Ensure App Service Authentication is Set on Azure App Service
Overview
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that carry tokens before they reach the API app. If an anonymous request is received from a browser, App Service redirects it to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom mechanism can be implemented.
Why?
By enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified providers, validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.
Audit
Console
- Log in to the Azure Portal at https://portal.azure.com
- Go to App Services
- Click on each app
- Under the Settings section, click on Authentication / Authorization
- Ensure that App Service Authentication is set to On
Command Line
az webapp auth show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query enabled
Fix
Command Line
az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true
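The audit and fix commands above, combined into a subscription-wide check (an added example, not part of the original benchmark text). It assumes the Azure CLI is installed and logged in, that `az webapp auth show --query enabled -o tsv` prints `true` or `false`, and that REMEDIATE is an environment variable of this script, not an az option.

```shell
#!/usr/bin/env sh
# Audit every web app in the current subscription for App Service Authentication
# and optionally apply the Fix from above. Requires a logged-in Azure CLI.

# Classify the value printed by `az webapp auth show --query enabled -o tsv`.
# Returns 0 when App Service Authentication is enabled, 1 otherwise. Empty
# output (an app with no auth settings at all) counts as disabled.
auth_is_enabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')" in
        true) return 0 ;;
        *)    return 1 ;;
    esac
}

# List every web app as "<name><TAB><resourceGroup>", one per line.
list_webapps() {
    az webapp list --query "[].[name, resourceGroup]" -o tsv
}

# Print PASS/FAIL per app. With REMEDIATE=1, turn the feature on for every
# FAIL using the same command the Fix section gives.
audit_webapps() {
    command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; return 2; }
    list_webapps | while IFS="$(printf '\t')" read -r name rg; do
        state="$(az webapp auth show --resource-group "$rg" --name "$name" \
                     --query enabled -o tsv 2>/dev/null)"
        if auth_is_enabled "$state"; then
            printf 'PASS\t%s\t%s\n' "$rg" "$name"
        else
            printf 'FAIL\t%s\t%s\n' "$rg" "$name"
            if [ "${REMEDIATE:-0}" = "1" ]; then
                az webapp auth update --resource-group "$rg" --name "$name" \
                    --enabled true >/dev/null
            fi
        fi
    done
}

# Run the audit only when invoked as "sh audit_webapp_auth.sh run", so the
# functions can also be sourced and reused without touching Azure.
if [ "${1:-}" = "run" ]; then
    audit_webapps
fi
```

Run it once without REMEDIATE to review the FAIL list, then with REMEDIATE=1 to enable authentication on the non-compliant apps.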
Impact
When it is enabled, every incoming HTTP request passes through it before being handled by the application code, so an extra level of authentication is added to HTTP requests made to the app.