Skip to main content

Azure EasyAuth Provider

The Backstage core-plugin-api package comes with a Microsoft authentication provider that can authenticate users using Azure Active Directory for PaaS service hosted in Azure that support Easy Auth, such as Azure App Services.

Backstage Changes

Add the following into your app-config.yaml or app-config.production.yaml file

environment: development
development: {}

Add a providerFactories entry to the router in packages/backend/src/plugins/auth.ts.

import { providers } from '@backstage/plugin-auth-backend';

export default async function createPlugin(
env: PluginEnvironment,
): Promise<Router> {
const authProviderFactories = {
'azure-easyauth': providers.easyAuth.create({
signIn: {
resolver: async (info, ctx) => {
const {
fullProfile: { id },
} = info.result;

if (!id) {
throw new Error('User profile contained no id');

return await ctx.signInWithCatalogUser({
annotations: {
'': id,

return await createRouter({
logger: env.logger,
config: env.config,
database: env.database,
discovery: env.discovery,
tokenManager: env.tokenManager,
providerFactories: authProviderFactories,

Now the backend is ready to serve auth requests on the /api/auth/azure-easyauth/refresh endpoint. All that's left is to update the frontend sign-in mechanism to poll that endpoint through the IAP, on the user's behalf.

Frontend Changes

To use this component, you'll need to configure the app's SignInPage. It is recommended to use the ProxiedSignInPage for this provider when running in Azure, However for local development (or any other scenario running outside of Azure), you'll want to set up something different. For the closest experience to Easy Auth, you could set up the microsoft provider locally, but that will requires setting up App Registrations & secrets which may be locked down by your organisation, in which case it may be easier to use guest login locally. See Sign-In with Proxy Providers for more details.

import { ProxiedSignInPage } from '@backstage/core-components';

const app = createApp({
components: {
SignInPage: props => {
const configApi = useApi(configApiRef);
if (configApi.getString('auth.environment') !== 'development') {
return <ProxiedSignInPage {...props} provider="azure-easyauth" />;
return (
providers={['guest', 'custom']}
title="Select a sign-in method"
// ..

Azure Configuration

How to configure azure depends on the service you're enable AAD auth on the app service.

Azure App Services

To use EasyAuth with App Services, turn on Active Directory authentication You must also enable the token store.

The following example shows how to do this via a bicep template:

resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {

resource authConfig 'config' = {
name: 'authsettingsV2'
properties: {
globalValidation: {
redirectToProvider: 'AzureActiveDirectory'
requireAuthentication: true
unauthenticatedClientAction: 'RedirectToLoginPage'
login: {
tokenStore: {
enabled: true
platform: {
enabled: true
identityProviders: {
azureActiveDirectory: {
enabled: true
login: {
loginParameters: [ 'domain_hint=MYCOMPANY.COM' ]
registration: {
clientId: 'CLIENT-ID'
clientSecretSettingName: 'CLIENT-SECRET-NAME'
openIdIssuer: '${tenant().tenantId}/v2.0'