Azure App Service Web app authentication is Off

ID

app_service_authentication

Severity

low

Vendor

Azure

Resource

App Service

Tags

reachable

Description

Azure App Service Web app authentication should be enabled.

The App Service authentication and authorization middleware (often called Easy Auth) is a platform feature that runs on the same VM as your application. It uses federated identity: a third-party identity provider stores the accounts and authenticates users, and the application relies on the provider's identity information instead of storing credentials itself. Out of the box it supports five identity providers: Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter.

When it is enabled, every incoming HTTP request passes through the middleware before it reaches your application code; when it is Off (the platform default), requests reach the application unauthenticated and none of the following happens. With it enabled, the middleware handles several things for your app:

  • Authenticates users and clients with the specified identity provider(s).

  • Validates, stores, and refreshes OAuth tokens issued by the configured identity provider(s).

  • Manages the authenticated session.

  • Injects identity information into HTTP request headers.
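The last bullet is where application code meets the middleware: Easy Auth injects the caller's identity into the `X-MS-CLIENT-PRINCIPAL-ID`, `X-MS-CLIENT-PRINCIPAL-NAME`, `X-MS-CLIENT-PRINCIPAL-IDP` and `X-MS-CLIENT-PRINCIPAL` headers, the last one being base64-encoded JSON of the form `{"auth_typ": ..., "claims": [{"typ": ..., "val": ...}], "name_typ": ..., "role_typ": ...}`. The example below is added here and is not code from the original page or from Azure; it decodes those headers and, as the security-relevant check, refuses to trust them unless the application knows the middleware is On, because with authentication Off nothing is injected by the platform and any such header was supplied by the client. How the app learns that the middleware is enabled (the `easy_auth_enabled` flag) is an assumption left to your deployment configuration; the sample headers are constructed, not captured from a real app.

```python
import base64
import json
from typing import Optional

# Header names injected by the App Service authentication middleware (Easy Auth).
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL"
PRINCIPAL_ID_HEADER = "X-MS-CLIENT-PRINCIPAL-ID"
PRINCIPAL_NAME_HEADER = "X-MS-CLIENT-PRINCIPAL-NAME"
PRINCIPAL_IDP_HEADER = "X-MS-CLIENT-PRINCIPAL-IDP"


def decode_client_principal(header_value: str) -> dict:
    """Decode the base64 JSON carried in X-MS-CLIENT-PRINCIPAL.

    Returns the provider name ("auth_typ") and a flat {claim_type: value} dict
    built from the "claims" list.
    """
    doc = json.loads(base64.b64decode(header_value))
    claims = {c["typ"]: c["val"] for c in doc.get("claims", [])}
    return {"idp": doc.get("auth_typ"), "claims": claims,
            "name_claim": doc.get("name_typ"), "role_claim": doc.get("role_typ")}


def current_user(headers: dict, easy_auth_enabled: bool) -> Optional[dict]:
    """Return the caller's identity, or None when it cannot be trusted.

    easy_auth_enabled is the application's own knowledge of whether the platform
    middleware is On (assumption: supplied from deployment configuration). With
    the middleware Off the X-MS-CLIENT-PRINCIPAL* headers are never injected by
    the platform, so any value present came from the client and is ignored.
    """
    if not easy_auth_enabled:
        return None
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    principal = h.get(PRINCIPAL_HEADER.lower())
    if not principal:
        return None  # anonymous request that the middleware let through
    info = decode_client_principal(principal)
    return {
        "id": h.get(PRINCIPAL_ID_HEADER.lower()),
        "name": h.get(PRINCIPAL_NAME_HEADER.lower()),
        "idp": h.get(PRINCIPAL_IDP_HEADER.lower()) or info["idp"],
        "claims": info["claims"],
    }


def make_principal_header(auth_typ: str, claims: dict) -> str:
    """Build a constructed X-MS-CLIENT-PRINCIPAL value for the demo.

    This mimics the documented shape; it is not a platform-issued header.
    """
    doc = {"auth_typ": auth_typ,
           "claims": [{"typ": t, "val": v} for t, v in claims.items()],
           "name_typ": "name", "role_typ": "roles"}
    return base64.b64encode(json.dumps(doc).encode()).decode()


# Constructed sample request headers (not captured from a real deployment).
SAMPLE_HEADERS = {
    "X-MS-CLIENT-PRINCIPAL-IDP": "aad",
    "X-MS-CLIENT-PRINCIPAL-ID": "00000000-0000-0000-0000-000000000001",
    "X-MS-CLIENT-PRINCIPAL-NAME": "alice@example.com",
    "X-MS-CLIENT-PRINCIPAL": make_principal_header("aad", {
        "name": "alice@example.com",
        "http://schemas.microsoft.com/identity/claims/objectidentifier":
            "00000000-0000-0000-0000-000000000001",
        "roles": "reader",
    }),
}

if __name__ == "__main__":
    print(current_user(SAMPLE_HEADERS, easy_auth_enabled=True))
    print(current_user(SAMPLE_HEADERS, easy_auth_enabled=False))
```

The point of the `easy_auth_enabled` gate is that the headers are only as trustworthy as the middleware that is supposed to put them there; an application that reads `X-MS-CLIENT-PRINCIPAL-NAME` on an app whose authentication is Off is effectively letting the client choose its own identity.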

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "type": "Microsoft.Web/sites",
    "location": "[resourceGroup().location]",
    "apiVersion": "2021-04-01",
    "name": "bad", (1)
    "kind": "app",
    "resources": [{
      "type": "config",
      "apiVersion": "2021-04-01",
      "name": "authsettings",
      "properties": {
        "enabled": false
      }
    }]
  }]
}
1 App Service authentication is disabled for the web application.

Terraform

resource "azurerm_app_service" "example" {
  # ... The flaw is also present when no auth_settings block is provided at all,
  # because the platform default is disabled.
  auth_settings {
    enabled = false
    # ...
  }

}
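Both flawed forms above (an `authsettings` config with `enabled: false`, and no auth configuration at all) are what this check has to catch. The following is an added example, not the scanner's own implementation or code from the page, of evaluating `app_service_authentication` over a parsed ARM template: it walks `Microsoft.Web/sites` resources, looks for the nested `authsettings` config resource, and reports a finding when it is missing or disabled. It goes a little beyond the page's example in two ways: it also accepts the newer `authsettingsV2` config resource (where the flag lives at `properties.platform.enabled`), and it flags an `enabled` value that is an ARM expression rather than a literal boolean, since that cannot be judged without resolving the parameter. The template dicts are constructed inline to mirror the examples on this page.

```python
# Nested site resources may use the short type "config" or the full
# "Microsoft.Web/sites/config"; their name may be "authsettings" or
# "<site>/authsettings", so only the last path segment is compared.
SITE_TYPE = "microsoft.web/sites"
MSG_MISSING = "no authsettings or authsettingsV2 declared (platform default is Off)"


def _auth_setting(site: dict):
    """Return (setting_name, raw_enabled_value) for the site's auth config,
    or None when neither authsettings nor authsettingsV2 is declared."""
    for child in site.get("resources", []) or []:
        ctype = str(child.get("type", "")).lower()
        cname = str(child.get("name", "")).split("/")[-1]
        if not ctype.endswith("config"):
            continue
        props = child.get("properties") or {}
        if cname.lower() == "authsettings":
            return "authsettings", props.get("enabled", False)
        if cname.lower() == "authsettingsv2":
            # authsettingsV2 keeps the on/off switch under properties.platform.
            return "authsettingsV2", (props.get("platform") or {}).get("enabled", False)
    return None


def check_app_service_authentication(template: dict) -> list:
    """Evaluate the app_service_authentication rule over one ARM template.

    Returns a list of (site_name, reason) findings; an empty list means every
    Microsoft.Web/sites resource has authentication enabled.
    """
    findings = []
    for res in template.get("resources", []) or []:
        if str(res.get("type", "")).lower() != SITE_TYPE:
            continue
        name = res.get("name")
        found = _auth_setting(res)
        if found is None:
            findings.append((name, MSG_MISSING))
            continue
        setting, enabled = found
        if enabled is True:
            continue
        if enabled is False:
            findings.append((name, f"{setting} declares enabled=false"))
        else:
            # e.g. "[parameters('authEnabled')]": cannot be judged statically.
            findings.append((name, f"{setting} enabled is not a literal boolean: {enabled!r}"))
    return findings


def _site(name: str, config: dict = None) -> dict:
    """Constructed ARM site resource for the demo (mirrors the page's examples)."""
    site = {"type": "Microsoft.Web/sites", "apiVersion": "2021-04-01",
            "name": name, "kind": "app", "location": "[resourceGroup().location]"}
    if config is not None:
        site["resources"] = [config]
    return site


# Constructed templates, not real deployments.
BAD = {"resources": [_site("bad", {"type": "config", "apiVersion": "2021-04-01",
                                   "name": "authsettings", "properties": {"enabled": False}})]}
MISSING = {"resources": [_site("no-auth")]}
GOOD = {"resources": [_site("good", {"type": "config", "apiVersion": "2021-04-01",
                                     "name": "authsettings", "properties": {"enabled": True}})]}
GOOD_V2 = {"resources": [_site("good-v2", {"type": "Microsoft.Web/sites/config",
                                           "name": "good-v2/authsettingsV2",
                                           "properties": {"platform": {"enabled": True}}})]}
PARAM = {"resources": [_site("param", {"type": "config", "name": "authsettings",
                                       "properties": {"enabled": "[parameters('authEnabled')]"}})]}

if __name__ == "__main__":
    for label, tpl in [("BAD", BAD), ("MISSING", MISSING), ("GOOD", GOOD),
                       ("GOOD_V2", GOOD_V2), ("PARAM", PARAM)]:
        print(label, check_app_service_authentication(tpl))
```

Treating a missing `authsettings` block as a finding rather than as "unknown" is deliberate: the platform default is Off, so a template that says nothing about authentication deploys an unauthenticated app.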

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "type": "Microsoft.Web/sites",
    "location": "[resourceGroup().location]",
    "apiVersion": "2021-04-01",
    "name": "good", (1)
    "kind": "app",
    "resources": [{
      "type": "config",
      "apiVersion": "2021-04-01",
      "name": "authsettings",
      "properties": {
        "enabled": true
      }
    }]
  }]
}
1 App Service authentication is enabled for the web application.

Terraform

resource "azurerm_app_service" "example" {
  # ...
  auth_settings {
    enabled = true
    # enabled alone only turns the middleware on; anonymous requests are still
    # passed through unless unauthenticated_client_action is set to
    # "RedirectToLoginPage" and an identity provider is configured.
    # ...
  }

}

Newer versions of the azurerm provider replace azurerm_app_service with azurerm_linux_web_app and azurerm_windows_web_app, which take the same auth_settings block.

Runtime

CLI Command

For an existing app, App Service authentication can be enabled with the following command:

$ az webapp auth update \
    --resource-group <RESOURCE_GROUP_NAME> \
    --name <APP_NAME> \
    --enabled true

Enabling the middleware is only half the fix: unless an identity provider is configured and the action for unauthenticated requests (the --action option of the same command) is set to redirect to a login rather than AllowAnonymous, unauthenticated requests still reach the app. Confirm the resulting configuration with az webapp auth show for the same resource group and app name.