Blocking an authentication provider
According to the documentation it is possible to block an authentication provider. That is a sensible thing to do. Twitter, later X, was among the default providers, and given its owner/CEO and his (non-)concern for the well-being of its users/customers, that is not one I would trust to be really safe and free of hackable backdoors. The safest option would be to block all providers except the ones you are really going to need. But that is a challenge, as Static Web Apps authentication does not seem to be designed with such security in mind.
Blocking a provider
The documentation states that a provider can be blocked by adding a provider-specific rule to the routes in staticwebapp.config.json. E.g.:
    {
      ...
      "routes": [
        ...
        {
          "route": "/.auth/login/github",
          "statusCode": 404
        }
        ...
      ],
      ...
    }
That works. But you have to know all of the providers and add a rule for each of them. That is really not the way to do it, as a change in the Static Web Apps platform may enable new providers before the website has a chance to react. A related issue has been open for four years, so apparently Microsoft doesn't care about this.
The 404 is also not very user friendly; it would be better to redirect to the allowed provider or to a page explaining which ones are allowed.
Workaround to block all?
Based on the way routing works, you could think of a few workarounds. The obvious test is to check whether a wildcard would work:
    {
      "route": "/.auth/login/*",
      "statusCode": 404
    }
That doesn't work at all. Entering the URL https://<mydomain>/.auth/login/github in a browser still redirects to the GitHub login page.
The only way to block a provider is the documented one, or at least a route that names a specific provider. Apparently the blocking mechanism does not go through the routing system itself; it reads the routing configuration and applies its own matching rules, which do not honour wildcards.
Workaround to redirect?
While experimenting with various route configurations, I noticed that some routing features still work when a route for a specific provider is specified. So perhaps we can get rid of the 404 and do a redirect after all.
The most obvious solution seems to be to redirect to the login page:
    {
      "route": "/.auth/login/github",
      "redirect": "/login",
      "statusCode": 302
    }
That doesn't work. Entering the URL https://<mydomain>/.auth/login/github in a browser returns a blank page instead of redirecting. Well, at least the authentication provider can't be used, but it is not user friendly.
But rewrites do work:
    {
      "route": "/.auth/login/github",
      "rewrite": "/.auth/login/aad"
    }
Entering the URL https://<mydomain>/.auth/login/github in a browser redirects to the login page for a personal/Entra ID Microsoft account. However, as this is undocumented behaviour, it is not really secure: Microsoft could change the implementation at any time and the provider would silently become accessible again.
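Since both the documented 404 rule and the rewrite variant have to be spelled out per provider, the practical defence is to generate those exact-route rules from an allow-list and to audit the deployed config for providers that slipped through. The following helper is an added example, not code from the post or from Microsoft. The provider list is an assumption (the three providers named on this page) and has to be kept in sync with the Static Web Apps documentation, which is precisely the maintenance burden described above; the audit deliberately ignores wildcard routes because the post shows they do not block anything.

```python
import json

# Assumption: the providers named in this post. New default providers added by the
# platform are NOT covered until this tuple is updated, which is the whole problem.
KNOWN_PROVIDERS = ("aad", "github", "twitter")


def block_rules(allowed, known=KNOWN_PROVIDERS, rewrite_to=None):
    """Return one exact route rule per provider that is not in `allowed`.

    rewrite_to=None   -> rule answers 404 (documented behaviour).
    rewrite_to="aad"  -> rule rewrites to that provider's login page (undocumented
                         behaviour observed in the post; may stop working at any time).
    """
    if rewrite_to is not None and rewrite_to not in allowed:
        raise ValueError("rewrite target must itself be an allowed provider")
    rules = []
    for provider in known:
        if provider in allowed:
            continue
        rule = {"route": f"/.auth/login/{provider}"}
        if rewrite_to is None:
            rule["statusCode"] = 404
        else:
            rule["rewrite"] = f"/.auth/login/{rewrite_to}"
        rules.append(rule)
    return rules


def merge_into_config(config, rules):
    """Return a copy of a staticwebapp.config.json dict with the blocking rules
    placed first in "routes"; any existing rule for the same route is replaced."""
    new = json.loads(json.dumps(config))  # deep copy via JSON round-trip
    blocked_routes = {r["route"] for r in rules}
    kept = [r for r in new.get("routes", []) if r.get("route") not in blocked_routes]
    new["routes"] = rules + kept
    return new


def unblocked_providers(config, allowed, known=KNOWN_PROVIDERS):
    """Audit: providers outside `allowed` that have no exact-route rule which either
    returns 404 or rewrites to an allowed provider. Wildcard routes are ignored on
    purpose, since the post shows "/.auth/login/*" does not block anything."""
    by_route = {r.get("route"): r for r in config.get("routes", [])}
    allowed_logins = {f"/.auth/login/{p}" for p in allowed}
    leaks = []
    for provider in known:
        if provider in allowed:
            continue
        rule = by_route.get(f"/.auth/login/{provider}")
        blocked = rule is not None and (
            rule.get("statusCode") == 404 or rule.get("rewrite") in allowed_logins
        )
        if not blocked:
            leaks.append(provider)
    return leaks


if __name__ == "__main__":
    # Constructed sample config that relies on the (ineffective) wildcard rule.
    sample = {"routes": [{"route": "/.auth/login/*", "statusCode": 404}]}
    print("leaks before:", unblocked_providers(sample, {"aad"}))
    hardened = merge_into_config(sample, block_rules({"aad"}))
    print("leaks after: ", unblocked_providers(hardened, {"aad"}))
    print(json.dumps(hardened, indent=2))
```

Run the audit against the config you actually deploy, not the one you intended to deploy; the generator only helps if the provider list is current, so a failing audit after a platform update is the signal the post says the platform itself does not give you.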
