Profile Applicability:
- Level 1
Description:
This check ensures that the web app hosted in Azure App Service is configured to register with Azure Active Directory (Azure AD). Enabling this feature allows the web app to authenticate users via Azure AD, providing centralized identity management and secure access to resources.
Rationale:
Registering the app with Azure AD provides a seamless authentication experience for users while ensuring that access is managed according to your organization's identity and access policies. It also helps integrate the app into your organization's broader security ecosystem, leveraging Azure AD's multi-factor authentication (MFA), conditional access policies, and identity protection capabilities.
Impact:
Pros:
Centralizes identity management and integrates the app with Azure AD's security policies.
Provides secure access control and enhances security by using Azure AD for authentication.
Meets compliance requirements by leveraging enterprise-grade identity and access management solutions.
Simplifies the management of user roles and permissions within the app.
Cons:
Requires proper configuration of Azure AD and user permissions.
May impact non-Azure AD users or third-party applications that do not support Azure AD authentication.
Configuration complexity if integrating with other authentication mechanisms.
Default Value:
By default, the "Register with Azure Active Directory" option is not enabled in Azure App Service. It must be manually configured to allow integration with Azure AD.
Pre-requisites:
Ensure that an Azure Active Directory tenant is set up and that appropriate permissions are granted to the app to register with Azure AD.
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the App Services blade.
Select the app you want to review.
Under the Settings section, click on Authentication.
Ensure that Azure Active Directory is listed under the authentication providers.
If Azure AD is not listed, click Add identity provider and select Azure Active Directory to enable registration.
Using Azure CLI:
To check if the app is registered with Azure AD, run the following command:
az webapp auth show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --output json
The output should show that authentication is enabled and that Azure Active Directory is configured as an identity provider (a client ID and token issuer for the app registration are present).
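As an added example (not part of this benchmark), the following Python evaluates the JSON from the command above against this check. It accepts both the classic (SiteAuthSettings) and the newer authsettingsV2 output shapes; the sample documents are constructed, and the script name audit_aad.py is assumed.

```python
import json
import sys

# Constructed sample of the classic (auth v1) shape that `az webapp auth show`
# returns (SiteAuthSettings fields): an app that is registered with Azure AD.
SAMPLE_CLASSIC = {
    "enabled": True,
    "clientId": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app ID
    "unauthenticatedClientAction": "RedirectToLoginPage",
}

# Constructed sample of the auth v2 shape (SiteAuthSettingsV2, returned by newer
# CLI versions): authentication is on but no Azure AD provider is configured.
SAMPLE_V2_MISSING_AAD = {
    "properties": {
        "platform": {"enabled": True},
        "globalValidation": {"unauthenticatedClientAction": "AllowAnonymous"},
        "identityProviders": {},
    }
}

def evaluate_auth_settings(settings):
    """Return (compliant, findings): compliant only when authentication is enabled
    AND an Azure AD provider with a client ID is registered; a warning is added when
    anonymous requests are still allowed, since then the registration is not enforced."""
    findings = []
    props = settings.get("properties")
    if isinstance(props, dict):  # v2 shape
        enabled = bool(props.get("platform", {}).get("enabled"))
        aad = props.get("identityProviders", {}).get("azureActiveDirectory") or {}
        aad_ok = aad.get("enabled", True) and bool(aad.get("registration", {}).get("clientId"))
        action = props.get("globalValidation", {}).get("unauthenticatedClientAction")
    else:  # classic shape: clientId is the Azure AD relying-party client ID
        enabled = bool(settings.get("enabled"))
        aad_ok = bool(settings.get("clientId"))
        action = settings.get("unauthenticatedClientAction")
    if not enabled:
        findings.append("App Service authentication is disabled")
    if not aad_ok:
        findings.append("no Azure AD identity provider with a client ID is configured")
    if enabled and aad_ok and action == "AllowAnonymous":
        findings.append("warning: unauthenticated requests are allowed (AllowAnonymous)")
    return bool(enabled and aad_ok), findings

if __name__ == "__main__":
    # az webapp auth show -g <RESOURCE_GROUP_NAME> -n <APP_NAME> -o json | python audit_aad.py
    ok, notes = evaluate_auth_settings(json.load(sys.stdin))
    print("COMPLIANT" if ok else "NON-COMPLIANT", "; ".join(notes))
    sys.exit(0 if ok else 1)
```

The non-zero exit code lets the script be used as a gate in a compliance pipeline; the AllowAnonymous warning catches apps that are registered with Azure AD but still serve unauthenticated requests.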
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to App Services.
Select the app for which you want to enable Azure AD authentication.
Under the Settings section, click on Authentication.
Click Add identity provider, and select Azure Active Directory.
Choose either Express or Custom depending on your configuration needs.
Click Save to apply the changes.
Using Azure CLI:
To register the app with Azure AD, run the following command, supplying the application (client) ID of the app registration and your Azure AD tenant ID:
az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true --action LoginWithAzureActiveDirectory --aad-client-id <AAD_APP_CLIENT_ID> --aad-token-issuer-url https://sts.windows.net/<TENANT_ID>/
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to App Services.
Select the app for which you want to disable Azure AD registration.
Under the Settings section, click on Authentication.
Set the Authentication option to Off or remove Azure AD as an identity provider.
Click Save to apply the changes.
Using Azure CLI:
To disable Azure AD registration for the app, run the following command:
az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled false