Skip to main content

lacework-global-642

Set up App Service Authentication for apps in Azure App Service (Automated)

Profile Applicability

• Level 2

Description

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. In the case of anonymous requests from a browser, App Service redirects to a logon page. To handle the logon process, you can choose from a set of identity providers, or implement a custom authentication mechanism.

Rationale

By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.

Impact

This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable.

Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication.

Audit

From Azure Portal

  1. Login to Azure Portal using https://portal.azure.com
  2. Go to App Services
  3. Click on each App
  4. Under Setting section, Click on Authentication
  5. Ensure that App Service authentication set to Enabled (Will only appear once an Identity provider is set up/selected)

From Azure CLI

To check App Service Authentication status for an existing app, run the following command,

az webapp auth show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query enabled

The output should return true if App Service authentication is set to On.

Remediation

From Azure Portal

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to App Services.
  3. Click each App.
  4. Under Setting section, click Authentication.
  5. If no identity providers exist, then click Add identity provider.
  6. Choose other parameters as per your requirements and click Add.

From Azure CLI

To set App Service Authentication for an existing app, run the following command:

az webapp auth update --resource-group <resource_group_name> --name <app_name> --enabled true

Note

In order to access App Service authentication settings for Web app using Microsoft API requires Website contributor permission at subscription level. You can create a custom role in place of Website contributor to provide more specific permission and maintain the principle of least privileged access.

References

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy

Additional Information

You are not required to use App Service for authentication and authorization. Many web frameworks come with security features, and you can use them if you like. If you need more flexibility than App Service provides, you can also write your own utilities. Secure authentication and authorization require deep understanding of security, including federation, encryption, JSON Web Tokens (JWT) management, grant types, and so on.