Control: 9.1 Ensure App Service Authentication is set on Azure App Service
Description
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
By enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider(Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.
Remediation
From Console
- Login to Azure Portal and go to
App Services
. - Click on each App.
- Under
Settings
section, click onAuthentication(classic)
. - Set
App Service Authentication
toOn
. - Choose other parameters as per your requirement and click on
Save
.
From Command Line
To set App Service Authentication for an existing app, run the following command:
az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true
Note
- In order to access
App Service Authentication
settings for Web app using Microsoft API requiresWebsite Contributor
permission at subscription level. A custom role can be created in place of website contributor to provide more specific permission and maintain the principle of least privileged access. - By default, App Service Authentication is disabled.
- If you need more flexibility than App Service provides, you can also write your own utilities. Secure authentication and authorization require deep understanding of security, including federation, encryption, JSON web tokens (JWT) management, grant types, and so on.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_9_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_9_1 --share
SQL
This control uses a named query:
appservice_authentication_enabled