MEDIUM
Source
Trivy/CSPM
CSPM ID
authentication-enabled
ID
AVD-AZU-0003

App Service authentication is activated

Enabling App Service authentication (the platform's built-in authentication and authorization layer, commonly called Easy Auth) means that requests are authenticated by the platform before they are handed to the application code, rather than relying on each application to check credentials itself. The auth_settings block must be present with enabled set to true and populated with the settings for the chosen identity provider (for example an active_directory block for Azure AD).

Impact

Anonymous requests are accepted: unauthenticated clients are not redirected to a login page and reach the application directly.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Microsoft Azure portal.

  2. In the search bar at the top, search for "App Services".

  3. Select an App Service by clicking its name to open its configuration.

  4. In the selected App Service's navigation panel, scroll to "Settings" and click "Authentication".

  5. On the "Authentication" page, check whether "App Service Authentication" is "Disabled". If it is, unauthenticated requests to the app are not redirected to the login page and reach the application directly. Authentication should be enabled for all requests.

  6. If "App Service Authentication" is "Disabled", click the "Enable authentication" button.

  7. Wait for the confirmation message in the top right to confirm that authentication is now enabled.

  8. If no identity provider is configured, an "Add identity provider" button is shown.

  9. Click "Add identity provider" and choose the desired identity provider by selecting its name.

  10. Configure the provider's behaviour (in particular what happens to unauthenticated requests) and click "Add" to complete the setup.

  11. Verify that "Authentication" is now enabled.

  12. Repeat steps 3 to 11 to enable "Authentication" on every App Service in the subscription.

Enable authentication to prevent anonymous requests from being accepted

resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  # enabled = true is what this check looks for. The settings for the
  # chosen identity provider (for example an active_directory block)
  # are added inside this same auth_settings block.
  auth_settings {
    enabled = true
  }
}
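The minimal example above passes the check but says nothing about which identity provider authenticates callers or what happens to anonymous requests. The following is an added worked example (not code from the Trivy page itself) that shows a configuration this check flags beside a fully populated auth_settings block that codifies the portal procedure above: Azure AD as the identity provider and unauthenticated requests redirected to login. The variables tenant_id, aad_client_id and aad_client_secret, the https_only setting and the resource names are assumptions made for the example; the azurerm_resource_group.example and azurerm_app_service_plan.example references reuse the names from the page's own example.

```hcl
# Flagged by AVD-AZU-0003: no auth_settings block at all, so the platform
# performs no authentication and anonymous requests reach the app.
resource "azurerm_app_service" "bad_example" {
  name                = "example-app-service-anon"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
}

# Compliant: platform authentication on, Azure AD as the provider, and
# unauthenticated callers sent to the login page instead of the app code.
resource "azurerm_app_service" "good_example_aad" {
  name                = "example-app-service-auth"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = true # assumed setting: tokens should never travel over plain HTTP

  auth_settings {
    enabled                       = true
    default_provider              = "AzureActiveDirectory"
    # Set explicitly: "AllowAnonymous" would still pass this check
    # while letting unauthenticated requests through.
    unauthenticated_client_action = "RedirectToLoginPage"
    issuer                        = "https://sts.windows.net/${var.tenant_id}/"
    token_store_enabled           = true

    active_directory {
      client_id         = var.aad_client_id
      client_secret     = var.aad_client_secret
      allowed_audiences = ["api://${var.aad_client_id}"]
    }
  }
}

# Assumed input variables for the example above.
variable "tenant_id" {
  type = string
}

variable "aad_client_id" {
  type = string
}

variable "aad_client_secret" {
  type      = string
  sensitive = true
}
```

Running trivy config against the directory holding these files reports bad_example and clears good_example_aad. Note that the check inspects the enabled flag: a block with enabled = true and unauthenticated_client_action = "AllowAnonymous" also passes, so review that setting, the allowed_audiences list and the issuer yourself rather than treating a clean scan as proof that anonymous access is blocked.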