Risk Level: High
Cloud Entity: Azure functions
CloudGuard Rule ID: D9.AZU.IAM.14
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

FunctionApp should have isAuthenticateOn=true

REMEDIATION

From Portal

Go to 'Function Apps' from Azure Management console and choose your function App.
Under 'Settings, select 'Authentication' on the navigation menu.
If you are using the 'classic Authenticaiton experience':
3.1 Set 'App Service Authentication' to 'Enabled'.
3.2 Save.
Else:
4.1 Press 'Add identity provider'.
Configure new identity provider.

Note: By default, App Service Authentication feature is disabled when a new Function app is created using the Azure Command Line Interface (CLI) or Azure Management Console.

From TF
Set the 'enabled' argument under 'auth_settings' to 'true':

resource 'azurerm_function_app' 'example' {
	..
	auth_settings {
		..
		enabled = true
		..
	}
	..
}

Note: additional identity provider configurations are needed when using TF / command line remediation, see documentation.

From Command Line
Run

az webapp auth update --resource-group RESOURCEGROUPNAME --name FUNCTIONAPPNAME --enabled true

Note: There is no auth command available specific to Function apps (this is a known issue),however app services auth command works fine with the function app.

References

Azure functions

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.

Compliance Frameworks

AZU PCI-DSS 4.0
Azure CIS Foundations v. 1.3.1
Azure CIS Foundations v. 1.4.0
Azure CIS Foundations v. 1.5.0
Azure CIS Foundations v.2.0
Azure CloudGuard Best Practices
Azure ITSG-33
Azure NIST 800-53 Rev 5
Azure Security Risk Management
CloudGuard Azure All Rules Ruleset