compliance controls are associated with this Policy definition 'App Service apps should have authentication enabled' (95bccee9-a7f8-4bec-9ee9-62c3473701fc)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
9.1 |
CIS_Azure_1.1.0_9.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.1 |
9 AppService |
Ensure App Service Authentication is set on Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. |
link |
5 |
| CIS_Azure_1.3.0 |
9.1 |
CIS_Azure_1.3.0_9.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.1 |
9 AppService |
Ensure App Service Authentication is set on Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. |
link |
5 |
| CIS_Azure_1.4.0 |
9.1 |
CIS_Azure_1.4.0_9.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.1 |
9 AppService |
Ensure App Service Authentication is set up for apps in Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. |
link |
5 |
| CIS_Azure_2.0.0 |
9.1 |
CIS_Azure_2.0.0_9.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.1 |
9 |
Ensure App Service Authentication is set up for apps in Azure App Service |
Shared |
This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable.
Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication. |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. |
link |
5 |
| NZ_ISM_v3.5 |
SS-9 |
NZ_ISM_v3.5_SS-9 |
NZISM Security Benchmark SS-9 |
Software security |
14.5.8 Web applications |
Customer |
n/a |
The Open Web Application Security Project guide provides a comprehensive resource to consult when developing Web applications. |
link |
12 |
| RMiT_v1.0 |
10.54 |
RMiT_v1.0_10.54 |
RMiT 10.54 |
Access Control |
Access Control - 10.54 |
Shared |
n/a |
A financial institution must implement an appropriate access controls policy for the identification, authentication and authorisation of users (internal and external users such as third party service providers). This must address both logical and physical technology access controls which are commensurate with the level of risk of unauthorised access to its technology systems. |
link |
17 |