Azure function app authentication is off
ID | azure_function_app_authentication
Severity | low
Vendor | Azure
Resource | App Service
Tags | reachable
Description
Azure Function app authentication should be enabled.
The Azure authentication and authorization middleware component of App Service is a platform feature that runs on the same VM as your application. App Service uses federated identity, in which a third-party identity provider stores accounts and authenticates users. The application relies on the provider's identity information, so the app does not have to store that information itself. It supports five identity providers out of the box: Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter.
When it is enabled, every incoming HTTP request passes through it before being handled by your application. The middleware also handles several other things for your app:
- Authenticates users and clients with the specified identity provider(s).
- Validates, stores, and refreshes OAuth tokens issued by the configured identity provider(s).
- Manages the authenticated session.
- Injects identity information into HTTP request headers.
Examples
ARM
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "bad", (1)
      "location": "[parameters('location')]",
      "kind": "functionapp",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "httpsOnly": true
      },
      "resources": [
        {
          "type": "config",
          "apiVersion": "2019-08-01",
          "name": "authsettings",
          "properties": {
            "enabled": false
          }
        }
      ]
    }
  ]
}
1 | Function app does not enable authentication. |
Terraform
resource "azurerm_function_app" "bad" { (1)
  name                       = "my-funct"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  # No auth_settings block: App Service authentication keeps its default, which is disabled
}
1 | FLAW, authentication disabled by default |
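The following is an added example, not code from the original page or from any scanner: a small Python check that implements this rule over ARM templates. It flags every Microsoft.Web/sites resource of kind functionapp that has no authsettings config with enabled set to true, looking both at config resources nested inside the site and at top-level Microsoft.Web/sites/config resources named "<site>/authsettings". The template below is constructed inline from the page's "bad" and "good" examples plus a third app that declares no authsettings at all.

```python
import json

# Constructed ARM template: the "bad" and "good" function apps from this page,
# plus "noauth", which declares no authsettings config at all.
TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Web/sites", "apiVersion": "2022-03-01", "name": "bad",
     "kind": "functionapp",
     "resources": [{"type": "config", "apiVersion": "2019-08-01",
                    "name": "authsettings", "properties": {"enabled": false}}]},
    {"type": "Microsoft.Web/sites", "apiVersion": "2022-03-01", "name": "good",
     "kind": "functionapp",
     "resources": [{"type": "config", "apiVersion": "2019-08-01",
                    "name": "authsettings", "properties": {"enabled": true}}]},
    {"type": "Microsoft.Web/sites", "apiVersion": "2022-03-01", "name": "noauth",
     "kind": "functionapp,linux", "properties": {"httpsOnly": true}}
  ]
}
""")


def _auth_enabled(site, top_level):
    """True only if an authsettings config for this site sets enabled=true.
    Checks child resources nested in the site and top-level
    Microsoft.Web/sites/config resources named "<site>/authsettings"."""
    candidates = [c for c in site.get("resources", [])
                  if c.get("type", "").lower() == "config"
                  and c.get("name", "").lower() == "authsettings"]
    wanted = f"{site.get('name', '').lower()}/authsettings"
    candidates += [r for r in top_level
                   if r.get("type", "").lower() == "microsoft.web/sites/config"
                   and r.get("name", "").lower() == wanted]
    # No authsettings at all means the platform default, which is disabled.
    return any(c.get("properties", {}).get("enabled") is True for c in candidates)


def find_unauthenticated_function_apps(template):
    """Return the names of function apps whose App Service authentication
    is not explicitly enabled, in template order."""
    resources = template.get("resources", [])
    return [r.get("name", "") for r in resources
            if r.get("type", "").lower() == "microsoft.web/sites"
            and "functionapp" in r.get("kind", "").lower()
            and not _auth_enabled(r, resources)]


if __name__ == "__main__":
    print(find_unauthenticated_function_apps(TEMPLATE))  # ['bad', 'noauth']
```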
Mitigation / Fix
Buildtime
ARM
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "good", (1)
      "location": "[parameters('location')]",
      "kind": "functionapp",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "httpsOnly": true
      },
      "resources": [
        {
          "type": "config",
          "apiVersion": "2019-08-01",
          "name": "authsettings",
          "properties": {
            "enabled": true
          }
        }
      ]
    }
  ]
}
1 | Function app enables authentication. |
Terraform
resource "azurerm_function_app" "good" {
  name                       = "my-funct"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  auth_settings {
    enabled = true (1)
    # ... configure the identity provider(s) here
  }
}
1 | Authentication is explicitly enabled on the function app. |