Ensure that App Service Authentication feature is enabled for Microsoft Azure App Service to add an extra layer of security to the authentication process implemented by your web applications.
By default, App Service Authentication feature is disabled when a new web application is created using the Azure Command Line Interface (CLI) or Azure Management Console. Therefore, all new applications have anonymous access enabled and this allows users to log in without being prompted for login. By enabling Azure App Service Authentication, every incoming HTTP request passes through it before being handled by the web application code. The feature also handles authentication of users with a specific provider such as Azure Active Directory (AAD), Google, Facebook, Twitter and Microsoft Account, validation, storing and refreshing of access tokens, managing the authenticated sessions, and injecting identity information into request headers.
Audit
To determine if Microsoft Azure App Service Authentication is enabled, perform the following actions:
Remediation / Resolution
To enable and configure Microsoft Azure App Service Authentication for your existing web apps, perform the following actions:
References
- Azure Official Documentation
- App Service
- Authentication and authorization in Azure App Service
- Configure your App Service app to use Azure AD login
- Configure your App Service app to use Facebook login
- Configure your App Service app to use Google login
- Configure your App Service app to use Microsoft Account login
- Configure your App Service app to use Twitter login
- CIS Microsoft Azure Foundations
- Azure PowerShell Documentation
- az webapp
- az webapp list
- az webapp auth
- az webapp auth show
- az webapp auth update
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

You are auditing:
Enable App Service Authentication
Risk level: Medium