Using Azure App Service Authentication with ASP.NET (Classic) MVC Applications

December 21, 2016

Adrian Hall (MSFT)
Azure App Service has a facility called "Authentication / Authorization" and it assists primarily with the authentication requirements of Azure Mobile Apps. However, you can also use this in your web applications to abstract away the authentication needs. This makes it easy to integrate Facebook, Google, Microsoft Account, Twitter and Azure AD authentication schemes. This blog post will go through the process of configuring an ASP.NET MVC application to use Azure App Service Authentication.

Step 1: Configure Azure App Service Authentication / Authorization

You can follow our documentation to configure the actual service: Once you have followed the documentation, you should be able to browse to (where provider is one of aad, facebook, google, microsoftaccount or twitter) to ensure it is working.

Add Azure Mobile Apps to your ASP.NET MVC application

The Azure Mobile Apps .NET Server SDK does a lot of the hard work in handling claims. To configure authentication, first add the Microsoft.Azure.Mobile.Server.Quickstart NuGet package. Then add or create a Startup.cs file with the following:

using Microsoft.Owin;
using Owin;

[assembly: OwinStartup(typeof(Backend.Startup))]
namespace Backend
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureMobileApp(app); // defined in App_Start\Startup.MobileApp.cs
        }
    }
}

Add a suitable App_Start\Startup.MobileApp.cs file:

using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.Entity;
using System.Data.Entity.Migrations;
using System.Web.Http;
using Backend.DataObjects;
using Backend.Models;
using Microsoft.Azure.Mobile.Server.Authentication;
using Microsoft.Azure.Mobile.Server.Config;
using Owin;

namespace Backend
{
    public partial class Startup
    {
        public static void ConfigureMobileApp(IAppBuilder app)
        {
            var config = new HttpConfiguration();

            new MobileAppConfiguration()
                .ApplyTo(config);

            var settings = config.GetMobileAppSettingsProvider().GetMobileAppSettings();
            // HostName is only set when running in App Service, so this
            // middleware validates tokens in-process when running elsewhere.
            if (string.IsNullOrEmpty(settings.HostName))
            {
                app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions
                {
                    SigningKey = ConfigurationManager.AppSettings["SigningKey"],
                    ValidAudiences = new[] { ConfigurationManager.AppSettings["ValidAudience"] },
                    ValidIssuers = new[] { ConfigurationManager.AppSettings["ValidIssuer"] },
                    TokenHandler = config.GetAppServiceTokenHandler()
                });
            }
        }
    }
}

Finally, add the following to your Web.config file:

<configuration>
  <appSettings>
    <add key="webpages:Enabled" value="false" />
    <add key="PreserveLoginUrl" value="true" />
    <add key="MS_SigningKey" value="Overridden by portal settings" />
    <add key="EMA_RuntimeUrl" value="Overridden by portal settings" />
    <add key="MS_NotificationHubName" value="Overridden by portal settings" />
    <add key="SigningKey" value="Overridden by portal settings" />
    <add key="ValidAudience" value="" />
    <add key="ValidIssuer" value="" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5.2"/>
    <httpRuntime targetFramework="4.5.2"/>
    <authentication mode="Forms">
      <forms loginUrl="/.auth/login/aad" timeout="2880"/>
    </authentication>
  </system.web>
</configuration>

Some parts of this will already be present in your Web.config. Make sure the loginUrl in the authentication section matches the login URL for the provider that you configured.

You should now be able to attach the [Authorize] attribute to any controller to enable the redirect to the authentication system. Authentication happens, and the user is then prompted to "return to the website". Once the link is clicked, the user is redirected back to your application as an authenticated user. Your application can use any of the claims available through the /.auth/me endpoint of your application. They are available in the httpContext.User.Identity.Claims object.

Dealing with Anti-Forgery Tokens

One thing that will break is anti-forgery tokens. This is because Azure App Service Authentication does not provide the identityprovider claim that anti-forgery tokens use for configuration, so you have to explicitly set a claim to use. This can be done anywhere during application startup. I place mine in the MVC RegisterRoutes() method in App_Start\RouteConfig.cs. Add the following line:

// Requires: using System.Security.Claims; using System.Web.Helpers;
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
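
The following controller is an added example, not code from the original post. It ties together the [Authorize] redirect, reading the claims, and an anti-forgery-protected POST that depends on the NameIdentifier setting above. The ProfileController name, its actions and the displayName parameter are assumptions made for illustration.

```csharp
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Mvc;

namespace Backend.Controllers
{
    // Hypothetical controller: its name, actions and parameters are assumptions.
    [Authorize] // anonymous requests are redirected to the forms loginUrl
    public class ProfileController : Controller
    {
        // GET /Profile: return the signed-in user's own claims.
        public ActionResult Index()
        {
            var nameId = GetNameIdentifier();
            if (nameId == null)
            {
                return new HttpStatusCodeResult(HttpStatusCode.Forbidden, "NameIdentifier claim missing");
            }
            var claims = ((ClaimsIdentity)User.Identity).Claims
                .Select(c => new { c.Type, c.Value })
                .ToList();
            return Json(new { userId = nameId, claims }, JsonRequestBehavior.AllowGet);
        }

        // POST /Profile/Update: the form must include @Html.AntiForgeryToken().
        // Validation binds the token to the NameIdentifier claim value.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Update(string displayName)
        {
            if (string.IsNullOrWhiteSpace(displayName))
            {
                return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
            }
            TempData["DisplayName"] = displayName.Trim();
            return RedirectToAction("Index");
        }

        // Reads the claim that AntiForgeryConfig.UniqueClaimTypeIdentifier points at;
        // returns null when the identity is not claims-based or the claim is absent.
        private string GetNameIdentifier()
        {
            var identity = User.Identity as ClaimsIdentity;
            var claim = identity == null ? null : identity.FindFirst(ClaimTypes.NameIdentifier);
            return claim == null || string.IsNullOrEmpty(claim.Value) ? null : claim.Value;
        }
    }
}
```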