Ensure that the App Service Authentication feature is enabled for your Microsoft Azure App Service web applications, so that an extra layer of security sits in front of the authentication process implemented by the application code itself.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
By default, the App Service Authentication feature is disabled when a new web application is created with the Azure Command Line Interface (CLI) or the Azure Management Console. As a result, every new application has anonymous access enabled, and users can reach it without being prompted to sign in. Once Azure App Service Authentication is enabled, every incoming HTTP request passes through it before it is handled by the web application code. The feature also authenticates users against a configured identity provider (Microsoft Entra ID, Google, Facebook, Twitter or Microsoft Account), validates, stores and refreshes access tokens, manages the authenticated sessions, and injects identity information into the request headers that reach the application.
Audit
To determine if Microsoft Azure App Service Authentication is enabled, perform the following actions:
Remediation / Resolution
To enable and configure Microsoft Azure App Service Authentication for your existing web apps, perform the following actions:
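As an added example that is not part of the Conformity rule page, the Python script below classifies the JSON returned by `az webapp auth show` for each web app and prints the matching `az webapp auth update` command for apps that fail the check. The app names, the sample settings and the `authsettings` field names used here are constructed assumptions for illustration.

```python
import json

# Constructed sample of `az webapp auth show` output for three apps (legacy
# "authsettings" shape; field names are assumed from the Azure CLI docs).
# Real input comes from: az webapp auth show --name <app> --resource-group <rg>
SAMPLE_AUTH_SETTINGS = {
    "shop-frontend": json.dumps({"enabled": False, "unauthenticatedClientAction": None,
                                 "defaultProvider": None}),
    "intranet-portal": json.dumps({"enabled": True,
                                   "unauthenticatedClientAction": "RedirectToLoginPage",
                                   "defaultProvider": "AzureActiveDirectory"}),
    "api-gateway": json.dumps({"enabled": True,
                               "unauthenticatedClientAction": "AllowAnonymous",
                               "defaultProvider": "AzureActiveDirectory"}),
}


def audit_app(auth_show_json: str) -> list[str]:
    """Return the findings for one app; an empty list means the app is compliant."""
    s = json.loads(auth_show_json)
    findings = []
    if not s.get("enabled"):
        findings.append("App Service Authentication is disabled")
        return findings  # nothing else is meaningful while the feature is off
    # Added check (assumption): the feature can be on yet still pass anonymous
    # requests to app code when the unauthenticated action is AllowAnonymous.
    if s.get("unauthenticatedClientAction") == "AllowAnonymous":
        findings.append("enabled, but unauthenticated requests are allowed through")
    if not s.get("defaultProvider"):
        findings.append("enabled, but no default identity provider is configured")
    return findings


def remediation_command(app: str, resource_group: str) -> str:
    """Build the `az webapp auth update` call that enforces sign-in (Entra ID here)."""
    return (f"az webapp auth update --name {app} --resource-group {resource_group} "
            "--enabled true --action LoginWithAzureActiveDirectory")


def audit_all(settings: dict[str, str]) -> dict[str, list[str]]:
    """Map each non-compliant app name to its findings."""
    return {app: audit_app(raw) for app, raw in settings.items() if audit_app(raw)}


if __name__ == "__main__":
    for app, findings in audit_all(SAMPLE_AUTH_SETTINGS).items():
        print(f"{app}: {'; '.join(findings)}")
        print("  fix:", remediation_command(app, "<resource-group>"))
```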
References
- Azure Official Documentation
- App Service
- Authentication and authorization in Azure App Service and Azure Functions
- Configure your App Service or Azure Functions app to use Microsoft Entra ID login
- Configure your App Service or Azure Functions app to use Facebook login
- Configure your App Service or Azure Functions app to use Google login
- Configure your App Service or Azure Functions app to use Microsoft Account login
- Configure your App Service or Azure Functions app to use Twitter login
- CIS Microsoft Azure Foundations
- Azure PowerShell Documentation
- az webapp
- az webapp list
- az webapp auth
- az webapp auth show
- az webapp auth update