Microsoft AzureOverview
Enabling App Service Authentication is not enough if unauthenticated requests are still allowed through to application code. That mode is valid for intentionally public endpoints, but it should not be the default for sensitive functions.
Require authentication or return an explicit 401/403 response for functions that are not designed to be public.
Remediation guidance
Remediation
Configure App Service Authentication so unauthenticated requests are rejected or redirected to your approved identity provider.
Azure CLI
Return HTTP 401 for unauthenticated API callers:
az webapp auth update \
--resource-group {{asset.azureResourceGroup}} \
--name {{asset.name}} \
--enabled true \
--unauthenticated-client-action Return401
For browser-facing applications, use RedirectToLoginPage where appropriate after the provider is configured.
Validate the global validation setting:
az webapp auth show \
--resource-group {{asset.azureResourceGroup}} \
--name {{asset.name}} \
--query '{enabled:platform.enabled,unauthenticatedClientAction:globalValidation.unauthenticatedClientAction}'
References
- https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
- https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts
Query logic
These are the stored checks tied to this control.
Azure Function Apps allowing anonymous App Service Authentication requests
Connectors
Covered asset types
Expected check: eq []
{
functionApps(
where: {
authSettings_SOME: {
enabled: { eq: true }
OR: [
{ unauthenticatedClientAction: { eq: "AllowAnonymous" } }
{ unauthenticatedClientAction: { eq: "" } }
{ unauthenticatedClientAction: { eq: null } }
]
}
}
) {
...AssetFragment
}
}
