Remediate AWS CIS v3.0 and v4.0 with Flowpipe's interactive wizard →
Flowpipe Hub 
Hub
standard
turbot/azure_cis
Overview
170
Pipelines
0
Triggers
5
VariablesGitHub

Pipeline: 9.2 Ensure App Service Authentication is set up for apps in Azure App Service

Description

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.

By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. Disabling HTTP Basic Authentication functionality further ensures legacy authentication methods are disabled within the application.

Remediation

From Azure Portal

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to App Services.
  3. Click on each App.
  4. Under Setting section, click on Authentication.
  5. If no identity providers are set up, then click Add identity provider.
  6. Choose other parameters as per your requirements and click on Add.

To disable the Basic Auth Publishing Credentials setting, perform the following steps:

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to App Services.
  3. Click on each App.
  4. Under Settings, click on Configuration.
  5. Click on the 'General Settings' tab.
  6. Under Platform settings, ensure Basic Auth Publishing Credentials is set to Off.

From Azure CLI

To set App Service Authentication for an existing app, run the following command:

az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true

Note: In order to access App Service authentication settings for Web app using Microsoft API requires Website contributor permission at subscription level. A custom role can be created in place of Website contributor to provide more specific permission and maintain the principle of least privileged access.

Default Value

By default, App Service Authentication is disabled when a new app is created using the command-line tool or Azure Portal console.

Run the pipeline

To run this pipeline from your terminal:

flowpipe pipeline run azure_cis.pipeline.cis_v300_9_2

Use this pipeline

To call this pipeline from your pipeline, use a step:

step "pipeline" "step_name" {
  pipeline = azure_cis.pipeline.cis_v300_9_2  
}

Params

NameTypeRequiredDescriptionDefault
database
connection.steampipe
YesDatabase connection string.connection.steampipe.default
notifier
notifier
YesThe name of the notifier to use for sending notification messages.notifier.default
notification_level
string
YesThe verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'.info
approvers
list(notifier)
YesList of notifiers to be used for obtaining action/approval decisions.notifier.default

Outputs

This pipeline has no outputs.

Tags

folder = CIS v3.0.0/9 App Service