App Service Security Model: Auth, Identities, and Network Access
App Service provides several built-in security features that most web applications need: HTTPS enforcement, user authentication middleware, managed identity for accessing other Azure services, and network access restrictions. This page explains each layer and shows how they work together to secure an App Service application without writing infrastructure code.
HTTPS enforcement and TLS
Every App Service app gets a free TLS certificate on its *.azurewebsites.net domain automatically. HTTP traffic to that domain is allowed by default — but you should redirect it to HTTPS. Enable HTTPS-only in one CLI command:
az webapp update \
--resource-group my-rg \
--name my-web-app \
--https-only trueWith HTTPS-only enabled, any HTTP request returns a 301 redirect to the HTTPS version. No code changes needed — App Service handles the redirect at the network layer.
For custom domains, App Service integrates with App Service managed certificates (free, auto-renewed) or your own certificates stored in Key Vault:
# Create a free managed certificate for a custom domain
az webapp config ssl create \
--resource-group my-rg \
--name my-web-app \
--hostname www.yourdomain.com
# Bind the certificate to the hostname
az webapp config ssl bind \
--resource-group my-rg \
--name my-web-app \
--certificate-thumbprint <thumbprint-from-above> \
--ssl-type SNIManaged certificates auto-renew 30 days before expiry. You never need to handle certificate lifecycle for custom domains in App Service.
Managed identities: no credentials in your app
The most significant security improvement for most App Service apps is replacing stored credentials with a managed identity. Instead of your app storing a database password, a Key Vault secret, or an API key, the App Service has a managed identity that Azure uses to authenticate it automatically.
# Enable a system-assigned managed identity on the App Service
az webapp identity assign \
--resource-group my-rg \
--name my-web-app
# Get the principal ID (needed to assign roles)
PRINCIPAL_ID=$(az webapp identity show \
--resource-group my-rg \
--name my-web-app \
--query principalId \
--output tsv)
# Grant the identity read access to a Key Vault
VAULT_ID=$(az keyvault show --name my-vault --resource-group my-rg \
--query id --output tsv)
az role assignment create \
--assignee $PRINCIPAL_ID \
--role "Key Vault Secrets User" \
--scope $VAULT_IDIn your application code, use DefaultAzureCredential (available in .NET, Python, Java, JavaScript SDKs). It automatically uses the managed identity when running on App Service:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
credential = DefaultAzureCredential()
client = SecretClient(
vault_url="https://my-vault.vault.azure.net/",
credential=credential
)
secret = client.get_secret("db-password").valueNo connection string stored in app settings. No secret to rotate. The managed identity’s access is revoked by changing an RBAC role assignment, not by rotating credentials stored across multiple config files.
App Service Authentication (Easy Auth)
App Service Authentication is an authentication middleware that runs in front of your application code. When enabled, unauthenticated requests are redirected to a login flow before they ever reach your app. Authenticated users have their identity injected into request headers that your application can read.
Enable Entra ID authentication in the portal or CLI:
# Configure Easy Auth with Entra ID
az webapp auth update \
--resource-group my-rg \
--name my-web-app \
--enabled true \
--action LoginWithAzureActiveDirectory
# The app registration in Entra ID must be pre-created
# Azure CLI can create it automatically:
az webapp auth microsoft update \
--resource-group my-rg \
--name my-web-app \
--client-id <entra-app-client-id> \
--client-secret <entra-app-client-secret>Easy Auth is useful for internal tools and APIs where every user must be authenticated. For a public-facing website with some pages available anonymously, handling authentication in your application code gives you more control — Easy Auth is an all-or-nothing gate at the App Service level.
Your application can read the authenticated user’s identity from request headers injected by Easy Auth:
X-MS-CLIENT-PRINCIPAL-NAME— the user’s email or UPNX-MS-CLIENT-PRINCIPAL-ID— the user’s object ID in Entra IDX-MS-TOKEN-AAD-ACCESS-TOKEN— the user’s Entra ID access token (if you need to call downstream APIs on their behalf)
Network access restrictions
By default, App Service accepts inbound traffic from anywhere on the internet. Access restrictions let you lock down which IP addresses or VNet subnets can reach your app:
# Allow only traffic from a specific IP range
az webapp config access-restriction add \
--resource-group my-rg \
--name my-web-app \
--rule-name allow-office \
--action Allow \
--ip-address 203.0.113.0/24 \
--priority 100
# Deny all other traffic (App Service adds a deny-all rule automatically
# when you add an allow rule, but you can make it explicit)
az webapp config access-restriction add \
--resource-group my-rg \
--name my-web-app \
--rule-name deny-all \
--action Deny \
--ip-address Any \
--priority 2147483647For production APIs accessed only by other Azure services (not users), restrict access to the VNet subnets where your API Gateway or other services reside. This completely removes the App Service from public internet exposure.
Access restrictions also apply to the deployment endpoint (for pushing code). Use the —scm-site flag to add restrictions to the SCM (Kudu) endpoint separately from the main site. Leaving SCM open to the internet while restricting the main site is a security gap.
VNet integration for outbound access
VNet integration lets your App Service route outbound traffic through your Azure Virtual Network — giving your app access to private resources like databases, internal APIs, or other VNet-connected services, without exposing those resources to the internet.
# Integrate the App Service with a VNet subnet
az webapp vnet-integration add \
--resource-group my-rg \
--name my-web-app \
--vnet my-vnet \
--subnet app-service-subnetWith VNet integration, your App Service can reach a private Azure SQL Database or private Key Vault endpoint directly over the Microsoft network, even though the App Service itself may still receive inbound traffic from the internet. VNet integration is for outbound (egress) traffic only — it does not put your App Service into the VNet for inbound purposes. Use private endpoints for inbound private access.
Common App Service security mistakes
- Storing secrets as plain-text app settings. App settings appear in the portal and in deployment logs. Any person with Contributor access to the resource group can see them. Use Key Vault references for connection strings, API keys, and passwords — the app setting value is a pointer to Key Vault, not the secret itself.
- Not enforcing HTTPS-only. HTTP requests to your app will succeed by default until you set HTTPS-only. Users accessing the HTTP version transmit data unencrypted. Enable HTTPS-only from day one, not after launch.
- Leaving the SCM endpoint open to the internet. The Kudu/SCM endpoint (
your-app.scm.azurewebsites.net) provides access to deployment tools, log streaming, and debug consoles. If your main site is behind access restrictions but SCM is open, an attacker with deployment credentials can reach the SCM endpoint from anywhere. - Using connection string app settings instead of managed identities. A connection string to a database stored in app settings is one portal click away from being visible to any administrator. Switch to managed identity authentication for databases (Azure SQL supports it natively with Entra ID) and remove the stored credentials entirely.
Summary
- Enable HTTPS-only with one CLI command — it redirects all HTTP requests at the network layer without code changes.
- Assign a managed identity to your App Service and use it to authenticate to Key Vault, databases, and other Azure services. Eliminate stored credentials from app settings.
- Easy Auth adds authentication middleware in front of your app — useful for internal tools where all users must be Entra ID authenticated.
- Access restrictions control which IPs and VNet subnets can reach your app. For internal APIs, restrict to VNet subnets or private endpoints entirely.
- VNet integration routes your app’s outbound traffic through a VNet, enabling private access to databases and internal services.
Frequently asked questions
What is Easy Auth in App Service?
Easy Auth is App Service Authentication — a middleware layer that handles user authentication before requests reach your application code. It supports Entra ID, Google, Facebook, Apple, Twitter, and any OpenID Connect provider. When enabled, unauthenticated requests are redirected to a login flow automatically. Your app receives the user identity in request headers without implementing auth libraries itself.
Can my App Service access Azure resources like Key Vault without storing credentials?
Yes — this is the recommended approach. Enable a system-assigned managed identity on the App Service, then grant that identity the appropriate RBAC role on the target resource (for example, Key Vault Secrets User on a Key Vault). Your application authenticates using DefaultAzureCredential or equivalent, which automatically uses the managed identity when running on App Service.
What is a service endpoint versus a private endpoint for App Service?
A service endpoint restricts access to App Service from specific VNet subnets using the Microsoft backbone network. Traffic still traverses the Microsoft network but does not go over the public internet. A private endpoint puts the App Service into your VNet with a private IP address — fully private access without any internet exposure. Private endpoints are the stronger isolation choice for sensitive applications.