Ensure App Service Authentication is set up for apps in Azure App Service - Webapp

App Service Authentication is a built-in authentication and authorization capability, providing a simple authentication setup method, which can be integrated with multiple login providers (Azure AD, Facebook, Google, Twitter).

Suggest Edits

Risk Level: High
Cloud Entity: Web Apps service
CloudGuard Rule ID: D9.AZU.IAM.08
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

WebApp should have isAuthenticateOn=true

REMEDIATION

From Portal

  1. Go to 'App Services' and choose your App Service.
  2. Under 'Settings, select 'Authentication' on the navigation menu.
  3. If you are using the 'classic Authenticaiton experience':
    3.1 Set 'App Service Authentication' to 'Enabled'.
    3.2 Save.
  4. Else:
    4.1 Press 'Add identity provider'.
  5. Configure new identity provider.

Note: By default, App Service Authentication feature is disabled when a new web application is created using the Azure Command Line Interface (CLI) or Azure Management Console.

From TF
Set the 'enabled' argument under 'auth_settings' to 'true':

resource "azurerm_app_service" "web_app" {
	..
	auth_settings {
		..
		enabled = true
		..
	}
	..
}

From Command Line
Run

az webapp auth update --resource-group RESOURCEGROUPNAME --name APPLICATIONSERVICENAME --enabled true

Note: Additional identity provider configurations are needed when using TF / command line remediation, see documentation.

References

  1. https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
  2. https://docs.microsoft.com/en-us/cli/azure/webapp/auth?view=azure-cli-latest#az_webapp_auth_update
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings

Web Apps service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset

Updated 10 months ago