How to activate Azure Active Directory Authentication for an App Service while avoiding “You do not have permission to view this directory or page.” errors

  1. In the App Service’s Authentication / Authorization menu blade
    1. Set App Service Authentication to On
    2. Action to take when request is not authentication should be Log in with Azure Active Directory
    3. Create a new Azure AD App
    4. Test logging into your web app and confirm it doesn’t work, failing with this error message You do not have permission to view this directory or page.
  2. Then, in your organization’s Azure Active Directory section
    1. Go to App registrations -> YourApp -> API permissions
    2. Remove any PowerApps Runtime Service permissions (in my case, it was user_impersonation)
    3. Wonder why it was necessary for this permission to be added by default, then go on with your life

How to log into the right subscription using the Azure CLI

az login --tenant <your-tenant-id>

# check your subscriptions, see what's default and what's not
az account list --output table

# just in case you want to see the tenants, too
az account list --output table --query "[].{tenant:homeTenantId, name:name, id_:id, isDefault: isDefault, state:state}"

# set the default subscription, this is the one you'll run your commands against
az account set --subscription "<your-subscription-id>"

Naming guidelines/conventions for Azure resources

These guides from Microsoft Learn are quite good:

Ip Forbidden (CODE: 403) when trying to deploy an Azure Function from a GitHub action

The error message:

  Error: Failed to fetch Kudu App Settings.
Ip Forbidden (CODE: 403)
    at Kudu.<anonymous> (/home/runner/work/_actions/Azure/functions-action/v1/lib/appservice-rest/Kudu/azure-app-kudu-service.js:69:23)
    at (<anonymous>)
    at fulfilled (/home/runner/work/_actions/Azure/functions-action/v1/lib/appservice-rest/Kudu/azure-app-kudu-service.js:5:58)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

In my case, the Azure Function’s Networking policy had been changed to Public network access=Disabled. Solved this by adding a private endpoint to the function, setting Integrate with private DNS zone = No.