ARM Template Web App Authentication Settings not working

I am working on setting up my site authentication settings to use the AAD provider. Most of the template is respected. However, the unauthenticatedClientAction and allowedAudiences are not being properly assigned. I observe 'allow anonymous' and no 'allowed audiences' being assigned.

Please note that I was working with the ARM Template API 2018-02-01. This problem may still exist due to the documentation; if you provide an answer, please note the ARM Template version it addresses.

Additionally, create an issue for the ARM documentation team to correct any issues.

Here is my template segment for these settings. It is nested under resources in my website template.

root > Microsoft.Web/Site > Resources

{
    "type": "config",
    "name": "web",
    "apiVersion": "2016-08-01",
    "location": "[parameters('app-location')]",
    "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('web-site-name'))]"
    ],
    "properties": {
        "siteAuthEnabled": true,
        "siteAuthSettings": {
            "enabled": true,
            "unauthenticatedClientAction": "RedirectToLoginPage",
            "tokenStoreEnabled": true,
            "defaultProvider": "AzureActiveDirectory",
            "clientId": "[parameters('web-aad-client-id')]",
            "issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
            "allowedAudiences": [
                "[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
            ]
        }
    }
}

  • Template Validates
  • Deployment does not output any errors

Issues:

  1. unauthenticatedClientAction is assigned allow anonymous not RedirectToLoginPage
  2. allowedAudiences is not assigned any sites

What could be causing these issues? What could I have missed?

Itanex asked Jan 28 '19 22:01

1 Answer

I got my answer after working with the fine people at Azure Support.

Please note that this solution targets API 2018-02-01 which was the current version at the time of this post.

This sub-resource is no longer a valid solution; while the endpoint may still recognize some of its fields, it is deprecated.

The new solution is to add the siteAuthSettings object to the main 'Microsoft.Web/site' properties; siteAuthEnabled is no longer needed, as siteAuthSettings.enable duplicates this functionality.

Updated ARM Template (removed other settings for brevity)

{
    "name": "[variables('app-service-name')]",
    "type": "Microsoft.Web/sites",
    "location": "[parameters('app-location')]",
    "apiVersion": "2016-08-01",
    "dependsOn": [
        "[variables('app-plan-name')]"
    ],
    "properties": {
        //... other app service settings
        "siteAuthSettings": {
            "enabled": true,
            "unauthenticatedClientAction": "RedirectToLoginPage",
            "tokenStoreEnabled": true,
            "defaultProvider": "AzureActiveDirectory",
            "clientId": "[parameters('web-aad-client-id')]",
            "issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
            "allowedAudiences": [
                "[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
            ]
        }
    }
}
Itanex answered Oct 16 '22 01:10
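The failure mode in the question is silent: the template validates and deploys, yet the auth settings that land on the site are not the ones declared. A pre-deployment lint that checks where siteAuthSettings is placed and what it contains catches this before anything is deployed. The script below is an added example, not code from the question, the answer or Azure; it flags siteAuthSettings declared in the nested 'config' sub-resource (the question's layout) rather than on the site's own 'properties' (the answer's layout), and reports an unauthenticatedClientAction other than RedirectToLoginPage or an empty allowedAudiences. The resource type, property names and ARM expressions are taken from the thread; the sample templates, the helper `_site` and the function names are constructed for this example.

```python
"""Pre-deployment lint for App Service siteAuthSettings in an ARM template.

Added example; not code from the original question or answer. The resource
types and property names come from the thread, the sample templates below are
constructed, and the function names are this example's own.
"""
import json

EXPECTED_ACTION = "RedirectToLoginPage"


def _check_settings(auth, site_name):
    """Return findings for one siteAuthSettings object on site `site_name`."""
    findings = []
    if auth.get("enabled") is not True:
        findings.append(f"{site_name}: siteAuthSettings.enabled is not true")
    action = auth.get("unauthenticatedClientAction")
    if action != EXPECTED_ACTION:
        findings.append(f"{site_name}: unauthenticatedClientAction is {action!r}, "
                        f"expected {EXPECTED_ACTION!r}")
    if not auth.get("allowedAudiences"):
        findings.append(f"{site_name}: allowedAudiences is empty")
    if not auth.get("issuer"):
        findings.append(f"{site_name}: issuer is not set")
    return findings


def lint_site_auth(template):
    """Return a list of findings over every Microsoft.Web/sites resource; [] means clean."""
    findings = []
    for site in template.get("resources", []):
        if site.get("type", "").lower() != "microsoft.web/sites":
            continue
        name = site.get("name", "<unnamed>")
        # Deprecated placement: siteAuthSettings inside a nested 'config' sub-resource.
        for child in site.get("resources", []):
            if child.get("type") == "config" and "siteAuthSettings" in child.get("properties", {}):
                findings.append(f"{name}: siteAuthSettings sits in nested config/{child.get('name')}; "
                                "move it into the site's own 'properties'")
        auth = site.get("properties", {}).get("siteAuthSettings")
        if auth is None:
            findings.append(f"{name}: no siteAuthSettings on the site's properties")
        else:
            findings.extend(_check_settings(auth, name))
    return findings


def lint_template_text(text):
    """Lint a template given as JSON text (e.g. the contents of azuredeploy.json)."""
    return lint_site_auth(json.loads(text))


# Constructed auth block using the values from the thread.
AUTH_OK = {
    "enabled": True,
    "unauthenticatedClientAction": "RedirectToLoginPage",
    "tokenStoreEnabled": True,
    "defaultProvider": "AzureActiveDirectory",
    "clientId": "[parameters('web-aad-client-id')]",
    "issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
    "allowedAudiences": ["[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"],
}


def _site(props, children=()):
    """Build a minimal constructed template with one Microsoft.Web/sites resource."""
    return {"resources": [{"type": "Microsoft.Web/sites", "name": "[variables('web-site-name')]",
                           "apiVersion": "2016-08-01", "properties": props,
                           "resources": list(children)}]}


# The question's layout: auth nested under the config/web sub-resource.
TEMPLATE_NESTED = _site({}, [{"type": "config", "name": "web", "apiVersion": "2016-08-01",
                              "properties": {"siteAuthEnabled": True, "siteAuthSettings": AUTH_OK}}])
# The answer's layout: auth on the site's own properties.
TEMPLATE_FIXED = _site({"siteAuthSettings": AUTH_OK})
# Right placement, but the weak values the question observed after deployment.
TEMPLATE_WEAK = _site({"siteAuthSettings": dict(AUTH_OK, unauthenticatedClientAction="AllowAnonymous",
                                                allowedAudiences=[])})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            findings = lint_template_text(fh.read())
    else:
        findings = lint_site_auth(TEMPLATE_NESTED) + lint_site_auth(TEMPLATE_WEAK)
    for finding in findings:
        print(finding)
```

Run it with a template path to lint a real file, or with no arguments to see the findings for the two constructed problem templates. After deployment, the same checks apply to what `az webapp auth show` returns for the site; an empty allowedAudiences or an unauthenticatedClientAction that differs from the template is the symptom the question describes.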