az containerapp auth
Note
This command group has commands that are defined in both Azure CLI and at least one extension. Install each extension to benefit from its extended capabilities. Learn more about extensions.
Manage containerapp authentication and authorization.
Commands
| Name | Description | Type | Status | 
|---|---|---|---|
| az containerapp auth apple | Manage containerapp authentication and authorization of the Apple identity provider. | Core | GA | 
| az containerapp auth apple show | Show the authentication settings for the Apple identity provider. | Core | GA | 
| az containerapp auth apple update | Update the client id and client secret for the Apple identity provider. | Core | GA | 
| az containerapp auth facebook | Manage containerapp authentication and authorization of the Facebook identity provider. | Core | GA | 
| az containerapp auth facebook show | Show the authentication settings for the Facebook identity provider. | Core | GA | 
| az containerapp auth facebook update | Update the app id and app secret for the Facebook identity provider. | Core | GA | 
| az containerapp auth github | Manage containerapp authentication and authorization of the GitHub identity provider. | Core | GA | 
| az containerapp auth github show | Show the authentication settings for the GitHub identity provider. | Core | GA | 
| az containerapp auth github update | Update the client id and client secret for the GitHub identity provider. | Core | GA | 
| az containerapp auth google | Manage containerapp authentication and authorization of the Google identity provider. | Core | GA | 
| az containerapp auth google show | Show the authentication settings for the Google identity provider. | Core | GA | 
| az containerapp auth google update | Update the client id and client secret for the Google identity provider. | Core | GA | 
| az containerapp auth microsoft | Manage containerapp authentication and authorization of the Microsoft identity provider. | Core | GA | 
| az containerapp auth microsoft show | Show the authentication settings for the Azure Active Directory identity provider. | Core | GA | 
| az containerapp auth microsoft update | Update the client id and client secret for the Azure Active Directory identity provider. | Core | GA | 
| az containerapp auth openid-connect | Manage containerapp authentication and authorization of the custom OpenID Connect identity providers. | Core | GA | 
| az containerapp auth openid-connect add | Configure a new custom OpenID Connect identity provider. | Core | GA | 
| az containerapp auth openid-connect remove | Removes an existing custom OpenID Connect identity provider. | Core | GA | 
| az containerapp auth openid-connect show | Show the authentication settings for the custom OpenID Connect identity provider. | Core | GA | 
| az containerapp auth openid-connect update | Update the client id and client secret setting name for an existing custom OpenID Connect identity provider. | Core | GA | 
| az containerapp auth show | Show the authentication settings for the containerapp. | Core | GA | 
| az containerapp auth show (containerapp extension) | Show the authentication settings for the containerapp. | Extension | GA | 
| az containerapp auth twitter | Manage containerapp authentication and authorization of the Twitter identity provider. | Core | GA | 
| az containerapp auth twitter show | Show the authentication settings for the Twitter identity provider. | Core | GA | 
| az containerapp auth twitter update | Update the consumer key and consumer secret for the Twitter identity provider. | Core | GA | 
| az containerapp auth update | Update the authentication settings for the containerapp. | Core | GA | 
| az containerapp auth update (containerapp extension) | Update the authentication settings for the containerapp. | Extension | GA | 
az containerapp auth show
Show the authentication settings for the containerapp.
az containerapp auth show [--ids]
                          [--name]
                          [--resource-group]
                          [--subscription]Examples
Show the authentication settings for the containerapp.
az containerapp auth show --name my-containerapp --resource-group MyResourceGroupOptional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
The name of the Containerapp. A name must consist of lower case alphanumeric characters or '-', start with a letter, end with an alphanumeric character, cannot have '--', and must be less than 32 characters.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
az containerapp auth show (containerapp extension)
Show the authentication settings for the containerapp.
az containerapp auth show [--ids]
                          [--name]
                          [--resource-group]
                          [--subscription]Examples
Show the authentication settings for the containerapp.
az containerapp auth show --name my-containerapp --resource-group MyResourceGroupOptional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
The name of the Containerapp. A name must consist of lower case alphanumeric characters or '-', start with a letter, end with an alphanumeric character, cannot have '--', and must be less than 32 characters.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
az containerapp auth update
Update the authentication settings for the containerapp.
az containerapp auth update [--action --unauthenticated-client-action {AllowAnonymous, RedirectToLoginPage, Return401, Return403}]
                            [--config-file-path]
                            [--custom-host-header --proxy-custom-host-header]
                            [--custom-proto-header --proxy-custom-proto-header]
                            [--enabled {false, true}]
                            [--excluded-paths]
                            [--ids]
                            [--name]
                            [--proxy-convention {Custom, NoProxy, Standard}]
                            [--redirect-provider]
                            [--require-https {false, true}]
                            [--resource-group]
                            [--runtime-version]
                            [--sas-url-secret]
                            [--sas-url-secret-name]
                            [--set]
                            [--subscription]
                            [--token-store {false, true}]
                            [--yes]Examples
Update the client ID of the AAD provider already configured.
az containerapp auth update -g myResourceGroup --name my-containerapp --set identityProviders.azureActiveDirectory.registration.clientId=my-client-idConfigure the app with file based authentication by setting the config file path.
az containerapp auth update -g myResourceGroup --name my-containerapp --config-file-path D:\home\site\wwwroot\auth.jsonConfigure the app to allow unauthenticated requests to hit the app.
az containerapp auth update -g myResourceGroup --name my-containerapp --unauthenticated-client-action AllowAnonymousConfigure the app to redirect unauthenticated requests to the Facebook provider.
az containerapp auth update -g myResourceGroup --name my-containerapp --redirect-provider FacebookConfigure the app to listen to the forward headers X-FORWARDED-HOST and X-FORWARDED-PROTO.
az containerapp auth update -g myResourceGroup --name my-containerapp --proxy-convention StandardOptional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
The action to take when an unauthenticated client attempts to access the app.
| Property | Value | 
|---|---|
| Accepted values: | AllowAnonymous, RedirectToLoginPage, Return401, Return403 | 
The path of the config file containing auth settings if they come from a file.
The name of the header containing the host of the request.
The name of the header containing the scheme of the request.
True if the Authentication / Authorization feature is enabled for the current app; otherwise, false.
| Property | Value | 
|---|---|
| Accepted values: | false, true | 
The list of paths that should be excluded from authentication rules.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
The name of the Containerapp. A name must consist of lower case alphanumeric characters or '-', start with a letter, end with an alphanumeric character, cannot have '--', and must be less than 32 characters.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
The convention used to determine the url of the request made.
| Property | Value | 
|---|---|
| Accepted values: | Custom, NoProxy, Standard | 
The default authentication provider to use when multiple providers are configured.
False if the authentication/authorization responses not having the HTTPS scheme are permissible; otherwise, true.
| Property | Value | 
|---|---|
| Accepted values: | false, true | 
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
The RuntimeVersion of the Authentication / Authorization feature in use for the current app.
The blob storage SAS URL to be used for token store.
The secret name that contains blob storage SAS URL to be used for token store.
Value of a specific field within the configuration settings for the Azure App Service Authentication / Authorization feature.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
Boolean indicating if token store is enabled for the app.
| Property | Value | 
|---|---|
| Accepted values: | false, true | 
Do not prompt for confirmation.
| Property | Value | 
|---|---|
| Default value: | False | 
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
az containerapp auth update (containerapp extension)
Update the authentication settings for the containerapp.
az containerapp auth update [--action --unauthenticated-client-action {AllowAnonymous, RedirectToLoginPage, Return401, Return403}]
                            [--bci --blob-container-identity]
                            [--blob-container-uri]
                            [--config-file-path]
                            [--custom-host-header --proxy-custom-host-header]
                            [--custom-proto-header --proxy-custom-proto-header]
                            [--enabled {false, true}]
                            [--excluded-paths]
                            [--ids]
                            [--name]
                            [--proxy-convention {Custom, NoProxy, Standard}]
                            [--redirect-provider]
                            [--require-https {false, true}]
                            [--resource-group]
                            [--runtime-version]
                            [--sas-url-secret]
                            [--sas-url-secret-name]
                            [--set]
                            [--subscription]
                            [--token-store {false, true}]
                            [--yes]Examples
Update the client ID of the AAD provider already configured.
az containerapp auth update -g myResourceGroup --name my-containerapp --set identityProviders.azureActiveDirectory.registration.clientId=my-client-idConfigure the app with file based authentication by setting the config file path.
az containerapp auth update -g myResourceGroup --name my-containerapp --config-file-path D:\home\site\wwwroot\auth.jsonConfigure the app to allow unauthenticated requests to hit the app.
az containerapp auth update -g myResourceGroup --name my-containerapp --unauthenticated-client-action AllowAnonymousConfigure the app to redirect unauthenticated requests to the Facebook provider.
az containerapp auth update -g myResourceGroup --name my-containerapp --redirect-provider FacebookConfigure the app to listen to the forward headers X-FORWARDED-HOST and X-FORWARDED-PROTO.
az containerapp auth update -g myResourceGroup --name my-containerapp --proxy-convention StandardConfigure the blob storage token store using default system assigned managed identity to authenticate.
az containerapp auth update -g myResourceGroup --name my-containerapp --token-store true --blob-container-uri https://storageAccount1.blob.core.windows.net/container1Configure the blob storage token store using user assigned managed identity to authenticate.
az containerapp auth update -g myResourceGroup --name my-containerapp --token-store true --blob-container-uri https://storageAccount1.blob.core.windows.net/container1 --blob-container-identity managedIdentityResourceIdOptional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
The action to take when an unauthenticated client attempts to access the app.
| Property | Value | 
|---|---|
| Accepted values: | AllowAnonymous, RedirectToLoginPage, Return401, Return403 | 
Default Empty to use system-assigned identity, or using Resource ID of a managed identity to authenticate with Azure blob storage.
The URI of the blob storage containing the tokens. Should not be used along with sas_url_secret and sas_url_secret_name.
The path of the config file containing auth settings if they come from a file.
The name of the header containing the host of the request.
The name of the header containing the scheme of the request.
True if the Authentication / Authorization feature is enabled for the current app; otherwise, false.
| Property | Value | 
|---|---|
| Accepted values: | false, true | 
The list of paths that should be excluded from authentication rules.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
The name of the Containerapp. A name must consist of lower case alphanumeric characters or '-', start with a letter, end with an alphanumeric character, cannot have '--', and must be less than 32 characters.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
The convention used to determine the url of the request made.
| Property | Value | 
|---|---|
| Accepted values: | Custom, NoProxy, Standard | 
The default authentication provider to use when multiple providers are configured.
False if the authentication/authorization responses not having the HTTPS scheme are permissible; otherwise, true.
| Property | Value | 
|---|---|
| Accepted values: | false, true | 
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
The RuntimeVersion of the Authentication / Authorization feature in use for the current app.
The blob storage SAS URL to be used for token store.
The secret name that contains blob storage SAS URL to be used for token store.
Value of a specific field within the configuration settings for the Azure App Service Authentication / Authorization feature.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value | 
|---|---|
| Parameter group: | Resource Id Arguments | 
Boolean indicating if token store is enabled for the app.
| Property | Value | 
|---|---|
| Accepted values: | false, true | 
Do not prompt for confirmation.
| Property | Value | 
|---|---|
| Default value: | False | 
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
JMESPath query string. See http://jmespath.org/ for more information and examples.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False |