Azure App Service Web app authentication is off
Description
Azure App Service Authentication is a feature that prevents anonymous HTTP requests from reaching the API app. Users with tokens are authenticated before they reach the API app. If an anonymous request is received from a browser, App Service redirects to a logon page. To handle the logon process, select from a set of identity providers or implement a custom authentication mechanism. Enabling App Service Authentication allows every incoming HTTP request to pass through it before being handled by the application code. Authentication of users with specified providers are handled, for example, Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter. It also handles authentication of validation, storing and refreshing of tokens, managing the authenticated sessions, and injecting identity information into request headers.
Code Example
resource "azurerm_app_service" "example" {
...
+ auth_settings {
+ enabled = true
...
}
}Remediation
- Azure Portal To change the policy using the Azure Portal, follow these steps:*
. Log in to the Azure Portal at https://portal.azure.com.
. Navigate to * App Services*.
. Click each * App*.
. Navigate to the * Setting* section, click * Authentication / Authorization*.
. Set * App Service Authentication * to* * On*.
. Select additional parameters as per your requirements.
. Click * Save*.
- CLI Command*
To set * App Service Authentication* for an existing app, use the following command:
az webapp auth update --resource-group & lt;RESOURCE_GROUP_NAME> --name & lt;APP_NAME> --enabled true
=== Fix - Buildtime
Terraform
- Resource: azurerm_app_service
- Arguments: auth_settings:enabled
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0524 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | ARM, Terraform, Bicep, TerraformPlan |
| Checkov ID | CKV_AZURE_13 |