Azure App Service Web App Authentication Is Off

Azure App Service Authentication (often called Easy Auth) is a platform feature that can block anonymous HTTP requests before they reach the app, or validate the tokens carried by authenticated requests before handing them to the app. If an anonymous request arrives from a browser, App Service redirects it to a login page. The login flow can be handled by one of the built-in identity providers or by a custom authentication mechanism.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

Azure App Service Web app authentication is off.
JSON Query:
$.resource.*.azurerm_app_service[*].*[*].auth_settings[*].enabled anyFalse or $.resource.*.azurerm_app_service[*].*[*].auth_settings anyNull
Recommendation:
Make sure App Service Web app authentication is not off.
Every azurerm_app_service resource in the template should carry an "auth_settings" block with "enabled" set to true. The rule fires both when a block sets "enabled" to false and when the block is absent altogether.
For example:
"azurerm_app_service": [
  {
    "<app_service_name>": [
      {
        "app_service_plan_id": "${azurerm_app_service_plan.example.id}",
        "auth_settings": [
          {
            "enabled": true
          }
        ],
        "location": "${azurerm_resource_group.example.location}",
        "name": "example-app-service",
        "resource_group_name": "${azurerm_resource_group.example.name}"
      }
    ]
  }
]
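The following script is an added example, not Prisma Cloud's or the azurerm provider's code. It re-implements the two halves of the JSON query above (anyFalse on auth_settings[*].enabled, anyNull on auth_settings) over a Terraform template that has been converted to JSON in the resource -> type -> [ { label -> [ body ] } ] layout the recommendation uses. The sample template, its resource labels and app names are constructed for the demo; the extra "unauthenticated_client_action" check is a stricter follow-up the page's rule does not make.

```python
"""Build-rule checker for "Azure App Service Web app authentication is off".

Added example (not Prisma Cloud's or HashiCorp's code). It evaluates the
page's JSON query against a JSON-ified Terraform template.
"""
import json
from typing import Any, Iterator

RULE = ('$.resource.*.azurerm_app_service[*].*[*].auth_settings[*].enabled anyFalse '
        'or $.resource.*.azurerm_app_service[*].*[*].auth_settings anyNull')

# Constructed sample template (hypothetical labels and names) covering the
# cases the rule distinguishes: enabled, explicitly disabled, block absent,
# plus an unrelated resource type that must be ignored.
SAMPLE_TEMPLATE: dict = json.loads(r'''
{
  "resource": [
    { "azurerm_app_service": [
        { "ok_app":  [ { "name": "ok-app",
                         "auth_settings": [ { "enabled": true,
                                              "unauthenticated_client_action": "RedirectToLoginPage" } ] } ] },
        { "off_app": [ { "name": "off-app",
                         "auth_settings": [ { "enabled": false } ] } ] }
    ] },
    { "azurerm_app_service": [
        { "bare_app": [ { "name": "bare-app" } ] }
    ] },
    { "azurerm_storage_account": [
        { "logs": [ { "name": "logsa" } ] }
    ] }
  ]
}
''')


def _wildcard(node: Any) -> list:
    """JSONPath '*' / '[*]': every element of a list or every value of an object."""
    if isinstance(node, list):
        return node
    if isinstance(node, dict):
        return list(node.values())
    return []


def iter_app_services(template: dict) -> Iterator[tuple[str, dict]]:
    """Walk $.resource.*.azurerm_app_service[*].*[*] and yield (label, body)."""
    for res in _wildcard(template.get("resource")):
        if not isinstance(res, dict):
            continue
        for entry in _wildcard(res.get("azurerm_app_service")):
            if not isinstance(entry, dict):
                continue
            for label, bodies in entry.items():
                for body in _wildcard(bodies):
                    if isinstance(body, dict):
                        yield label, body


def auth_is_off(body: dict) -> bool:
    """True when the page's rule fires for one resource body.

    anyNull:  no auth_settings block at all (key missing, null or empty list)
    anyFalse: some auth_settings block has enabled == false
    A block that omits 'enabled' is treated as off too: the provider marks the
    attribute Required, so a valid template never relies on a default there.
    """
    blocks = _wildcard(body.get("auth_settings"))
    if not blocks:
        return True
    return any(not isinstance(b, dict) or b.get("enabled") is not True for b in blocks)


def anonymous_explicitly_allowed(body: dict) -> bool:
    """Stricter follow-up check the page's query does not make: authentication is
    on, but unauthenticated_client_action = "AllowAnonymous" still lets anonymous
    requests through to the app."""
    return any(isinstance(b, dict) and b.get("enabled") is True
               and b.get("unauthenticated_client_action") == "AllowAnonymous"
               for b in _wildcard(body.get("auth_settings")))


def find_noncompliant(template: dict) -> list[str]:
    """Sorted labels of azurerm_app_service resources the build rule would flag."""
    return sorted(label for label, body in iter_app_services(template) if auth_is_off(body))


if __name__ == "__main__":
    print("Rule:", RULE)
    for label in find_noncompliant(SAMPLE_TEMPLATE):
        print(f"  FAIL azurerm_app_service.{label}: auth_settings disabled or missing")
```

Run against the constructed template it reports off_app and bare_app and leaves ok_app and the storage account alone, which is exactly the split the anyFalse/anyNull pair encodes.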

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Navigate to App Services.
  3. Click on the reported App.
  4. Under the Settings section, click 'Authentication / Authorization'.
  5. Set 'App Service Authentication' to 'On'.
  6. Choose other parameters as per your requirement and Click on 'Save'.
Remediation CLI Command:
az webapp auth update --resource-group ${resourceGroup} --name ${resourceName} --enabled true
CLI Command Description:
This CLI command requires the 'Microsoft.Web/sites/{app_name}/config/authsettings/*' permission. Successful execution enables App Service authentication, which can block anonymous HTTP requests before they reach the app or validate the tokens of authenticated requests before handing them to the app. Note that '--enabled true' only switches the feature on; to actually reject anonymous requests, also configure an identity provider and set an '--action' such as 'LoginWithAzureActiveDirectory' rather than 'AllowAnonymous'.

Compliance

There are 3 standards that are applicable to this policy:
  • PIPEDA
  • CIS v1.1 (Azure)
  • CCPA 2018
