Azure App Service should have authentication enabled

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

Azure App Service Authentication is a powerful feature that prevents anonymous HTTP requests from reaching your app and allows authentication before reaching app APIs. It offers customizable options for identity providers or custom authentication mechanisms. Enabling this feature ensures that all incoming HTTP requests go through the authentication process, handling user authentication, token validation, storage, and session management. Note that it should only be enabled for app services that require authentication, as it increases costs and requires additional security components.

Remediation

From the console

  1. Login to Azure Portal.
  2. Go to App Services
  3. Click on each App
  4. Under Setting section, click on Authentication / Authorization
  5. Set App Service Authentication to On
  6. Choose other parameters as per your requirement and click Save

Note: An IDP needs to be setup for the settings in step 4 to show in the console.

From the command line

To set App Service Authentication for an existing app, run the following command:

az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true

References

  1. Authentication and authorization in Azure App Service and Azure Functions
  2. Built in Roles: Website Contributor
  3. PA-5: Automate entitlement management
  4. GS-6: Define identity and privileged access strategy

Additional Information: You’re not required to use App Service for authentication and authorization. Many web frameworks are bundled with security features, and you can use them instead. If you need more flexibility than App Service provides, you can also write your own utilities. Secure authentication and authorization require deep understanding of security, including federation, encryption, JSON web tokens (JWT) management, grant types, etc.

PREVIEWING: mervebolat/span-id-preprocessing