Description:

App Service Authentication (also called “App Service Authentication/Authorization”) ensures that only authenticated and authorized users or applications can access the Web App. Enabling authentication helps protect the app from unauthorized access and enforces identity-based security.

Rationale:

Enabling App Service Authentication ensures that all requests to the Web App require identity verification. It prevents unauthorized access, supports integration with identity providers (Azure AD, Microsoft, Google, GitHub, Facebook), and enforces secure access control without adding custom code.

Impact:

If App Service Authentication is not enabled, anonymous users may access the application, which can expose sensitive data or functionality. This increases the risk of unauthorized access, data leaks, compliance failures, and malicious activity.

Default Value:

By default, App Service Authentication in Azure App Service is Off and must be manually enabled and configured.

Pre-requisites:

  • Permissions: Owner, Contributor, or Web App Contributor

  • A suitable identity provider (e.g., Microsoft Entra ID)

  • Knowledge of the app’s authentication requirements

Test Plan:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. In the portal, search for App Services and select the target Web App.

  3. In the left menu, under Settings, click Authentication.

  4. Check the Identity Providers configuration.

  5. Verify that App Service Authentication is enabled in the Authentication Settings.

  6. Confirm that at least one identity provider (e.g., Microsoft Entra ID) is configured.

  7. If not enabled, follow the Implementation Steps.

Implementation Steps:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. In the portal, search for App Services and select the target Web App.

  3. On the left-hand menu, under Settings, click Authentication.

  4. Click Add identity provider.

  5. Select the provider (most secure option: Microsoft Entra ID).

  6. Choose Create New App Registration or select an existing one.

  7. Keep the default settings unless your app needs special configuration.

  8. Click Add to complete the setup.

  9. Save your changes and refresh the page to confirm.

  10. If identity providers are already configured, the Edit option appears beside Authentication settings in that section; use it to enable App Service authentication.

  11. Save your changes and refresh the page to confirm.
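The Test Plan and Implementation Steps above are performed in the portal. As an added example (not part of this benchmark and not Azure's own tooling), the following Python script evaluates the same Test Plan checks against the JSON that `az webapp auth show --name <app> --resource-group <rg>` returns, and builds the Microsoft Entra ID configuration that the Implementation Steps create through the portal. The field names it relies on (`properties.platform.enabled`, `identityProviders`, `globalValidation` for the authsettingsV2 shape; `enabled`, `defaultProvider`, `unauthenticatedClientAction` for the classic shape), the `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET` setting name, and the sample configurations are assumptions constructed for this example.

```python
"""Audit and build App Service Authentication (Easy Auth) settings.

Added example, not part of the benchmark text. The JSON shapes assumed here
are those of `az webapp auth show` (authsettingsV2) and
`az webapp auth-classic show` (classic authsettings); the field names are the
example author's understanding of those schemas and are an assumption.
"""
import json
from typing import Union

# Constructed sample: a Web App in the default state (authentication Off).
SAMPLE_OFF = {
    "properties": {
        "platform": {"enabled": False, "runtimeVersion": "~1"},
        "globalValidation": {"unauthenticatedClientAction": "AllowAnonymous"},
        "identityProviders": {},
    }
}

# Constructed sample: authentication On, Microsoft Entra ID configured,
# anonymous callers redirected to the login page.
SAMPLE_ON = {
    "properties": {
        "platform": {"enabled": True, "runtimeVersion": "~1"},
        "globalValidation": {
            "requireAuthentication": True,
            "unauthenticatedClientAction": "RedirectToLoginPage",
            "redirectToProvider": "azureActiveDirectory",
        },
        "identityProviders": {
            "azureActiveDirectory": {
                "enabled": True,
                "registration": {
                    "clientId": "<app-registration-client-id>",  # placeholder
                    "openIdIssuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
                },
            }
        },
    }
}


def audit_auth_settings(cfg: Union[str, dict]) -> list:
    """Apply the Test Plan checks; an empty list means the control passes.

    Checks: authentication enabled, at least one identity provider enabled,
    and unauthenticated requests not passed straight through to the app.
    """
    doc = json.loads(cfg) if isinstance(cfg, str) else cfg
    props = doc.get("properties")
    if isinstance(props, dict) and "platform" in props:
        # authsettingsV2 shape (assumed field names)
        on = bool(props["platform"].get("enabled", False))
        providers = props.get("identityProviders") or {}
        active = [name for name, p in providers.items()
                  if isinstance(p, dict) and p.get("enabled", True)]
        gv = props.get("globalValidation") or {}
        action = gv.get("unauthenticatedClientAction", "RedirectToLoginPage")
        require = gv.get("requireAuthentication", action != "AllowAnonymous")
    else:
        # classic authsettings shape (assumed field names)
        on = bool(doc.get("enabled", False))
        active = [doc["defaultProvider"]] if doc.get("defaultProvider") else []
        action = doc.get("unauthenticatedClientAction", "RedirectToLoginPage")
        require = action != "AllowAnonymous"

    findings = []
    if not on:
        findings.append("App Service Authentication is Off")
    if not active:
        findings.append("no identity provider is configured")
    if not require:
        findings.append("unauthenticated requests are allowed through (AllowAnonymous)")
    return findings


def build_entra_auth_settings(client_id: str, tenant_id: str,
                              secret_setting_name: str = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET") -> dict:
    """Return an authsettingsV2 document enabling Entra ID with login redirect.

    Mirrors Implementation Steps 4-9. The client secret is referenced by app
    setting name (assumed default name) rather than embedded in the document.
    """
    return {
        "properties": {
            "platform": {"enabled": True, "runtimeVersion": "~1"},
            "globalValidation": {
                "requireAuthentication": True,
                "unauthenticatedClientAction": "RedirectToLoginPage",
                "redirectToProvider": "azureActiveDirectory",
            },
            "identityProviders": {
                "azureActiveDirectory": {
                    "enabled": True,
                    "registration": {
                        "clientId": client_id,
                        "clientSecretSettingName": secret_setting_name,
                        "openIdIssuer": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
                    },
                    "validation": {"allowedAudiences": [f"api://{client_id}"]},
                }
            },
        }
    }


if __name__ == "__main__":
    for label, cfg in (("default (Off)", SAMPLE_OFF), ("configured", SAMPLE_ON)):
        findings = audit_auth_settings(cfg)
        print(f"{label}: {'PASS' if not findings else 'FAIL: ' + '; '.join(findings)}")
    print(json.dumps(build_entra_auth_settings("<client-id>", "<tenant-id>"), indent=2))
```

To run the audit against a real app, pipe the output of `az webapp auth show` into `audit_auth_settings`; a non-empty findings list corresponds to Test Plan step 7 (follow the Implementation Steps). The Backout Plan's end state (provider removed, authentication Off) is reported by the same function as the first two findings.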

Backout Plan:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. In the portal, search for App Services and select your Web App.

  3. Under Settings, go to Authentication.

  4. In the Identity Providers section, delete the configured identity provider(s).

  5. Click Remove App Authentication.

  6. Click Save to apply the changes.

References: