Allowing anonymous access can reduce an organization’s ability to protect itself against attacks on its Azure resources.

Security incidents may include disrupting critical functions, data theft, and additional Azure subscription costs due to resource overload.

Using authentication coupled with fine-grained authorizations provides defense-in-depth and gives investigators of security incidents traceability.

Depending on the affected Azure resource, multiple authentication choices are possible: Active Directory Authentication, OpenID implementations (Google, Microsoft, etc.) or native Azure mechanisms.

Ask Yourself Whether

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Enable authentication in this Azure resource, and disable anonymous access.

If only Basic Authentication is available, enable it.

Sensitive Code Example

For App Service:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2022-03-01",
            "name": "example"
        }
    ]
}

For API Management:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.ApiManagement/service",
            "apiVersion": "2022-09-01-preview",
            "name": "example"
        }
    ]
}

For Data Factory Linked Services:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.DataFactory/factories/linkedservices",
            "apiVersion": "2018-06-01",
            "name": "example",
            "properties": {
                "type": "Web",
                "typeProperties": {
                    "authenticationType": "Anonymous"
                }
            }
        }
    ]
}

For Storage Accounts and Storage Containers:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "example",
            "properties": {
                "allowBlobPublicAccess": true
            }
        }
    ]
}

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "example",
            "resources": [
                {
                    "type": "blobServices/containers",
                    "apiVersion": "2022-09-01",
                    "name": "blobContainerExample",
                    "properties": {
                        "publicAccess": "Blob"
                    }
                }
            ]
        }
    ]
}

For Redis Caches:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Cache/redis",
            "apiVersion": "2022-06-01",
            "name": "example",
            "properties": {
                "redisConfiguration": {
                    "authnotrequired": "true"
                }
            }
        }
    ]
}

Compliant Solution

For App Services and equivalent:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2022-03-01",
            "name": "example",
            "resources": [
                {
                    "type": "config",
                    "apiVersion": "2022-03-01",
                    "name": "authsettingsV2",
                    "properties": {
                        "globalValidation": {
                            "requireAuthentication": true,
                            "unauthenticatedClientAction": "RedirectToLoginPage"
                        }
                    }
                }
            ]
        }
    ]
}

For API Management:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.ApiManagement/service",
            "apiVersion": "2022-09-01-preview",
            "name": "example",
            "resources": [
                {
                    "type": "portalsettings",
                    "apiVersion": "2022-09-01-preview",
                    "name": "signin",
                    "properties": {
                        "enabled": true
                    }
                },
                {
                    "type": "apis",
                    "apiVersion": "2022-09-01-preview",
                    "name": "exampleApi",
                    "properties": {
                        "authenticationSettings": {
                            "openid": {
                                "bearerTokenSendingMethods": ["authorizationHeader"],
                                "openidProviderId": "<an OpenID provider ID>"
                            }
                        }
                    }
                }
            ]
        }
    ]
}

For Data Factory Linked Services:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.DataFactory/factories/linkedservices",
            "apiVersion": "2018-06-01",
            "name": "example",
            "properties": {
                "type": "Web",
                "typeProperties": {
                    "authenticationType": "Basic"
                }
            }
        }
    ]
}

For Storage Accounts:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "example",
            "properties": {
                "allowBlobPublicAccess": false
            }
        }
    ]
}

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "example",
            "resources": [
                {
                    "type": "blobServices/containers",
                    "apiVersion": "2022-09-01",
                    "name": "blobContainerExample",
                    "properties": {
                        "publicAccess": "None"
                    }
                }
            ]
        }
    ]
}

For Redis Caches:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Cache/redis",
            "apiVersion": "2022-06-01",
            "name": "example",
            "properties": {
                "redisConfiguration": {}
            }
        }
    ]
}
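
The sensitive and compliant templates above differ in only a few properties, so the check can be run over a template before deployment. The following is an added example, not part of the original rule text or of any Azure tooling: the function name `find_anonymous_access` and the sample template are constructed for illustration, it covers the App Service, Data Factory, Storage and Redis cases (not API Management), and it assumes property values are literals rather than ARM expressions such as `[parameters('x')]`.

```python
import json

def _get(d, *keys):
    """Follow nested keys; None when any level is missing."""
    for k in keys:
        d = d.get(k) if isinstance(d, dict) else None
    return d

def find_anonymous_access(template):
    """Return (resource path, reason) pairs for the settings this page flags."""
    findings = []
    def walk(resources, parent_type, parent_path):
        for res in resources or []:
            # Child resources declare a relative type such as "config".
            rtype = f"{parent_type}/{res.get('type', '')}".strip("/").lower()
            path = f"{parent_path}/{res.get('name', '?')}".strip("/")
            props = res.get("properties") or {}
            children = res.get("resources") or []
            if rtype == "microsoft.web/sites":
                enforced = any(
                    c.get("name") == "authsettingsV2" and _get(
                        c, "properties", "globalValidation", "requireAuthentication") is True
                    for c in children)
                if not enforced:
                    findings.append((path, "no authsettingsV2 requiring authentication"))
            elif rtype == "microsoft.datafactory/factories/linkedservices":
                if _get(props, "typeProperties", "authenticationType") == "Anonymous":
                    findings.append((path, "authenticationType is Anonymous"))
            elif rtype == "microsoft.storage/storageaccounts":
                if props.get("allowBlobPublicAccess") is True:
                    findings.append((path, "allowBlobPublicAccess is true"))
            elif rtype.endswith("blobservices/containers"):
                if props.get("publicAccess", "None") != "None":
                    findings.append((path, "container publicAccess is not None"))
            elif rtype == "microsoft.cache/redis":
                if str(_get(props, "redisConfiguration", "authnotrequired")).lower() == "true":
                    findings.append((path, "authnotrequired is true"))
            walk(children, rtype, path)
    walk(template.get("resources"), "", "")
    return findings

# Constructed sample: an App Service without auth settings and a public container.
SAMPLE = json.loads("""{"resources": [
  {"type": "Microsoft.Web/sites", "name": "app"},
  {"type": "Microsoft.Storage/storageAccounts", "name": "st",
   "properties": {"allowBlobPublicAccess": false},
   "resources": [{"type": "blobServices/containers", "name": "c1",
                  "properties": {"publicAccess": "Blob"}}]}]}""")
```

The storage account in the sample passes on its own, but its nested container is still reported, which is why the walk descends into child resources instead of stopping at the top level.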

See