Document Details

Configure Authentication Customize Sign In Out
Home / Scan #41 / Configure Authentication Customize Sign In Out
Sad Tux - Windows bias detected
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Detected Bias Types
windows_first
windows_tools
missing_linux_example
Summary
The documentation page demonstrates a Windows bias in the 'Server level (Windows apps only)' section, where it provides detailed instructions for configuring authorization using IIS and web.config, which are exclusive to Windows. There is no equivalent example or guidance for Linux-based App Service apps, nor is there mention of how to achieve similar authorization controls on Linux. Additionally, the section is labeled 'Windows apps only', but Linux alternatives are not discussed, leaving a gap for Linux users.
Recommendations
  • Provide equivalent guidance for Linux-based App Service apps, such as using .htaccess for Apache, nginx configuration, or middleware-based authorization in popular frameworks (Node.js, Python, etc.).
  • Explicitly mention how Linux users can implement similar authorization controls, or link to relevant documentation.
  • Ensure that examples and instructions for command-line tools (such as Azure CLI) are presented in a cross-platform manner, and clarify that they work on both Windows and Linux.
  • Where a feature is Windows-only, offer a workaround or alternative for Linux users, or clearly state the limitation and suggest next steps.
GitHub Create Pull Request

Scan History

Date Scan Status Result
2025-07-12 23:44 #41 cancelled Biased Biased
2025-07-12 00:58 #8 cancelled Clean Clean
2025-07-10 05:06 #7 processing Clean Clean
2025-07-09 23:22 #6 cancelled Clean Clean

Flagged Code Snippets

5. Select **Put**.

This setting appends the `domain_hint` query string parameter to the sign-in redirect URL.

> [!IMPORTANT]
> It's possible for the client to remove the `domain_hint` parameter after receiving the redirect URL, and then sign in with a different domain. So although this function is convenient, it's not a security feature.

## Authorize or deny users

App Service takes care of the simplest authorization case, for example, reject unauthenticated requests. Your app might require more fine-grained authorization behavior, such as limiting access to only a specific group of users.

You might need to write custom application code to allow or deny access to the signed-in user. In some cases, App Service or your identity provider might be able to help without requiring code changes.

### Server level (Windows apps only)

For any Windows app, you can define authorization behavior of the IIS web server by editing the `web.config` file. Linux apps don't use IIS and can't be configured through `web.config`.

1. To go to the Kudu debug console for your app, select **Development Tools** > **Advanced Tools** and select **Go**. Then select **Debug console**.

   You can also open this page with this URL: `https://<app-name>-<random-hash>.scm.<region>.azurewebsites.net/DebugConsole`. To get the random hash and region values, in your app **Overview**, copy **Default domain**.

1. In the browser explorer of your App Service files, go to `site/wwwroot`. If `web.config` doesn't exist, create it by selecting **+** > **New File**.

1. Select the pencil for `web.config` to edit the file. Add the following configuration code, and then select **Save**. If `web.config` already exists, just add the `<authorization>` element with everything in it. In the `<allow>` element, add the accounts that you want to allow.