rules/findings/azure/appservices/azure-app-authentication-disabled.json

{
    "args": [],
    "provider": "Azure",
    "serviceType": "App Service",
    "serviceName": "Hosted Services",
    "displayName": "Ensure authentication is set to 'Enabled' for _ARG_0_",
    "description": "App Service built-in authentication can block anonymous HTTP requests before they reach an app, or validate the token presented with a request before the app code runs. If an anonymous request is received from a browser, App Service will redirect to a login page. To handle the login process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.",
    "rationale": "By enabling authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storage and refreshing of tokens, managing the authenticated sessions, and injecting identity information into request headers.",
    "impact": "This setting is only appropriate for apps whose content should be restricted to authenticated users. Enabling it on a public site such as a marketing or support website will block unauthenticated visitors, which would be undesirable.<br/><br/>Adding an authentication requirement will increase costs and require additional security components to facilitate the authentication.",
    "remediation": {
        "text": "
            #### Remediate from Azure Portal
            1. Go to App Services.
            2. Click the name of an app.
            3. Under Settings, click Authentication.
            4. If an identity provider is not configured:
                1. Click Add identity provider.
                2. Provide appropriate configuration for an identity provider and click Add.
            5. If App Service authentication is set to Disabled:
                1. Click Enable authentication.
            6. If the app is meant to require sign-in, also confirm that unauthenticated requests are not allowed through to the app. This check only verifies that authentication is enabled; it does not evaluate how unauthenticated requests are handled.
            7. Repeat steps 1-6 for each app requiring remediation.
        ",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization",
        "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor",
        "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements",
        "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft Azure Foundations",
            "version": "2.0.0",
            "reference": "2.1.12",
            "profile": [
                "Level 2"
            ]
        }
    ],
    "level": "low",
    "tags": [],
    "rule": {
        "path": "az_app_services",
        "subPath": null,
        "selectCondition": [
            {
                "filter": [
                    {
                        "include": "_ARG_1_"
                    }
                ]
            }
        ],
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "eq",
                                "authSettingsV2"
                            ],
                            [
                                "authSettingsV2.properties.platform.enabled",
                                "eq",
                                "False"
                            ]
                        ],
                        "operator":"or"
                    }
                ]
            },
            {
                "connectOperator":"and",
                "filter": [
                    {
                        "conditions": [
                            [
                                "eq",
                                "authSettings"
                            ],
                            [
                                "authSettings.properties.enabled",
                                "eq",
                                "False"
                            ]
                        ],
                        "operator":"or"
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "location",
                    "resourceGroupName": "Resource Group Name",
                    "authSettings":"Auth Settings",
                    "authSettingsV2":"Auth Settings V2"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [],
            "emphasis": [],
            "actions": {
                "objectData": {
                    "properties": [
                        "name",
                        "location",
                        "resourceGroupName",
                        "authSettings",
                        "authSettingsV2"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "location",
                    "resourceGroupName": "Resource Group Name",
                    "authSettings":"Auth Settings",
                    "authSettingsV2":"Auth Settings V2"
                },
                "expandObject": null
            },
            "status": {
                "keyName": ["name"],
                "message": "Ensure 'App Service authentication' is set to 'Enabled' for {name}",
                "defaultMessage": "Ensure authentication is set to 'Enabled' for _ARG_0_"
            },
            "properties": {
                "resourceName": "name",
                "resourceId": "id",
                "resourceType": "type"
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "azure_app_service_authentication_disabled__ARG_2_",
    "notes": [],
    "categories": [],
    "immutable_properties": [
        "name",
        "id"
    ],
    "id": "azure_app_service__ARG_3_"
}