticatedClientActionV2

The action to take when an unauthenticated client attempts to access the app.

Name Type Description
AllowAnonymous

string

RedirectToLoginPage

string

Return401

string

Return403

string