Profile Applicability:

  • Level 2

Description:

Azure App Service Authentication prevents unauthorized access to web applications by enforcing authentication before access is granted. This check verifies that App Service Authentication is enabled for apps running in Azure App Service, so that incoming HTTP requests are authenticated before the application code processes them.

Rationale:

Enabling App Service Authentication provides a mechanism to protect web applications from unauthorized access. It ensures that all HTTP requests pass through an authentication system, which can be configured to use various identity providers such as Azure Active Directory, Facebook, Google, and others. It is critical for securing sensitive applications and meeting compliance requirements for access control.

Impact:

Pros:

  • Adds an extra layer of security by ensuring only authenticated users can access the app.

  • Reduces the risk of unauthorized access and potential data breaches.

  • Simplifies identity management and integrates easily with various identity providers.

Cons:

  • May require additional configuration of identity providers and integration with third-party services.

  • Could block legitimate unauthenticated users or client applications if not properly configured.

Default Value:

By default, App Service Authentication is disabled for newly created Azure Web Apps. It must be manually configured to enable authentication.

Pre-requisites:

  • Ensure that at least one identity provider (Azure Active Directory, Facebook, Google, etc.) is set up.

  • Ensure that appropriate permissions are assigned to the app for using the selected authentication method.

Test Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to the App Services blade.

  3. Click on the app you want to review.

  4. Under the Settings section, click on Authentication.

  5. Ensure that App Service Authentication is set to On.

  6. Verify that an identity provider (such as Azure Active Directory, Facebook, etc.) is configured and active.

Using Azure CLI:

To check the App Service Authentication status for an existing app, run the following command:

az webapp auth show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query enabled

  1. The output should return true if App Service Authentication is enabled.
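As an added example (not part of this benchmark), the script below evaluates the JSON returned by az webapp auth show against steps 5 and 6 of the Test Plan: authentication on, at least one identity provider configured, and unauthenticated requests not admitted. The field names follow the classic SiteAuthSettings output (enabled, unauthenticatedClientAction, clientId, facebookAppId, ...) and are an assumption to verify against your CLI version; the sample settings are constructed.

```python
"""Evaluate `az webapp auth show -o json` output against this control.

Usage:  az webapp auth show -g <RESOURCE_GROUP_NAME> -n <APP_NAME> -o json | python3 check_auth.py
Field names are assumed to match the classic SiteAuthSettings schema.
"""
import json
import sys

# Provider-specific client identifiers (assumed field names); any one set
# means that identity provider is configured for the app.
PROVIDER_FIELDS = {
    "clientId": "Azure Active Directory",
    "facebookAppId": "Facebook",
    "googleClientId": "Google",
    "microsoftAccountClientId": "Microsoft Account",
    "twitterConsumerKey": "Twitter",
}


def configured_providers(settings):
    """Return the names of identity providers that have a client id set."""
    return [name for key, name in PROVIDER_FIELDS.items() if settings.get(key)]


def evaluate(settings):
    """Return a list of findings; an empty list means the app passes this check."""
    findings = []
    if settings.get("enabled") is not True:
        findings.append("App Service Authentication is not enabled")
    if not configured_providers(settings):
        findings.append("no identity provider is configured")
    # Authentication can be 'On' yet still admit anonymous callers (the app is
    # then expected to enforce auth itself); flag it so a reviewer confirms intent.
    if settings.get("unauthenticatedClientAction") == "AllowAnonymous":
        findings.append("unauthenticated requests are allowed through")
    return findings


# Constructed sample outputs (placeholder ids, not real tenants).
COMPLIANT = {"enabled": True, "unauthenticatedClientAction": "RedirectToLoginPage",
             "clientId": "00000000-0000-0000-0000-000000000000",
             "defaultProvider": "AzureActiveDirectory"}
NON_COMPLIANT = {"enabled": False, "unauthenticatedClientAction": "AllowAnonymous",
                 "clientId": None}

if __name__ == "__main__":
    # Read piped CLI output; fall back to the constructed sample when run bare.
    data = NON_COMPLIANT if sys.stdin.isatty() else json.load(sys.stdin)
    result = evaluate(data)
    print("PASS" if not result else "FAIL: " + "; ".join(result))
    sys.exit(1 if result else 0)
```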

Implementation Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to App Services.

  3. Select the app for which you want to enable authentication.

  4. Under the Settings section, click on Authentication.

  5. Click on Add identity provider and select the provider (e.g., Azure Active Directory, Facebook, Google).

  6. Configure the provider as per your requirements and click Add.

  7. Ensure App Service Authentication is set to On.

Using Azure CLI:

To enable authentication for the app, run the following command:

az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true

Identity providers are configured with provider-specific flags on the same command. For example, to configure Azure Active Directory and require login, run:

az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true --action LoginWithAzureActiveDirectory --aad-client-id <CLIENT_ID> --aad-client-secret <CLIENT_SECRET>

(With the authV2 CLI extension installed, the equivalent is az webapp auth microsoft update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --client-id <CLIENT_ID> --client-secret <CLIENT_SECRET>.)

Backout Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to App Services.

  3. Click on the app for which you want to disable authentication.

  4. Under the Settings section, click on Authentication.

  5. Set App Service Authentication to Off.

  6. Save the changes.

Using Azure CLI:

To disable App Service Authentication, run the following command:

az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled false

References: