Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Azure > Appservice >

Authentication Enabled

MEDIUM
Source
Trivy/CSPM
CSPM ID
authentication-enabled
ID
AVD-AZU-0003
management_console terraform

App Service authentication is activated

Enabling authentication ensures that all communications in the application are authenticated. The auth_settings block needs to be filled out with the appropriate auth backend settings

Impact

Anonymous HTTP requests will be accepted

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Microsoft Azure Management Console.

  2. Find the search bar at the top and search for App Services.Step

  3. Select the “App Service” by clicking on “Name” to go to its configuration.Step

  4. Scroll down the selected “App Services” navigation panel and under “Settings” click on “Authentication”.Step

  5. On the “Authentication” page check if “App Service Authentication” is “Disabled”. If it’s “Disabled”, then all unauthenticated requests to the app will not be redirected to the login page. It is recommended to have authentication enabled for all requests.Step

  6. If the “App Service Authentication” is “Disabled”, then click on “Enable authentication” button to enable authentication.Step

  7. Wait for the confirmation message on top right to ensure authentication is now enabled.Step

  8. If there is no “Identity provider” then you will see the “Add identity provider” button. Step

  9. Click on the “Add identity provider” button and choose your desired “Identity provider” by selecting the relevant provider’s name.Step

  10. Now configure the behavior and click “Add” to complete the setup.Step

  11. Verify that “Authentication” is now enabled.Step

  12. Repeat steps 3 to 11 to enable “Authentication” across all “App Services” in the account.

Enable authentication to prevent anonymous request being accepted

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

 resource "azurerm_app_service" "good_example" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
   app_service_plan_id = azurerm_app_service_plan.example.id
 
   auth_settings {
     enabled = true
   }
 }
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2023 Aqua Security Software Ltd.   Privacy Policy | Terms of Use