Detections
Analytics

9.2 Ensure App Service Authentication is set up for apps in Azure App Service

Information

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.

Rationale:

By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. Disabling HTTP Basic Authentication functionality further ensures legacy authentication methods are disabled within the application.

Impact:

This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable.

Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication.

Solution

Remediate from Azure Portal

Login to Azure Portal using https://portal.azure.com

Go to App Services

Click on each App

Under Setting section, click on Authentication

If no identity providers are set up, then click Add identity provider

Choose other parameters as per your requirements and click on Add

To disable the Basic Auth Publishing Credentials setting, perform the following steps:

Login to Azure Portal using https://portal.azure.com

Go to App Services

Click on each App

Under Settings, click on Configuration

Click on the 'General Settings' tab

Under Platform settings, ensure Basic Auth Publishing Credentials is set to Off

Remediate from Azure CLI
To set App Service Authentication for an existing app, run the following command:

az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true

Note
In order to access App Service authentication settings for Web app using Microsoft API requires Website contributor permission at subscription level. A custom role can be created in place of Website contributor to provide more specific permission and maintain the principle of least privileged access.

Default Value:

By default, App Service Authentication is disabled when a new app is created using the command-line tool or Azure Portal console.

See Also

https://workbench.cisecurity.org/benchmarks/16820

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: microsoft_azure

Control ID: bcf78eb49e53b4e061bd5ac2e31990e140354d49b886db36e9e7dea196801f51