Ensure Azure App Service Web app authentication is On

Error: Azure App Service Web app authentication is Off

Bridgecrew Policy ID: BC_AZR_GENERAL_2
Checkov Check ID: CKV_AZURE_13
Severity: MEDIUM

Description

Azure App Service Authentication is a feature that prevents anonymous HTTP requests from reaching the API app. Users with tokens are authenticated before they reach the API app. If an anonymous request is received from a browser, App Service redirects to a logon page. To handle the logon process, select from a set of identity providers or implement a custom authentication mechanism.

When App Service Authentication is enabled, every incoming HTTP request passes through it before being handled by the application code. It authenticates users with the specified providers, for example Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter. It also handles validating, storing and refreshing tokens, managing authenticated sessions, and injecting identity information into request headers.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to App Services.
  3. Click each App.
  4. Navigate to the Settings section and click Authentication / Authorization.
  5. Set App Service Authentication to On.
  6. Select additional parameters as per your requirements.
  7. Click Save.

CLI Command

To set App Service Authentication for an existing app, use the following command:

az webapp auth update \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <APP_NAME> \
  --enabled true

Fix - Buildtime

Terraform

  • Resource: azurerm_app_service
  • Argument: auth_settings:enabled
resource "azurerm_app_service" "example" {
		...
+   auth_settings {
+       enabled          = true
    ...
    }
}