ARM Template Web App Authentication Settings not working

I got my answer after working with the fine people at Azure Support.

Please note that this solution targets API 2018-02-01 which was the current version at the time of this post.

This sub-resource is no longer a valid solution, while the endpoint may still recognize some of its fields, this is deprecated.

The new solution is to add the siteAuthSettings object to the main 'Microsoft.Web/site' properties and the siteAuthEnabled is no longer needed as siteAuthSettings.enable duplicates this functionality.

Updated ARM Template (removed other settings for brevity)

{
    "name": "[variables('app-service-name')]",
    "type": "Microsoft.Web/sites",
    "location": "[parameters('app-location')]",
    "apiVersion": "2016-08-01",
    "dependsOn": [
        "[variables('app-plan-name')]"
    ],
    "properties": {
        //... other app service settings
        "siteAuthSettings": {
            "enabled": true,
            "unauthenticatedClientAction": "RedirectToLoginPage",
            "tokenStoreEnabled": true,
            "defaultProvider": "AzureActiveDirectory",
            "clientId": "[parameters('web-aad-client-id')]",
            "issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
            "allowedAudiences": [
                "[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
            ]
        }
    }
}

As suggested by @Michael, the siteAuthSettings object must be added to the siteConfig object, not just under the root properties object.

{
    "apiVersion": "2019-08-01",
    "name": "[variables('webAppName')]",
    "type": "Microsoft.Web/sites",
    "kind": "app",
    "location": "[resourceGroup().location]",
    "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('appServiceName'))]"
    ],
    "properties": {
        ...
        "siteConfig": {
            "siteAuthSettings": {
                "enabled": true,
                "unauthenticatedClientAction": "RedirectToLoginPage",
                "tokenStoreEnabled": true,
                "defaultProvider": "AzureActiveDirectory",
                "clientId": "[parameters('clientId')]",
                "issuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/')]"
            }
        }
    }
}