Azure · seligj95 · Jan 12, 2026 · Jan 12, 2026 · Jan 13, 2026 · Jan 13, 2026
@@ -1907,6 +1907,9 @@
   - name: Create a container webapp with an image pulled from a private Azure Container Registry using a User Assigned Managed Identity
     text: >
         az webapp create -g MyResourceGroup -p MyPlan -n MyUniqueAppName --container-image-name myregistry.azurecr.io/docker-image:tag --assign-identity MyAssignIdentities --acr-use-identity --acr-identity MyUserAssignedIdentityResourceId
+  - name: Create a web app with end-to-end encryption enabled and minimum TLS version 1.2
+    text: >
+        az webapp create -g MyResourceGroup -p MyPlan -n MyUniqueAppName --end-to-end-encryption-enabled true --min-tls-version 1.2
 """
 
 helps['webapp create-remote-connection'] = """

@@ -328,6 +328,13 @@ def load_arguments(self, _):
                                         'Use \'[system]\' to refer system assigned identity, or a resource id to refer user assigned identity.')
         c.argument('basic_auth', help='Enable or disable basic auth for both SCM and FTP Basic Auth Publishing Credentials. Defaults to Enabled if not specified. See https://aka.ms/app-service-basic-auth to learn more.', arg_type=get_enum_type(BASIC_AUTH_TYPES))
         c.argument('auto_generated_domain_name_label_scope', options_list=['--domain-name-scope'], help="Specify the scope of uniqueness for the default hostname during resource creation.", arg_type=get_enum_type(AutoGeneratedDomainNameLabelScope))
+        c.argument('end_to_end_encryption_enabled', options_list=['--end-to-end-encryption-enabled', '-e'],
+                   help='Enable or disable end-to-end encryption between the Front End and the Workers.',
+                   arg_type=get_three_state_flag(return_label=True))
+        c.argument('min_tls_version',
+                   help="The minimum version of TLS required for SSL requests, e.g., '1.0', '1.1', '1.2'")
+        c.argument('min_tls_cipher_suite', options_list=['--min-tls-cipher-suite'],
+                   help="The minimum TLS Cipher Suite required for requests, e.g., 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'")
         c.ignore('language')
         c.ignore('using_webapp_up')
 
@@ -444,6 +451,9 @@ def load_arguments(self, _):
         c.argument('minimum_elastic_instance_count', options_list=["--minimum-elastic-instance-count", "-i"], type=int, is_preview=True, help="Minimum number of instances. App must be in an elastic scale App Service Plan.")
         c.argument('prewarmed_instance_count', options_list=["--prewarmed-instance-count", "-w"], type=int, is_preview=True, help="Number of preWarmed instances. App must be in an elastic scale App Service Plan.")
         c.argument('basic_auth', help='Enable or disable basic auth.', arg_type=get_enum_type(BASIC_AUTH_TYPES))
+        c.argument('end_to_end_encryption_enabled', options_list=['--end-to-end-encryption-enabled', '-e'],
+                   help='Enable or disable end-to-end encryption between the Front End and the Workers.',
+                   arg_type=get_three_state_flag(return_label=True))
 
     with self.argument_context('webapp browse') as c:
         c.argument('logs', options_list=['--logs', '-l'], action='store_true',

@@ -126,7 +126,8 @@ def create_webapp(cmd, resource_group_name, name, plan, runtime=None, startup_fi
                   using_webapp_up=False, language=None, assign_identities=None,
                   role='Contributor', scope=None, vnet=None, subnet=None, https_only=False,
                   public_network_access=None, acr_use_identity=False, acr_identity=None, basic_auth="",
-                  auto_generated_domain_name_label_scope=None):
+                  auto_generated_domain_name_label_scope=None, end_to_end_encryption_enabled=None,
+                  min_tls_version=None, min_tls_cipher_suite=None):
     from azure.mgmt.web.models import Site
     from azure.core.exceptions import ResourceNotFoundError as _ResourceNotFoundError
     SiteConfig, SkuDescription, NameValuePair = cmd.get_models(
@@ -238,10 +239,17 @@ def create_webapp(cmd, resource_group_name, name, plan, runtime=None, startup_fi
     if acr_use_identity:
         site_config.acr_use_managed_identity_creds = acr_use_identity
 
+    if min_tls_version:
+        site_config.min_tls_version = min_tls_version
+
+    if min_tls_cipher_suite:
+        site_config.min_tls_cipher_suite = min_tls_cipher_suite
+
     webapp_def = Site(location=location, site_config=site_config, server_farm_id=plan_info.id, tags=tags,
                       https_only=https_only, virtual_network_subnet_id=subnet_resource_id,
                       public_network_access=public_network_access, vnet_route_all_enabled=vnet_route_all_enabled,
-                      auto_generated_domain_name_label_scope=auto_generated_domain_name_label_scope)
+                      auto_generated_domain_name_label_scope=auto_generated_domain_name_label_scope,
+                      end_to_end_encryption_enabled=end_to_end_encryption_enabled)
     if runtime:
         runtime = _StackRuntimeHelper.remove_delimiters(runtime)
 
@@ -2109,7 +2117,7 @@ def set_webapp(cmd, resource_group_name, name, slot=None, skip_dns_registration=
 
 
 def update_webapp(cmd, instance, client_affinity_enabled=None, https_only=None, minimum_elastic_instance_count=None,
-                  prewarmed_instance_count=None):
+                  prewarmed_instance_count=None, end_to_end_encryption_enabled=None):
     if 'function' in instance.kind:
         raise ValidationError("please use 'az functionapp update' to update this function app")
     if minimum_elastic_instance_count or prewarmed_instance_count:
@@ -2133,6 +2141,8 @@ def update_webapp(cmd, instance, client_affinity_enabled=None, https_only=None,
         instance.client_affinity_enabled = client_affinity_enabled == 'true'
     if https_only is not None:
         instance.https_only = https_only == 'true'
+    if end_to_end_encryption_enabled is not None:
+        instance.end_to_end_encryption_enabled = end_to_end_encryption_enabled == 'true'
 
     if minimum_elastic_instance_count is not None:
         from azure.mgmt.web.models import SiteConfig
@@ -3133,7 +3143,7 @@ def update_site_configs(cmd, resource_group_name, name, slot=None, number_of_wor
     for arg in args[3:]:
         if arg in int_flags and values[arg] is not None:
             values[arg] = validate_and_convert_to_int(arg, values[arg])
-        if arg != 'generic_configurations' and values.get(arg, None):
+        if arg not in ['generic_configurations'] and values.get(arg, None):
             setattr(configs, arg, values[arg] if arg not in bool_flags else values[arg] == 'true')
 
     generic_configurations = generic_configurations or []