Azure Stack App Service

  • You want to add an Azure App Service resource provider to your Azure Stack deployment.
  • You’re running Azure Stack in an isolated environment secured by Active Directory Federation Services (AD FS).
  • You want to give your tenants the capability to create web, mobile, and API applications–and Azure Functions applications–with their Azure Stack subscription.

To do so, follow the steps in this article.

LAB : Azure Stack – Add an App Service Resource Provider to a Disconnected Azure Stack Environment Secured by AD FS


Task 1 : Download the required components

 Save it to​​ C:\AppServiceInstaller\AppService.exe

Extract the files from the helper scripts zip file to​​C:\AppServiceDeployHelper. Once extracted the following files and folder structure appear:

  • C:\AppServiceDeployHelper\Create-AppServiceCerts.ps1
  • C:\AppServiceDeployHelper\Create-IdentityApp.ps1
  • C:\AppServiceDeployHelper\Modules\AzureStack.Identity.psm1
  • C:\AppServiceDeployHelper\Modules\GraphAPI.psm1

Task 2 : Create an offline​​ installation package

To deploy App Service in an isolated environment, you must create an offline installation package from a machine that connects to the Internet.

  • Run the App Service on Azure Stack preview installer (AppService.exe) from a machine that’s​​ connected to the Internet.
  • Click the Advanced tab, and click Create offline installation package.

  • The App Service installer creates an offline installation package, displays the path, and gives an option to open the folder.
  • Copy the App Service on​​ Azure Stack preview installer (AppService.exe) and the offline installation package to the Azure Stack host machine.

Task 3 : Create certificates required by App Service on Azure Stack

This first script works with the Azure Stack certificate authority to​​ create three certificates that are needed by App Service. Run the script on the Azure Stack Host ensuring you are running PowerShell as​​ azurestack\AzureStackAdmin:

  • Execute the​​ C:\AppServiceDeployHelper\Create-AppServiceCerts.ps1​​ script. The script​​ creates three certificates, in the same folder as the create certificates script, that are needed by App Service.

Enter a password to secure the​​ .pfx​​ files and make a note of it as you need to enter it in the App Service on Azure Stack Installer.

Create-AppServiceCerts.ps1 Parameters

pfxPassword Required Null Password used to protect the certificate private key
DomainName Required Local.azurestack.external Azure Stack region and Domain Suffix
CertificateAuthority Required AzS- CA01.azurestack.local Certificate Authority Endpoint

Task 4 : Complete the offline installation of App Service on Azure Stack



You MUST use an elevated account (local or domain administrator) to execute the​​ installer. If you sign in as a user, you’re prompted for elevated credentials.

  • Run​​ C:\AppServiceInstaller\AppService.exe​​ as​​ azurestack\AzureStackAdmin.
  • Click the Advanced tab, and click Complete offline installation.
  • Specify the location of the offline installation package you previously created, and click Next.
  • Review and accept the Microsoft Software Prerelease License Terms, and click Next.
  • Review and accept the third-party license terms, and click Next.
  • Review the App Service cloud configuration​​ information, and click Next.

The App Service on Azure Stack installer provides the default values for a one-node Azure Stack installation. If you customized options when you deployed Azure Stack (for example, the domain suffix), you need to edit​​ the values in this window accordingly. For example, if you use the domain suffix, your admin Azure Resource Manager endpoint needs to change to adminmanagement.[region]

  • Click the Connect button next to the Azure Stack Subscriptions box. Enter:

Username -​​ AzureStackAdmin@azurestack.local​​ 

Password –​​ Pa55w.rd1234

Click Sign In.

  • Select your subscription in the Azure Stack Subscriptions box.
  • In the Azure Stack Locations box, select the location that corresponds to the region you’re​​ deploying. For example, select local. Click Next.
  • Enter the Resource Group Name for your App Service deployment. By default, it’s set to APPSERVICE-LOCAL.
  • Enter the Storage Account Name you want App Service to create as part of the installation. By default, it’s set to appsvclocalstor.
  • Enter the SQL Server details for the instance that’s used to host the App Service resource provider databases. Click Next, and the installer validates the SQL connection properties.
  • Click the Browse button next to the App Service default SSL certificate file box. Go to the _.appservice.local.AzureStack.external certificate created earlier.​​ If you specified a different location and domain suffix when you created the certificate, select the corresponding certificate.
  • Enter the​​ certificate password that you set when you created the certificate.
  • Click the Browse button next to the Resource provider SSL certificate file box. Go to the api.appservice.local.AzureStack.external certificate created earlier. If you specified a different location and domain suffix when you created the certificate, select the corresponding certificate.
  • Enter the certificate password that you set when you created the certificate.
  • Click the Browse button next to the Resource provider root certificate file box. Go to the AzureStackCertificationAuthority certificate created earlier.
  • Click Next. The installer verifies the certificate password provided.
  • Review the App Service role configuration. The defaults are populated with the minimum recommended instance SKUs for each role. A summary of core and memory requirements is provided to help plan your deployment. After you make your selections, click Next.
    • Controller: By default, one Standard A1 instance is selected. This is the minimum we recommend. The​​ Controller role is responsible for managing and maintaining the health of the App Service cloud.
    • Management: By default, one Standard A2 instance is selected. To provide failover, we recommend two instances. The Management role is responsible for the App Service Azure Resource Manager and API endpoints, portal extensions (admin, tenant, Functions portal), and the data service.
    • Publisher: By default, one Standard A1 instance is selected. This is the minimum we recommend. The Publisher role is responsible for​​ publishing content via FTP and web deployment.
    • FrontEnd: By default, one Standard A1 instance is selected. This is the minimum we recommend. The FrontEnd role is responsible for routing requests to App Service applications.
    • Shared Worker: By default, one​​ Standard A1 instance is selected, but you might want to add more. As an administrator, you can define your offering and choose any SKU tier. The tiers must have a minimum of one core. The Shared Worker role is responsible for hosting web, mobile, or API applications and Azure Functions apps.

In the technical previews, the App Service resource provider installer also deploys a Standard A1 instance to operate as a simple file server to support the Azure Resource Manager. This remains for a single-node​​ point of contact. For production workloads, at general availability the App Service installer enables the use of a high-availability file server.

  • Choose your deployment Windows Server 2016 VM image from those available in the compute resource provider for​​ the App Service cloud. Click Next.
  • Enter a user name and password for the Worker roles configured in the App Service cloud. Enter a user name and password for all other App Service roles.​​ 

Username – AppSvcAdmin

Password – Pa55w.rd1234

Click Next.

  • On​​ the summary screen, verify the selections you made. To make changes, go back through the screens and modify your selections. If the configuration is how you want it, select the check box. To start the deployment, click Next.
  • Track the installation progress. App Service on Azure Stack takes about 45 to 60 minutes to deploy based on the default selections.
  • After the installer successfully finishes, click Exit.

Task 5 : Configure an AD FS service principal for virtual machine scale set integration on Worker tiers and SSO for the Azure Functions portal and advanced developer tools


These steps apply to AD FS secured Azure Stack environments only.

Administrators need to configure SSO to:

  • Configure a service principal for virtual machine scale set​​ integration on Worker tiers.
  • Enable the advanced developer tools within App Service (Kudu).
  • Enable the use of the Azure Functions portal experience.

Follow these steps:

  • Open a​​ PowerShell​​ instance as​​ azurestack\AzureStackAdmin.
  • Go to the location of the​​ scripts downloaded and extracted in​​ Task 1.
  • Install and configure an Azure Stack PowerShell environment.
  • In the same PowerShell​​ session, run the C:\AppServiceDeployHelper\Create-IdentityApp.ps1 script. When you’re prompted for your Azure Active Directory​​ (Azure AD) tenant ID, enter ADFS.
  • In the Credential window, enter:

Username :​​ AzureStackAdmin@azurestack.local

Password :​​ Pa55w.rd1234

Click OK.

Parameter Required/optional Default value Description
DirectoryTenantName Mandatory Null Use ADFS for the AD​​ FS environment
TenantAzure Resource ManagerEndpoint Mandatory management.local.azurestack.external The tenant Azure Resource Manager endpoint
AzureStackCredential Mandatory Null The AD FS service admin account
CertificateFilePath Mandatory Null Path to​​ the identity application certificate file generated earlier
CertificatePassword Mandatory Null Password used to protect the certificate private key
DomainName Required local.azurestack.external Azure Stack region and domain suffix
AdfsMachineName Optional AD FS machine name, for example, AzS-ADFS01.azurestack.local  
  • Enter the certificate file path and certificate password for the certificate created earlier. The certificate created for this step by default is​​ sso.appservice.local.azurestack.external.pfx.
  • The script creates a new application in the tenant Azure AD and generates a new PowerShell script.
  • Copy the identity app certificate file and the generated script to the CN0-VM by using a remote desktop​​ session.
  • Return to CN0-VM.
  • Open an administrator PowerShell window, and browse to the directory where the script file and certificate were copied in step 7.
  • Run the script file. This script file enters the properties in the App Service on Azure Stack configuration and initiates a repair operation on all FrontEnd and Management roles.

Task 6 : Validate the App Service on Azure Stack installation

  • In the Azure Stack admin portal, browse to the resource group created by the installer. By default, this group is APPSERVICE-LOCAL.
  • Locate the CN0-VM. To connect to the VM, click Connect on the Virtual Machine blade.
  • On the desktop of this VM, double-click Web Cloud Management Console.
  • Go to Managed Servers.
  • When all the machines display Ready for one or more Workers,​​ proceed to step 6.
  • Close the remote desktop machine, and return to the machine where you executed the App Service installer.

You don’t need to wait for one or more Workers to display Ready to complete the installation of App Service on Azure Stack.​​ However, you need a minimum of one Worker that’s ready to deploy a web, mobile, or API app or Azure Functions.

Task 7 : Test drive App Service on Azure Stack

After you deploy and register the App Service resource provider, test it to make sure that tenants can deploy web, mobile, and API apps.


You need to create an offer that has the Microsoft.Web namespace within the plan. Then you need to have a tenant subscription that subscribes to this offer. For more information, see Create offer and Create plan.

You must have a tenant subscription to​​ create applications that use App Service on Azure Stack. The only capabilities that a service admin can complete within the admin portal are related to the resource provider administration of App Service. These capabilities include adding capacity, configuring deployment sources, and adding Worker tiers and SKUs.

As of the third technical preview, to create web, mobile, and API apps you must use the tenant portal and have a tenant subscription.

  • In the Azure Stack tenant portal, click New > Web + Mobile > Web App.
  • On the Web App blade, type a name in the Web app box.
  • Under Resource Group, click New. Then type a name in the Resource Group box.
  • Click App Service plan/Location > Create New.
  • On the App Service plan blade, type a name in the App Service plan box.
  • Click Pricing tier > Free-Shared or Shared-Shared > Select > OK > Create.
  • In under a minute, a tile for the new web app appears on the dashboard. Click the tile.
  • On the Web App blade, click Browse to view the default website for this app.