
πŸ›‘οΈ Azure App Service Authentication is disabled and Basic Authentication is enabled🟒

  • Contextual name: πŸ›‘οΈ Authentication is disabled and Basic Authentication is enabled🟒
  • ID: /ce/ca/azure/app-service/enable-app-auth-and-disable-basic-auth
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY, SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-ca52f63a2

Description

Azure App Service Authentication is a feature that can block anonymous HTTP requests from reaching a web application, or authenticate requests that carry tokens before they reach the app. If an anonymous request is received from a browser, App Service redirects it to a login page. To handle the login process, you can choose from a set of identity providers or implement a custom authentication mechanism.

Rationale

By enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), token validation, storing and refreshing of tokens, managing authenticated sessions, and injecting identity information into request headers. Disabling HTTP Basic Authentication further ensures that legacy authentication methods are turned off for the application.

Impact

This is only required for App Services that need authentication. Enabling it on a site such as a marketing or support website would block unauthenticated access, which is undesirable there.

Remediation

From Azure Portal

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Go to App Services.
  3. Click on each App.
  4. Under the Settings section, click on Authentication.
  5. If no identity providers are set up, click Add identity provider.
  6. Choose the other parameters as per your requirements and click Add.

To disable the Basic Auth Publishing Credentials setting, perform the following steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Go to App Services.
  3. Click on each App.
  4. Under Settings, click on Configuration.
  5. Click on the General Settings tab.
  6. Under Platform settings, ensure Basic Auth Publishing Credentials is set to Off.

From Azure CLI

To set App Service Authentication for an existing app, run the following command:

az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true

Note: Accessing the App Service authentication settings of a web app through the Microsoft API requires the Website Contributor role at the subscription level. A custom role can be created in place of Website Contributor to grant more specific permissions and maintain the principle of least-privilege access.
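The remediation above is applied one app at a time; the condition the policy ID describes (App Service Authentication on, Basic Auth publishing credentials off for both the SCM and FTP endpoints) can be evaluated automatically from the JSON the Azure CLI returns. The script below is an added example and is not part of this policy page or its policy.yaml. It assumes two output shapes: `az webapp auth show` returning either a top-level `enabled` field (classic site auth settings) or `properties.platform.enabled` (authsettingsV2), and `az resource show ... --resource-type basicPublishingCredentialsPolicies --name scm|ftp --parent sites/<APP_NAME>` returning `properties.allow`. The sample documents are constructed inline so the script runs offline; a missing `allow` field is treated as "allowed" so the auditor fails closed.

```python
"""Audit App Service apps for: authentication enabled AND basic-auth
publishing credentials (scm + ftp) disabled.

Added example, not the policy's own code. The JSON shapes read here are
assumptions about Azure CLI output:
  az webapp auth show -g <RG> -n <APP>                      -> "enabled" or
                                                               "properties.platform.enabled"
  az resource show -g <RG> --name scm|ftp --namespace Microsoft.Web \
      --resource-type basicPublishingCredentialsPolicies \
      --parent sites/<APP>                                  -> "properties.allow"
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass
class AppFinding:
    app: str
    auth_enabled: bool
    scm_basic_auth_allowed: bool
    ftp_basic_auth_allowed: bool

    @property
    def compliant(self) -> bool:
        # The policy passes only when all three conditions hold.
        return (self.auth_enabled
                and not self.scm_basic_auth_allowed
                and not self.ftp_basic_auth_allowed)

    def reasons(self) -> list[str]:
        """Human-readable list of why the app fails (empty when compliant)."""
        out = []
        if not self.auth_enabled:
            out.append("App Service Authentication is disabled")
        if self.scm_basic_auth_allowed:
            out.append("Basic Auth publishing credentials (SCM) are enabled")
        if self.ftp_basic_auth_allowed:
            out.append("Basic Auth publishing credentials (FTP) are enabled")
        return out


def auth_enabled_from(auth_json: str) -> bool:
    """Read the enabled flag from `az webapp auth show` output (assumed shapes)."""
    doc = json.loads(auth_json)
    platform = doc.get("properties", {}).get("platform")
    if isinstance(platform, dict) and "enabled" in platform:
        return bool(platform["enabled"])        # authsettingsV2 shape
    return bool(doc.get("enabled", False))      # classic siteAuthSettings shape


def basic_auth_allowed_from(policy_json: str) -> bool:
    """Read properties.allow from a basicPublishingCredentialsPolicies resource.
    A missing field counts as allowed, so an odd document cannot mask a finding."""
    doc = json.loads(policy_json)
    return bool(doc.get("properties", {}).get("allow", True))


def evaluate_app(app: str, auth_json: str, scm_json: str, ftp_json: str) -> AppFinding:
    return AppFinding(
        app=app,
        auth_enabled=auth_enabled_from(auth_json),
        scm_basic_auth_allowed=basic_auth_allowed_from(scm_json),
        ftp_basic_auth_allowed=basic_auth_allowed_from(ftp_json),
    )


# Constructed sample CLI output for two hypothetical apps (not real resources).
CONSTRUCTED_SAMPLES = {
    "web-prod": {
        "auth": '{"properties": {"platform": {"enabled": true}}}',
        "scm": '{"name": "scm", "properties": {"allow": false}}',
        "ftp": '{"name": "ftp", "properties": {"allow": false}}',
    },
    "web-legacy": {
        "auth": '{"enabled": false, "unauthenticatedClientAction": "AllowAnonymous"}',
        "scm": '{"name": "scm", "properties": {"allow": true}}',
        "ftp": '{"name": "ftp", "properties": {}}',   # allow missing -> treated as allowed
    },
}


def evaluate_all(samples: dict) -> dict[str, AppFinding]:
    return {app: evaluate_app(app, d["auth"], d["scm"], d["ftp"])
            for app, d in samples.items()}


if __name__ == "__main__":
    for finding in evaluate_all(CONSTRUCTED_SAMPLES).values():
        status = "PASS" if finding.compliant else "FAIL"
        print(f"{status} {finding.app}: {'; '.join(finding.reasons()) or 'ok'}")
```

To run it against a real subscription, replace the constructed strings with the output of the two `az` commands named in the module docstring for each app; the evaluation logic is unchanged. The fail-closed default on a missing `allow` field is deliberate: an auditor should report a finding it cannot disprove rather than silently pass.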

policy.yaml

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags (counts) | Compliance
💼 CIS Azure v1.1.0 → 💼 9.1 Ensure App Service Authentication is set on Azure App Service | 11 | no data
💼 CIS Azure v1.3.0 → 💼 9.1 Ensure App Service Authentication is set on Azure App Service - Level 2 (Automated) | 11 | no data
💼 CIS Azure v1.4.0 → 💼 9.1 Ensure App Service Authentication is set up for apps in Azure App Service - Level 2 (Automated) | 11 | no data
💼 CIS Azure v1.5.0 → 💼 9.1 Ensure App Service Authentication is set up for apps in Azure App Service - Level 2 (Automated) | 11 | no data
💼 CIS Azure v2.0.0 → 💼 9.1 Ensure App Service Authentication is set up for apps in Azure App Service - Level 2 (Automated) | 11 | no data
💼 CIS Azure v2.1.0 → 💼 9.1 Ensure App Service Authentication is set up for apps in Azure App Service - Level 2 (Automated) | 1 | no data
💼 CIS Azure v3.0.0 → 💼 9.2 Ensure App Service Authentication is set up for apps in Azure App Service (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 57 | no data
💼 Cloudaware Framework → 💼 System Configuration | 45 | no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) | 23681 | no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H) | 17 | no data
💼 FedRAMP High Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) | 21416 | no data
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 61432 | no data
💼 FedRAMP Low Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) | 8 | no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 132 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) | 166 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H) | 17 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) | 216 | no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 432 | no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights | 312 | no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets | 1127 | no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control | 1431 | no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction | 1024 | no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code | 822 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1934 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1756 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | 413 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1923 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 4791 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 142 | no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained | 69 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 42 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | 13 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated | 53 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 116 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 148 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 125 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 142 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 95 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement | 326891 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains | 3032 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information | 910 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption | 1217 | no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication | 1824 | no data
💼 UK Cyber Essentials → 💼 1.3 Block unauthenticated inbound connections by default | 23 | no data