Restricting access to your Azure Web Application

As you may know almost everything that is deployed to Azure is publicly available. As with Azure SQL Database you do not have a firewall available for Azure Web Applications. That means other options need to be used to restrict access to Azure Web Application.

Restrict access by IP

A possible option is to restrict access to your application by IP addresses. The IP addresses can be added as a allowed IP address within the web.config of your application. All other IP addresses will get a 403 Forbidden response from Azure.

      <ipSecurity allowUnlisted="false">
        <clear />
        <add ipAddress="" allowed="true" />

Restrict access for specific Users

Another option is to restrict access by enabling Authentication on the web application. This can be done for several Authentication Providers like: Azure Active Directory, Google, Facebook, Twitter and Microsoft. The below steps will help you with the configuration of Azure Active Directory as a authentication provider.

  1. In the Azure Portal navigate to the blade of the web application.

Authentication / Authorization

  1. Click on “Authentication/Authorization” and select “On”.
  2. Activating this option will give you several options for Authentication Providers. For know we will select Azure Active Directory.

Azure Active Directory

  1. Because there isn’t a pre-configured application select the “Express” option. This option will register the Enterprise application within Azure Active Directory for us, or let you select a existing.

Configure Authentication

  1. Clicking “Save” on this blade will register the application within Azure Active Directory. From there users can be granted access to the application.
  2. To grant users access to the application open the Azure Active Directory blade within the Azure Portal and select Enterprise Applications.

Enterprise Applications

  1. In the Enterprise Applications blade select “All Applications” to see a list of all applications that are registered within Azure Active Directory.

Enterprise Application List

  1. From this list select the application. This will open the blade of the specific application.
  2. In the blade select “Users and Groups”.

Users for Azure Active Directory Application

  1. In the “Users and Groups” blade all users are shown that are granted access to the application. From here you can a add users to give them access.

Restrict Crawling

When you are developing or testing a site that has anonymous content you probably want the content not to be crawled by spiders or bots because many traffic can come from bots and spiders. Stopping the crawling can be done by placing a file called “robots.txt” at the root of your web application with the following content.

User-agent: *  
Disallow: / 

Related Posts

Azure DevOps Automation A couple of weeks ago the rename / rebranding of Visual Studio Team Services to Azure DevOps was announced. The rebranding is a great step forward int...
AKS (Kubernetes) and no connection could be made because the target machine acti... A client of my had an error while connecting to different resources within their Kubernetes cluster in Azure (AKS). Kubectl error On the kubectl com...
Kubernetes (AKS) attached to Azure Storage (Files) Kubernetes (AKS) can be used for many situations. For a client we needed to make files available trough a Kubernetes Pod. The files needed to be share...
Resource Group deployment via ARM templates When deploying an Azure Resource Manager (ARM) template you have to create a resource group within Azure. To deploy a template via script your script ...
Azure Managed Service Identity and Local Development Instead of storing user credentials of an external system in a configuration file, you should store them in the Azure Key Vault. Before MSI (Managed S...
The securitydata Azure resource group Most of the times companies have rules in place for managing their Azure environment. The main rules that should be in place are “Azure Policies” and ...


  1. What exactly happens when someone try to access the page, does he/she get a popup to enter credentials?

    • Hi Chris,

      Depends on which action you choose:
      – Firewall: Do not know exactly but opening the page from a restricted IP will not open the page.
      – User: All users will be asked to login. Depending on who logins the user will be redirected or get of 403 – access denied

  2. Hi, we created two guest accounts under azure active directory, only assigned one account permission to an application following the article, but after log in as another account, rather than getting 403, it was given access.

    • If I’m not mistaken you should do some additional settings. The application will get registered within Azure Active Directory. Open the AAD blade and click on “Enterprise Application” and search for your app.
      In the application blade click on “properties” and the set the setting: “user assignment required” to “yes”. By default this property is set to no if not mistaken.

      Let me know if this worked? I will then update the blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.