Deploying Web Apps with Azure App Services: A Complete Beginner's Guide

📘 Chapter 4: Security, Authentication, and Access Control

🔍 Overview

When hosting web applications in the cloud, security must be a top priority. Microsoft Azure App Services provides powerful built-in features to help secure your apps, control access, and protect sensitive information—all without needing to reinvent the wheel.

This chapter explores key areas of Azure App Service security, including HTTPS enforcement, authentication providers, custom authorization, securing app settings, and integrating Azure Active Directory (AAD). You'll also learn how to protect access using Role-Based Access Control (RBAC), configure identity providers, and set network restrictions.

🔐 1. Enabling HTTPS and SSL for Secure Traffic

✅ Why HTTPS Matters

• Encrypts traffic between users and your app
• Protects against man-in-the-middle (MITM) attacks
• Required for most modern browser features and SEO benefits

🔧 How to Enforce HTTPS

bash

az webapp update \

  --name mywebapp \

  --resource-group MyResourceGroup \

  --set httpsOnly=true

You can also configure this in the Azure Portal → App Settings → TLS/SSL Settings.

🧾 SSL Certificates in Azure App Services

Custom domains require binding the domain to an SSL cert via TLS/SSL → Bindings.

👥 2. Built-in Authentication and Authorization (EasyAuth)

Azure App Services provides EasyAuth, a no-code authentication layer.

✅ Supported Identity Providers

🔧 Enable EasyAuth via Azure CLI

bash

az webapp auth update \

  --name mywebapp \

  --resource-group MyResourceGroup \

  --enabled true \

  --action LoginWithAzureActiveDirectory

📄 Example Policy: Require Login for All Routes

json

{

  "unauthenticatedClientAction": "RedirectToLoginPage",

  "defaultProvider": "AzureActiveDirectory"

}

🔑 Add Azure AD App Registration

1. Go to Azure Portal → Azure AD → App Registrations
2. Register new app, enable redirect URI
3. Copy Client ID, Tenant ID, and Secret

🧠 3. Role-Based Access Control (RBAC)

RBAC controls who can manage resources within Azure.

✅ Example: Assign Reader Role to a User

bash

az role assignment create \

  --assignee user@example.com \

  --role Reader \

  --scope /subscriptions/{id}/resourceGroups/MyResourceGroup

🔐 Combine with Azure AD for advanced access scenarios.

🛡️ 4. Application-Level Authorization

Beyond authenticating users, you may want fine-grained access control in your app code.

✅ JWT Token Claims

After login, users receive a JWT token. You can extract claims like email, role, or tenant.

javascript

// Node.js Example

const jwt = require('jsonwebtoken');

const token = req.headers['x-ms-token-aad-id-token'];

const decoded = jwt.decode(token);

console.log(decoded.email);

📘 Use libraries like jsonwebtoken, MSAL, or Microsoft.Identity.Web.

🗝️ 5. Securing Secrets and Environment Variables

✅ Avoid Hardcoding Secrets

Never store secrets like API keys, connection strings, or access tokens in code.

🔐 Use Azure Key Vault Integration

1. Create a Key Vault
2. Add secret (DB_PASSWORD)
3. Reference it in App Settings:

bash

az webapp config appsettings set \

  --name mywebapp \

  --resource-group MyResourceGroup \

  --settings DB_PASSWORD="@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/DB_PASSWORD/)"

🌐 6. IP Restrictions and Network Access Control

✅ Restrict IP Ranges

You can restrict access to your app to certain IPs (e.g., company firewall).

bash

az webapp config access-restriction add \

  --resource-group MyResourceGroup \

  --name mywebapp \

  --rule-name AllowCorporateOffice \

  --priority 100 \

  --action Allow \

  --ip-address 203.0.113.0/24

📦 Use Azure Front Door or App Gateway

• Terminate SSL
• Add WAF (Web Application Firewall)
• Perform global load balancing

📋 Summary Table – App Service Security Features