About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- windows_first
- windows_tools
- missing_linux_example
Summary:
The documentation page exhibits a Windows bias in the 'Server level (Windows apps only)' section, where it provides detailed instructions for configuring authorization using IIS and web.config, which are exclusive to Windows. There is no equivalent example or guidance for Linux-based App Service apps. Additionally, the section is presented before any mention of Linux alternatives, and no Linux-native tools or configuration patterns are discussed.
Recommendations:
- Add a parallel section for Linux-based App Service apps, providing equivalent guidance for configuring authorization (e.g., using middleware in common frameworks like Node.js, Python, or .NET Core).
- Explicitly state that Linux apps require different approaches and link to relevant documentation or examples for Linux environments.
- Where possible, present Windows and Linux options side-by-side to avoid the perception of Windows as the default or preferred platform.
- Include sample code or configuration for popular Linux web servers (e.g., Nginx, Apache) or application-level authorization patterns.
Flagged Code Snippets
5. Select **Put**.
This setting appends the `domain_hint` query string parameter to the sign-in redirect URL.
> [!IMPORTANT]
> It's possible for the client to remove the `domain_hint` parameter after receiving the redirect URL, and then sign in with a different domain. So although this function is convenient, it's not a security feature.
## Authorize or deny users
App Service takes care of the simplest authorization case, for example, rejecting unauthenticated requests. Your app might require more fine-grained authorization behavior, such as limiting access to only a specific group of users.
You might need to write custom application code to allow or deny access to the signed-in user. In some cases, App Service or your identity provider might be able to help without requiring code changes.
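The following is an added example, not code from the Azure documentation. It shows application-level authorization that works on Linux or Windows apps and enforces the allowed domain and group on the server, which is the check that `domain_hint` cannot provide. It assumes App Service authentication is enabled and supplies the `X-MS-CLIENT-PRINCIPAL` header (base64-encoded JSON), and that the identity provider emits group IDs as claims of type `groups`; the policy values and function names are hypothetical.

```python
import base64
import json

# Policy values constructed for this example; replace with your own.
ALLOWED_DOMAINS = {"contoso.com"}
ALLOWED_GROUPS = {"00000000-0000-0000-0000-000000000001"}  # placeholder group ID

def parse_principal(header_value):
    """Decode the base64 JSON carried in X-MS-CLIENT-PRINCIPAL, or return None."""
    try:
        data = json.loads(base64.b64decode(header_value, validate=True))
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or not isinstance(data.get("claims"), list):
        return None
    return data

def claim_values(principal, claim_type):
    """Collect string values of every claim whose 'typ' equals claim_type."""
    if not claim_type:
        return []
    return [c["val"] for c in principal["claims"]
            if isinstance(c, dict) and c.get("typ") == claim_type
            and isinstance(c.get("val"), str)]

def authorize(headers):
    """Return (status, reason); anything missing or malformed is denied."""
    principal = parse_principal(headers.get("X-MS-CLIENT-PRINCIPAL") or "")
    if principal is None:
        return 401, "missing or malformed principal"
    # Checked on the server from the issued identity, so stripping
    # domain_hint from the sign-in URL does not change the outcome.
    names = claim_values(principal, principal.get("name_typ"))
    domains = {n.rsplit("@", 1)[1].lower() for n in names if "@" in n}
    if not domains or not domains <= ALLOWED_DOMAINS:
        return 403, "domain not allowed"
    if not set(claim_values(principal, "groups")) & ALLOWED_GROUPS:
        return 403, "not in an allowed group"
    return 200, "ok"

def sample_header(name, groups):
    """Build a constructed header value for local testing only."""
    claims = [{"typ": "name", "val": name}]
    claims += [{"typ": "groups", "val": g} for g in groups]
    doc = {"auth_typ": "aad", "name_typ": "name", "role_typ": "roles", "claims": claims}
    return base64.b64encode(json.dumps(doc).encode()).decode()

if __name__ == "__main__":
    hdr = sample_header("alice@contoso.com", sorted(ALLOWED_GROUPS))
    print(authorize({"X-MS-CLIENT-PRINCIPAL": hdr}))
```

Call `authorize` from your framework's request middleware and return the status it gives. The header is only meaningful when requests reach the app through App Service with authentication turned on.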
### Server level (Windows apps only)
For any Windows app, you can define authorization behavior of the IIS web server by editing the `web.config` file. Linux apps don't use IIS and can't be configured through `web.config`.
1. To go to the Kudu debug console for your app, select **Development Tools** > **Advanced Tools** and select **Go**. Then select **Debug console**.
   You can also open this page with this URL: `https://<app-name>-<random-hash>.scm.<region>.azurewebsites.net/DebugConsole`. To get the random hash and region values, in your app **Overview**, copy **Default domain**.
1. In the browser explorer of your App Service files, go to `site/wwwroot`. If `web.config` doesn't exist, create it by selecting **+** > **New File**.
1. Select the pencil for `web.config` to edit the file. Add the following configuration code, and then select **Save**. If `web.config` already exists, just add the `<authorization>` element with everything in it. In the `<allow>` element, add the accounts that you want to allow.