diff --git a/infrastructure/modules/container-app/README.md b/infrastructure/modules/container-app/README.md
index ab9db346..5df1d479 100644
--- a/infrastructure/modules/container-app/README.md
+++ b/infrastructure/modules/container-app/README.md
@@ -106,6 +106,21 @@ module "container-app" {
}
```
+### Excluding paths from authentication
+
+You can exclude specific paths from authentication using the `auth_excluded_paths` variable. These paths will respond without requiring authentication, which is useful for health checks or version endpoints.
+
+Example:
+```hcl
+module "container-app" {
+ ...
+ enable_entra_id_authentication = true
+ auth_excluded_paths = ["/healthcheck", "/sha"]
+}
+```
+
+By default, no paths are excluded (`auth_excluded_paths = []`).
+
## Alerts
To enable container app alerting:
diff --git a/infrastructure/modules/container-app/main.tf b/infrastructure/modules/container-app/main.tf
index c725dda6..3325b0b6 100644
--- a/infrastructure/modules/container-app/main.tf
+++ b/infrastructure/modules/container-app/main.tf
@@ -192,6 +192,7 @@ resource "azapi_resource" "auth" {
}
globalValidation = {
unauthenticatedClientAction = var.unauthenticated_action
+ excludedPaths = var.auth_excluded_paths
}
identityProviders = {
azureActiveDirectory = {
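Review bot: `excludedPaths = var.auth_excluded_paths` hands the list to the platform with no shape check, so a mistyped entry such as `healthcheck` (no leading slash) or an empty string is only discovered after apply, and each listed path is served to anonymous callers for every method. The cheapest guard is a `validation` block on the variable in the variables.tf hunk of this same commit, rejecting entries that are not absolute paths; the azapi `auth` resource that this block belongs to starts outside the hunk. I have not confirmed from this page which wildcard forms the platform accepts for `excludedPaths`, so the check below only enforces the leading `/`; tighten it if the team wants to forbid wildcards outright.
```hcl
variable "auth_excluded_paths" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for p in var.auth_excluded_paths : can(regex("^/", p))])
    error_message = "Each entry in auth_excluded_paths must be an absolute path beginning with '/'."
  }
}
```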
diff --git a/infrastructure/modules/container-app/tfdocs.md b/infrastructure/modules/container-app/tfdocs.md
index 57d4e446..a98f419e 100644
--- a/infrastructure/modules/container-app/tfdocs.md
+++ b/infrastructure/modules/container-app/tfdocs.md
@@ -88,6 +88,14 @@ Type: `string`
Default: `null`
+### [auth\_excluded\_paths](#input\_auth\_excluded\_paths)
+
+Description: List of paths to exclude from authentication (e.g., ["/healthcheck", "/sha"]). These paths will respond without requiring authentication.
+
+Type: `list(string)`
+
+Default: `[]`
+
### [enable\_alerting](#input\_enable\_alerting)
Description: Whether monitoring and alerting is enabled for the PostgreSQL Flexible Server.
diff --git a/infrastructure/modules/container-app/variables.tf b/infrastructure/modules/container-app/variables.tf
index 26c4c68c..baee9420 100644
--- a/infrastructure/modules/container-app/variables.tf
+++ b/infrastructure/modules/container-app/variables.tf
@@ -128,6 +128,12 @@ variable "unauthenticated_action" {
}
}
+variable "auth_excluded_paths" {
+ description = "List of paths to exclude from authentication (e.g., [\"/healthcheck\", \"/sha\"]). These paths will respond without requiring authentication."
+ type = list(string)
+ default = []
+}
+
# Always fetch the AAD client secret from Key Vault
variable "infra_key_vault_name" {
description = "Name of Key Vault to retrieve the AAD client secrets"
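Review bot: The description of `auth_excluded_paths` says the paths "respond without requiring authentication" but does not say what that means for the reviewer deciding what to put there: every entry is reachable by anyone who can reach the app, so the list should be limited to endpoints that return no user or tenant data. A sentence in the description would make that explicit, e.g. `"List of absolute paths served to unauthenticated callers when Entra ID authentication is enabled (e.g., [\"/healthcheck\", \"/sha\"]). Only list endpoints that expose no sensitive data."`. The same wording belongs in the tfdocs.md and README.md entries added by this commit, since tfdocs.md appears to be generated from this description.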