About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- windows_first
- missing_linux_example
- windows_tools
Summary:
The documentation page demonstrates a Windows bias in the 'Server level (Windows apps only)' section, where only Windows/IIS (web.config) authorization is described, with no equivalent Linux example or mention of how to achieve similar functionality on Linux-based App Service plans. The use of Kudu and web.config is specific to Windows, and Linux alternatives are not discussed. Additionally, the section order presents the Windows-specific method before more general or cross-platform approaches.
Recommendations:
- Add a section describing how to implement server-level authorization for Linux-based App Service apps, such as using .htaccess for Apache, nginx configuration, or middleware in common Linux web frameworks.
- Explicitly state the lack of server-level authorization support on Linux and suggest application-level or identity provider-level alternatives.
- Reorder the authorization section to present cross-platform or provider-level solutions before platform-specific (Windows) solutions.
- Where platform-specific tools (like Kudu or web.config) are mentioned, provide Linux equivalents or clear guidance for Linux users.
Flagged Code Snippets
5. Select **Put**.
This setting appends the `domain_hint` query string parameter to the sign-in redirect URL.
> [!IMPORTANT]
> It's possible for the client to remove the `domain_hint` parameter after receiving the redirect URL, and then sign in with a different domain. So although this function is convenient, it's not a security feature.
## Authorize or deny users
App Service takes care of the simplest authorization case, such as rejecting unauthenticated requests. Your app might require more fine-grained authorization behavior, such as limiting access to only a specific group of users.
You might need to write custom application code to allow or deny access to the signed-in user. In some cases, App Service or your identity provider might be able to help without requiring code changes.
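
The app-side check described above, as an added example that is not part of the Azure documentation: it decodes the `X-MS-CLIENT-PRINCIPAL` header that App Service authentication forwards to the app and allows only users from an allowed domain who are also in a required group, so removing `domain_hint` at sign-in gains nothing. The allowed domain, the group ID, the `groups` claim type, and the use of the `name_typ` claim as the sign-in name are assumptions.

```python
import base64
import json

# Assumed policy for illustration: allowed sign-in domains and a placeholder group ID.
ALLOWED_DOMAINS = {"contoso.com"}
REQUIRED_GROUP = "00000000-0000-0000-0000-000000000001"
GROUPS_CLAIM = "groups"  # assumed claim type carrying group membership


def parse_principal(header_value):
    """Decode the base64-encoded JSON from X-MS-CLIENT-PRINCIPAL; None if malformed."""
    try:
        doc = json.loads(base64.b64decode(header_value, validate=True))
    except (ValueError, TypeError):  # bad base64, bad JSON, or header missing
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("claims"), list):
        return None
    return doc


def claim_values(principal, claim_type):
    """All values of one claim type from the principal's claims array."""
    return [c.get("val") for c in principal["claims"]
            if isinstance(c, dict) and c.get("typ") == claim_type]


def is_authorized(headers):
    """True only for a user in an allowed domain who is also in the required group."""
    principal = parse_principal(headers.get("X-MS-CLIENT-PRINCIPAL"))
    if principal is None:
        return False  # fail closed
    names = claim_values(principal, principal.get("name_typ"))
    if len(names) != 1 or not isinstance(names[0], str):
        return False
    local, sep, domain = names[0].rpartition("@")
    # Exact match on the domain, so "contoso.com.evil.example" is rejected.
    if not (sep and local) or domain.lower() not in ALLOWED_DOMAINS:
        return False
    return REQUIRED_GROUP in claim_values(principal, GROUPS_CLAIM)


def sample_headers(name, groups):
    """Constructed sample input: headers in the shape App Service forwards them."""
    claims = [{"typ": "preferred_username", "val": name}]
    claims += [{"typ": GROUPS_CLAIM, "val": g} for g in groups]
    doc = {"auth_typ": "aad", "name_typ": "preferred_username",
           "role_typ": "roles", "claims": claims}
    return {"X-MS-CLIENT-PRINCIPAL": base64.b64encode(json.dumps(doc).encode()).decode()}
```

`headers` is any mapping of request headers, such as a web framework's request header object. The header can be trusted only when App Service authentication sits in front of the app, because the platform sets it and does not let external requests supply it.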
### Server level (Windows apps only)
For any Windows app, you can define authorization behavior of the IIS web server by editing the `web.config` file. Linux apps don't use IIS and can't be configured through `web.config`.
1. To go to the Kudu debug console for your app, select **Development Tools** > **Advanced Tools** and select **Go**. Then select **Debug console**.
   You can also open this page with this URL: `https://<app-name>-<random-hash>.scm.<region>.azurewebsites.net/DebugConsole`. To get the random hash and region values, in your app **Overview**, copy **Default domain**.
1. In the browser explorer of your App Service files, go to `site/wwwroot`. If `web.config` doesn't exist, create it by selecting **+** > **New File**.
1. Select the pencil for `web.config` to edit the file. Add the following configuration code, and then select **Save**. If `web.config` already exists, just add the `<authorization>` element with everything in it. In the `<allow>` element, add the accounts that you want to allow.