Control: 9.2 Ensure App Service Authentication is set up for apps in Azure App Service
Description
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. Disabling HTTP Basic Authentication functionality further ensures legacy authentication methods are disabled within the application.
Remediation
From Azure Portal
- Login to Azure Portal using https://portal.azure.com.
- Go to
App Services
. - Click on each App.
- Under
Setting
section, click onAuthentication
. - If no identity providers are set up, then click
Add identity provider
. - Choose other parameters as per your requirements and click on
Add
.
To disable the Basic Auth Publishing Credentials
setting, perform the following steps:
- Login to Azure Portal using https://portal.azure.com.
- Go to
App Services
. - Click on each App.
- Under
Settings
, click onConfiguration
. - Click on the 'General Settings' tab.
- Under
Platform settings
, ensureBasic Auth Publishing Credentials
is set toOff
.
From Azure CLI
To set App Service Authentication for an existing app, run the following command:
az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true
Note: In order to access App Service authentication
settings for Web app using Microsoft API requires Website contributor
permission at subscription level. A custom role can be created in place of Website contributor
to provide more specific permission and maintain the principle of least privileged access.
Default Value
By default, App Service Authentication is disabled when a new app is created using the command-line tool or Azure Portal console.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_9_2
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v300_9_2 --share
SQL
This control uses a named query:
appservice_authentication_enabled