πŸ›‘οΈ Azure App Service Authentication is disabled and Basic Authentication is enabled🟒

  • Contextual name: 🛡️ Authentication is disabled and Basic Authentication is enabled 🟢
  • ID: /ce/ca/azure/app-service/enable-app-auth-and-disable-basic-auth
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY, SECURITY

Similar Internal Rules

  • Rule: ✉️ dec-x-ca52f63a2

Description

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a web application or authenticate those requests with tokens before they reach the app. If an anonymous request is received from a browser, App Service redirects to a login page. To handle the login process, you can choose from a set of identity providers or implement a custom authentication mechanism.

Rationale

By enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storage and refreshing of tokens, management of authenticated sessions, and injection of identity information into request headers. Disabling HTTP Basic Authentication (used by the publishing credentials) additionally ensures that legacy authentication methods are not available on the application.

Impact

This setting is only appropriate for App Services that actually require authenticated access. Enabling it on a site such as a marketing or support website will block unauthenticated visitors, which may be undesirable.


Remediation

From Azure Portal

  1. Log in to the Azure portal using https://portal.azure.com.
  2. Go to App Services.
  3. Select each app.
  4. Under Settings, select Authentication.
  5. If no identity providers are set up, then click Add identity provider.
  6. Choose other parameters as required and click Add.

To disable the Basic Auth Publishing Credentials setting, perform the following steps:

  1. Log in to the Azure portal using https://portal.azure.com.
  2. Go to App Services.
  3. Select each app.
  4. Under Settings, select Configuration.
  5. Select the General Settings tab.
  6. Under Platform settings, ensure Basic Auth Publishing Credentials is set to Off.

From Azure CLI

To set App Service Authentication for an existing app, run the following command:

az webapp auth update \
--resource-group {{resource-group-name}} \
--name {{app-name}} \
--enabled true

Note: Accessing App Service authentication settings for a web app using the Microsoft API requires Website contributor permission at the subscription level. A custom role can be created in place of Website contributor to provide more specific permissions and maintain the principle of least privilege.
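The two remediation paths above fix the two conditions this policy checks: App Service Authentication must be enabled, and Basic Auth publishing credentials (SCM and FTP) must be off. The following Python is an added example, not the policy's own rule logic or Azure's code, that evaluates exported app settings against both conditions so the remediation can be verified across many apps at once. The dictionary shapes are assumptions modelled on the JSON returned by `az webapp auth show` (a top-level `enabled` flag in the v1 config, `platform.enabled` in the v2 config) and by `az resource show` on the `basicPublishingCredentialsPolicies/scm` and `/ftp` child resources (`properties.allow`); the field names and the assumed default of "allowed" when the policy resource is absent should be checked against real CLI output before relying on them. The sample inventory is constructed, not real tenant data.

```python
"""Evaluate App Service apps against this policy: App Service Authentication
enabled, and Basic Auth publishing credentials (SCM and FTP) switched off.

Added example, not part of the policy page. Field names below are assumptions
modelled on `az webapp auth show` and `az resource show` output.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    app: str
    compliant: bool
    issues: list = field(default_factory=list)   # policy violations
    notes: list = field(default_factory=list)    # observations that do not fail the check


def auth_enabled(auth_settings: dict) -> bool:
    """App Service Authentication on/off, accepting either config shape (assumed)."""
    platform = auth_settings.get("platform")
    if isinstance(platform, dict):                         # v2 shape: platform.enabled
        return bool(platform.get("enabled", False))
    return bool(auth_settings.get("enabled", False))       # v1 shape: top-level enabled


def unauthenticated_action(auth_settings: dict) -> str:
    """What the platform does with anonymous requests (e.g. RedirectToLoginPage)."""
    gv = auth_settings.get("globalValidation")
    if isinstance(gv, dict):                               # v2 shape
        return str(gv.get("unauthenticatedClientAction", ""))
    return str(auth_settings.get("unauthenticatedClientAction", ""))


def basic_auth_allowed(policy: dict) -> bool:
    """basicPublishingCredentialsPolicies expose properties.allow (assumed).
    An absent or empty policy document is treated as the assumed default: allowed."""
    return bool(policy.get("properties", {}).get("allow", True))


def evaluate_app(name: str, auth_settings: dict, scm_policy: dict, ftp_policy: dict) -> Finding:
    issues, notes = [], []
    if not auth_enabled(auth_settings):
        issues.append("App Service Authentication is disabled")
    elif unauthenticated_action(auth_settings) == "AllowAnonymous":
        # Not a violation of this policy, but worth surfacing: the app code, not the
        # platform, decides what happens to anonymous requests.
        notes.append("Authentication is enabled but anonymous requests are passed to the app")
    if basic_auth_allowed(scm_policy):
        issues.append("SCM Basic Auth publishing credentials are enabled")
    if basic_auth_allowed(ftp_policy):
        issues.append("FTP Basic Auth publishing credentials are enabled")
    return Finding(name, not issues, issues, notes)


def evaluate_inventory(inventory: dict) -> dict:
    """inventory: app name -> {"auth": <auth settings>, "scm": <policy>, "ftp": <policy>}"""
    return {
        app: evaluate_app(app, cfg.get("auth", {}), cfg.get("scm", {}), cfg.get("ftp", {}))
        for app, cfg in inventory.items()
    }


# Constructed sample inventory (not real tenant data).
SAMPLE_INVENTORY = {
    "legacy-api": {                          # the state this policy flags
        "auth": {"enabled": False, "unauthenticatedClientAction": "AllowAnonymous"},
        "scm": {"properties": {"allow": True}},
        "ftp": {"properties": {"allow": True}},
    },
    "hardened-portal": {                     # remediated state, v2 config shape
        "auth": {
            "platform": {"enabled": True},
            "globalValidation": {"unauthenticatedClientAction": "RedirectToLoginPage"},
        },
        "scm": {"properties": {"allow": False}},
        "ftp": {"properties": {"allow": False}},
    },
    "half-done": {                           # auth on, FTP publishing credentials still on
        "auth": {"enabled": True, "unauthenticatedClientAction": "RedirectToLoginPage"},
        "scm": {"properties": {"allow": False}},
        "ftp": {"properties": {"allow": True}},
    },
}

if __name__ == "__main__":
    for finding in evaluate_inventory(SAMPLE_INVENTORY).values():
        print(("PASS " if finding.compliant else "FAIL ") + finding.app)
        for issue in finding.issues:
            print("    - " + issue)
        for note in finding.notes:
            print("    note: " + note)
```

In practice the inventory would be built by looping over `az webapp list` and saving the per-app `auth`, `scm` and `ftp` documents; the checker treats a missing publishing-credentials policy as still allowed, so an app that was never explicitly hardened shows up as non-compliant rather than silently passing.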


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v1.1.0 → 💼 9.1 Ensure App Service Authentication is set on Azure App Service 11 no data
💼 CIS Azure v1.3.0 → 💼 9.1 Ensure App Service Authentication is set on Azure App Service - Level 2 (Automated) 11 no data
💼 CIS Azure v1.4.0 → 💼 9.1 Ensure App Service Authentication is set up for apps in Azure App Service - Level 2 (Automated) 11 no data
💼 CIS Azure v1.5.0 → 💼 9.1 Ensure App Service Authentication is set up for apps in Azure App Service - Level 2 (Automated) 11 no data
💼 CIS Azure v2.0.0 → 💼 9.1 Ensure App Service Authentication is set up for apps in Azure App Service - Level 2 (Automated) 11 no data
💼 CIS Azure v2.1.0 → 💼 9.1 Ensure App Service Authentication is set up for apps in Azure App Service - Level 2 (Automated) 1 no data
💼 CIS Azure v3.0.0 → 💼 9.2 Ensure App Service Authentication is set up for apps in Azure App Service (Automated) 1 no data
💼 Cloudaware Framework → 💼 Secure Access 75 no data
💼 Cloudaware Framework → 💼 System Configuration 69 no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) 237105 no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H) 21 no data
💼 FedRAMP High Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) 21416 no data
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) 61437 no data
💼 FedRAMP Low Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) 8 no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) 137 no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) 189 no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H) 21 no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) 216 no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) 437 no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights 312 no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets 1127 no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control 1431 no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction 1024 no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code 822 no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes 1934 no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties 1756 no data
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions 413 no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) 1923 no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented 4791 no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events 181 no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained 89 no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization 43 no data
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions 13 no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated 53 no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties 133 no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected 187 no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected 160 no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected 184 no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage 123 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement 3269123 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement | Processing Domains 3133 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement | Detection of Unsanctioned Information 910 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access | Protection of Confidentiality and Integrity Using Encryption 1221 no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication 1824 no data
💼 UK Cyber Essentials → 💼 1.3 Block unauthenticated inbound connections by default 23 no data