Severity: MEDIUM
Source: Trivy/CSPM
CSPM ID: authentication-enabled
ID: AVD-AZU-0003

App Service authentication is activated

Enabling authentication ensures that all communications in the application are authenticated. The auth_settings block needs to be filled out with the appropriate auth backend settings.

Impact

Anonymous HTTP requests will be accepted

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the Microsoft Azure Management Console.
  2. Select the “Search resources, services, and docs” option at the top and search for App Services.
  3. Select the “App Services” by clicking on the “Name” link to access the configuration changes.
  4. Scroll down the selected “App Services” navigation panel and in “Settings” click on the “Authentication / Authorization” option.
  5. On the “Authentication / Authorization” page check whether “App Service Authentication” is set to “ON” or “OFF”. If it’s turned “OFF”, unauthenticated requests will not be redirected to the login page.
  6. Repeat steps number 2 - 5 to cross check “Authentication / Authorization” for other “App Services.”
  7. Navigate to the “App Services”, select the “App Service” and click on the “Name”, select the “Authentication / Authorization” under “Settings.”
  8. Click on the “ON” option under “App Service Authentication” and click on the “Save” button at the top to make the changes.
  9. Repeat above steps for enabling “Authentication” to redirect all unauthenticated requests to the login page.

Enable authentication to prevent anonymous requests from being accepted.

resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  
  # App Service authentication switched on; the auth backend settings also go in this block
  auth_settings {
    enabled = true
  }
}
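
Added example (not from the original page or the Trivy project): an App Service with no auth_settings block beside one where the block is filled out for an Azure Active Directory backend and unauthenticated requests are redirected to the login page. The variable names, resource names and region are assumptions chosen for illustration.

```hcl
# Added example; variable names, resource names and region are hypothetical.
provider "azurerm" {
  features {}
}
variable "aad_tenant_id" { type = string } # directory (tenant) ID
variable "aad_client_id" { type = string } # app registration (client) ID
variable "aad_client_secret" {
  type      = string
  sensitive = true
}
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}
resource "azurerm_app_service_plan" "example" {
  name                = "example-plan"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku {
    tier = "Standard"
    size = "S1"
  }
}

# Weak: no auth_settings block, so anonymous HTTP requests are accepted.
resource "azurerm_app_service" "bad_example" {
  name                = "example-app-service-noauth"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
}

# Corrected: authentication enabled and an auth backend configured.
resource "azurerm_app_service" "good_example_aad" {
  name                = "example-app-service-aad"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  auth_settings {
    enabled                       = true
    default_provider              = "AzureActiveDirectory"
    unauthenticated_client_action = "RedirectToLoginPage" # "AllowAnonymous" would still let anonymous requests through
    issuer                        = "https://sts.windows.net/${var.aad_tenant_id}/"
    active_directory {
      client_id     = var.aad_client_id
      client_secret = var.aad_client_secret
    }
  }
}
```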