
Enable App Service Authentication

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AppService-010

Ensure that App Service Authentication feature is enabled for Microsoft Azure App Service to add an extra layer of security to the authentication process implemented by your web applications.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

By default, the App Service Authentication feature is disabled when a new web application is created using the Azure Command Line Interface (CLI) or the Azure Management Console. All new applications therefore accept anonymous requests, and users can reach the application without ever being prompted to sign in. When Azure App Service Authentication is enabled, every incoming HTTP request passes through it before being handled by the web application code. The feature also handles authentication of users with a specific provider (Microsoft Entra ID, Google, Facebook, Twitter or Microsoft Account), validation, storage and refreshing of access tokens, management of the authenticated sessions, and injection of identity information into request headers.


Audit

To determine if Microsoft Azure App Service Authentication is enabled, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name (link) of the web application that you want to examine.

04 In the navigation panel, under Settings, select Authentication / Authorization to access the authentication configuration settings available for the selected application.

05 On the Authentication / Authorization panel, check the App Service Authentication configuration setting. If the setting status is Off, the Microsoft Azure App Service Authentication feature is not enabled for the selected web application.

06 Repeat steps no. 3 – 5 for each Azure App Service application deployed in the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications deployed in the current Azure subscription:

az webapp list \
	--query '[*].id'

02 The command output should return the requested application identifiers (IDs):

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp"
]

03 Run the webapp auth show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as the identifier parameter and custom query filters to describe the App Service Authentication feature status for the selected web application:

az webapp auth show \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp" \
	--query 'enabled'

04 The command output should return the App Service Authentication configuration status (true for enabled, false for disabled):

false

If the webapp auth show command output returns false, as shown in the example above, the Microsoft Azure App Service Authentication feature is not enabled for the selected web application.

05 Repeat steps no. 3 and 4 for each Azure App Service application available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
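The following script automates audit steps 1 to 6 above for every subscription in the account. It is an added example, not Conformity's own tooling; beyond the commands already shown it assumes a signed-in az CLI, the `az account list` command and the global `--subscription` argument, and it classifies each app's authsettings document with a pure function that can be tested offline.

```python
"""Audit Conformity rule AppService-010 across every subscription in the account.

Added example (not Conformity's own tooling). It drives the real Azure CLI
(az account list / az webapp list / az webapp auth show) and evaluates the
returned authsettings document with the pure function evaluate_auth_settings().
"""
import json
import subprocess


def az(*args):
    """Run an az CLI command and return its parsed JSON output (None if empty)."""
    result = subprocess.run(["az", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout) if result.stdout.strip() else None


def evaluate_auth_settings(settings):
    """Classify one web app's authsettings as FAIL, WARN or PASS with a reason.

    FAIL: App Service Authentication is Off (the rule's non-compliant state).
    WARN: enabled, but unauthenticated requests are passed through to the
          application code (AllowAnonymous), or the Token Store is Off.
    """
    if not settings or not settings.get("enabled"):
        return "FAIL", "App Service Authentication is Off"
    notes = []
    if settings.get("unauthenticatedClientAction") == "AllowAnonymous":
        notes.append("anonymous requests reach application code; "
                     "authorization must be enforced there")
    if not settings.get("tokenStoreEnabled"):
        notes.append("Token Store is Off")
    if notes:
        return "WARN", "; ".join(notes)
    return "PASS", "redirects unauthenticated requests to " + str(settings.get("defaultProvider"))


def audit_all_subscriptions():
    """Return (status, app_id, reason) for every web app in every subscription."""
    findings = []
    for sub in az("account", "list"):
        app_ids = az("webapp", "list", "--subscription", sub["id"], "--query", "[*].id") or []
        for app_id in app_ids:
            status, reason = evaluate_auth_settings(az("webapp", "auth", "show", "--ids", app_id))
            findings.append((status, app_id, reason))
    return findings


if __name__ == "__main__":
    for status, app_id, reason in sorted(audit_all_subscriptions()):
        print(f"{status:4} {app_id}  ({reason})")
```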

Remediation / Resolution

To enable and configure Microsoft Azure App Service Authentication for your existing web apps, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right web app).

04 In the navigation panel, under Settings, select Authentication / Authorization to access the authentication configuration settings available for the selected application.

05 On the Authentication / Authorization panel, perform the following actions:

  1. Select On under App Service Authentication configuration setting to enable the feature.
  2. From the Action to take when request is not authenticated dropdown list, choose one of the following:
    • Select Allow Anonymous requests (no action) if you want more flexibility in handling anonymous requests as it lets you present multiple sign-in providers to your app users. This option defers authorization of unauthenticated user traffic to your web application code. To use this option, you have to write code.
    • Select Log in with <provider-name> to allow only authenticated requests. Microsoft Azure App Service redirects all anonymous requests to /.auth/login/<provider> for the provider that you choose. If the anonymous request comes from a native mobile application, the returned response is an HTTP 401 Unauthorized. To use this option, you don't have to write any authentication code for your web application.
  3. If you choose to authenticate requests with an authentication provider, select the suitable provider from the Authentication Providers list and configure it by following the Microsoft Azure documentation for the selected provider. Azure App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow. The identity providers available by default are: Microsoft Entra ID, Microsoft Account, Google, Facebook and Twitter. Once you enable authentication and authorization with one of these providers, its sign-in endpoint is available for user authentication and for validation of authentication tokens from the specified provider.
  4. Under Advanced Settings, select On next to Token Store to store the authentication tokens. Azure App Service Token Store is a repository of tokens that are associated with the users of your web applications, APIs, or native mobile apps. When you enable authentication with any of the providers listed at the previous step, the Token Store is immediately available to your application.
  5. If required, paste the application redirect URL(s) in the Allowed External Redirect URLs box.
  6. Click Save to apply the configuration changes.

06 Repeat steps no. 3 – 5 for each Azure App Service application that you want to reconfigure for secure authentication and authorization, available in the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the webapp auth update command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Service web app that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right web app) to enable the App Service Authentication feature for the selected web application. For example, the following command request enables the App Service Authentication feature for a web application identified by the ID "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp", with authentication token storage enabled, using Google as the authentication provider:

az webapp auth update \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp" \
	--enabled true \
	--action LoginWithGoogle \
	--google-client-id "123456789012-abcd1234abcd1234abcd1234abcd1234.apps.googleusercontent.com" \
	--google-client-secret "abcdabcdabcdabcdabcdabcd" \
	--token-store true

02 The command output should return the metadata for the reconfigured Azure App Service web application:

{
  "additionalLoginParams": null,
  "allowedAudiences": null,
  "allowedExternalRedirectUrls": null,
  "clientId": null,
  "clientSecret": null,
  "clientSecretCertificateThumbprint": null,
  "defaultProvider": "Google",
  "enabled": true,
  "facebookAppId": null,
  "facebookAppSecret": null,
  "facebookOauthScopes": null,
  "googleClientId": "123456789012-abcd1234abcd1234abcd1234abcd1234.apps.googleusercontent.com",
  "googleClientSecret": "abcdabcdabcdabcdabcdabcd",
  "googleOauthScopes": null,
  "id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project5-webapp/config/authsettings",
  "issuer": null,
  "kind": null,
  "location": "West Europe",
  "microsoftAccountClientId": null,
  "microsoftAccountClientSecret": null,
  "microsoftAccountOauthScopes": null,
  "name": "authsettings",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "runtimeVersion": "1.0.0",
  "tags": {},
  "tokenRefreshExtensionHours": null,
  "tokenStoreEnabled": true,
  "twitterConsumerKey": null,
  "twitterConsumerSecret": null,
  "type": "Microsoft.Web/sites/config",
  "unauthenticatedClientAction": "RedirectToLoginPage",
  "validateIssuer": null
}

03 Repeat steps no. 1 and 2 for each Azure App Service application that you want to reconfigure for secure authentication and authorization, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

Publication date Oct 2, 2019