Microsoft AzureOverview
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
Rationale
By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. Disabling HTTP Basic Authentication functionality further ensures legacy authentication methods are disabled within the application.
Impact
This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable.
Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication.
Remediation guidance
Remediate from Azure Portal
- Open the web app using the
Open in Azurebutton. - Under
Settingsection, click onAuthentication - If no identity providers are set up, then click
Add identity provider - Choose other parameters as per your requirements and click on
Add
To disable the Basic Auth Publishing Credentials setting, perform the following steps:
- Login to Azure Portal using https://portal.azure.com
- Go to
App Services - Click on each App
- Under
Settings, click onConfiguration - Click on the 'General Settings' tab
- Under
Platform settings, ensureBasic Auth Publishing Credentialsis set toOff
Remediate from Azure CLI
To set App Service Authentication for an existing app, run the following command:
az webapp auth update --resource-group --name --enabled true
Note
In order to access App Service authentication settings for Web app using Microsoft API requires Website contributor permission at subscription level. A custom role can be created in place of Website contributor to provide more specific permission and maintain the principle of least privileged access.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure App Services without authentication
Connectors
Covered asset types
Expected check: eq []
{
sites(where: { authSettings: { enabled: true } }) {
...AssetFragment
}
}
