Azure Introduction
Azure Pricing
Azure Threats
App Service Authentication Disabled
More Info:
Azure App Service Authentication prevents anonymous HTTP requests to reach the API app. Also, it ensure to authenticate those that have tokens before they reach the API app. Anonymous requests from browser are redirected to a logon page.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, GDPR, ISO27001, CISAZURE, CBP, HIPAA, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the “App Service Authentication Disabled” misconfiguration in AZURE using the AZURE console, you can follow these steps:
- Open the AZURE console and navigate to the App Service that needs to be remediated.
- Click on the “Authentication/Authorization” option from the left-hand menu.
- Under the “Authentication Providers” section, select the “Azure Active Directory” option.
- Select the “Express” option to set up authentication quickly or “Advanced” to configure custom settings.
- Follow the prompts to configure the authentication settings as per your requirements. You can choose to enable/disable different authentication providers such as Facebook, Google, Twitter, and Microsoft.
- Once you have configured the authentication settings, click on the “Save” button to apply the changes.
By following these steps, you can remediate the “App Service Authentication Disabled” misconfiguration in AZURE using the AZURE console.
To remediate the “App Service Authentication Disabled” misconfiguration in Azure using Azure CLI, follow these steps:
-
Open the Azure CLI on your local machine or in the Azure portal.
-
Login to your Azure account using the command:
az login -
Select the subscription that contains the affected App Service using the command:
az account set --subscription <subscription_id> -
Get the resource ID of the affected App Service using the command:
az webapp show --name <app_service_name> --resource-group <resource_group_name> --query id --output tsv -
Enable App Service Authentication for the App Service using the command:
az webapp auth update --ids <app_service_resource_id> --enabled true -
Configure the authentication settings for the App Service. For example, you can configure authentication using Azure Active Directory, Facebook, Google, Microsoft Account, or Twitter. Here’s an example command to configure authentication using Azure Active Directory:
az webapp auth update --ids <app_service_resource_id> --aad-allowed-token-audiences https://<your_aad_app_id>/ --aad-client-id <your_aad_app_id> --aad-client-secret <your_aad_app_secret> --aad-token-issuer-url https://sts.windows.net/<your_aad_tenant_id>/Note: Replace the placeholders
<your_aad_app_id>,<your_aad_app_secret>, and<your_aad_tenant_id>with your actual Azure Active Directory application ID, application secret, and tenant ID, respectively. -
Verify that App Service Authentication is enabled for the App Service using the command:
az webapp auth show --ids <app_service_resource_id>This command should return the authentication settings for the App Service.
That’s it! You have successfully remediated the “App Service Authentication Disabled” misconfiguration for Azure using Azure CLI.
To remediate the “App Service Authentication Disabled” misconfiguration in Azure using Python, follow these steps:
- Import the necessary modules:
from azure.mgmt.web import WebSiteManagementClient
from azure.common.credentials import ServicePrincipalCredentials
- Set up the credentials for accessing the Azure resource:
subscription_id = '<subscription_id>'
client_id = '<client_id>'
secret = '<client_secret>'
tenant = '<tenant_id>'
credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=secret,
tenant=tenant
)
- Instantiate the
WebSiteManagementClient:
web_client = WebSiteManagementClient(credentials, subscription_id)
- Get the list of web apps:
web_apps = web_client.web_apps.list()
- For each web app, check if the app service authentication is disabled. If it is disabled, enable it:
for web_app in web_apps:
if not web_app.site_auth_enabled:
web_client.web_apps.update_site_auth_settings(
resource_group_name='<resource_group_name>',
name=web_app.name,
site_auth_enabled=True
)
-
Replace
<subscription_id>,<client_id>,<client_secret>,<tenant_id>, and<resource_group_name>with the appropriate values. -
Save the Python script and run it to remediate the misconfiguration.