Ensure App Service Authentication is Set on Azure App Service

Overview

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that carry tokens before they reach the API app. If an anonymous request is received from a browser, App Service redirects it to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom mechanism can be implemented.

Why?

By enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified providers, validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.

Audit

Console

  1. Log in to the Azure Portal at https://portal.azure.com
  2. Go to App Services
  3. Click on each app
  4. Under the Settings section, click on Authentication / Authorization
  5. Ensure that App Service Authentication is set to On

Command Line

az webapp auth show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query enabled

Fix

Command Line

az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true
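The single-app Audit and Fix commands above can be run across a whole subscription. The script below is an added example, not part of this page or of the Azure CLI documentation: it assumes the Azure CLI (az) is installed and logged in, and that "enabled" is the top-level key in the JSON printed by az webapp auth show (the CLI prints keys alphabetically, so it is the first "enabled" key that appears).

```shell
#!/bin/sh
# Added example: subscription-wide audit of App Service Authentication.
# Assumes `az` is installed and logged in; no jq needed.

# Classify one `az webapp auth show` JSON document.
# Prints "enabled", "disabled" or "unknown" (field missing or unparseable).
# Assumption: the first "enabled" key in the document is the top-level one.
auth_state() {
  # $1 = JSON text from `az webapp auth show -o json`
  case "$(printf '%s' "$1" | tr -d ' \n\r\t' | grep -o '"enabled":[a-z]*' | head -n 1)" in
    '"enabled":true')  echo enabled ;;
    '"enabled":false') echo disabled ;;
    *)                 echo unknown ;;
  esac
}

# Audit step, extended to every app in the subscription: prints one line
# (resource group, app name, state) per app that is NOT compliant.
audit_all_apps() {
  az webapp list --query "[].[resourceGroup,name]" -o tsv |
  while read -r rg name; do
    state=$(auth_state "$(az webapp auth show --resource-group "$rg" --name "$name" -o json)")
    [ "$state" = enabled ] || printf '%s\t%s\t%s\n' "$rg" "$name" "$state"
  done
}

# Fix step for one app: $1 = resource group, $2 = app name.
enable_auth() {
  az webapp auth update --resource-group "$1" --name "$2" --enabled true >/dev/null
}

# Only call Azure when explicitly asked, so the file can be sourced without side effects.
if [ "${AUDIT_RUN:-0}" = 1 ]; then
  audit_all_apps
fi
```

Run with AUDIT_RUN=1 to list the non-compliant apps, then pass each resource group and app name to enable_auth to remediate.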

Impact

When it is enabled, every incoming HTTP request passes through App Service Authentication before being handled by the application code, so an extra layer of authentication is applied to HTTP requests made to the app.