Disabling certificate-based authentication can reduce an organization's ability to respond to attacks on its critical functions and data.
Azure offers various authentication options to access resources: Anonymous connections, Basic authentication, password-based authentication, and certificate-based authentication.
Choosing certificate-based authentication helps establish client/host trust by allowing the host to verify the client and vice versa. Because the client proves possession of its private key during the TLS handshake, the credential cannot be forged, replayed or relayed by a man-in-the-middle eavesdropper, and the private key is never sent over the network, so it is harder to steal than a password.
In case of a security incident, certificates help bring investigators traceability and allow security operations teams to react faster. For example, all compromised certificates could be revoked individually, or an issuing certificate could be revoked which causes all the certificates it issued to become untrusted.
There is a risk if you answered yes to any of those questions.
Enable certificate-based authentication.
Sensitive code examples
Where the use of client certificates is controlled by a boolean value, such as:
Microsoft.Web/sites with clientCertEnabled
Microsoft.SignalRService/signalR with tls → clientCertEnabled
Microsoft.SignalRService/webPubSub with tls → clientCertEnabled
Microsoft.ApiManagement/service/gateways/hostnameConfigurations with negotiateClientCertificate
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.SignalRService/webPubSub",
      "apiVersion": "2020-07-01-preview",
      "name": "example",
      "properties": {
        "tls": {
          "clientCertEnabled": false
        }
      }
    }
  ]
}
resource example 'Microsoft.SignalRService/webPubSub@2020-07-01-preview' = {
  name: 'example'
  properties: {
    tls: {
      clientCertEnabled: false // Sensitive
    }
  }
}
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2015-08-01",
      "name": "example",
      "properties": {
        "clientCertEnabled": false
      }
    }
  ]
}
resource example 'Microsoft.Web/sites@2015-08-01' = {
  name: 'example'
  properties: {
    clientCertEnabled: false // Sensitive
  }
}
Where the use of client certificates can be made optional, such as:
Microsoft.Web/sites with clientCertMode
Microsoft.App/containerApps with configuration → ingress → clientCertificateMode
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2015-08-01",
      "name": "example",
      "properties": {
        "clientCertEnabled": true,
        "clientCertMode": "Optional"
      }
    }
  ]
}
resource example 'Microsoft.Web/sites@2015-08-01' = {
  name: 'example'
  properties: {
    clientCertEnabled: true
    clientCertMode: 'Optional' // Sensitive
  }
}
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.App/containerApps",
      "apiVersion": "2022-03-01",
      "name": "example",
      "properties": {
        "configuration": {
          "ingress": {
            "clientCertificateMode": "accept"
          }
        }
      }
    }
  ]
}
resource example 'Microsoft.App/containerApps@2022-03-01' = {
  name: 'example'
  properties: {
    configuration: {
      ingress: {
        clientCertificateMode: 'accept' // Sensitive
      }
    }
  }
}
Where client certificates can be used to authenticate outbound requests, such as:
Microsoft.DataFactory/factories/linkedservices with typeProperties → authenticationType where the request type is Web or HttpServer
Microsoft.DataFactory/factories/pipelines with activities → typeProperties → authentication → type where the activity type is WebActivity or WebHook
Microsoft.Scheduler/jobCollections/jobs with action → request → authentication → type
Microsoft.Scheduler/jobCollections/jobs with action → errorAction → request → authentication → type
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.DataFactory/factories/linkedservices",
      "apiVersion": "2018-06-01",
      "name": "example",
      "properties": {
        "type": "Web",
        "typeProperties": {
          "authenticationType": "Basic"
        }
      }
    }
  ]
}
resource example 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
  name: 'example'
  properties: {
    type: 'Web'
    typeProperties: {
      authenticationType: 'Basic' // Sensitive
    }
  }
}
Where a list of permitted client certificates must be provided, such as:
Microsoft.DocumentDB/cassandraClusters with clientCertificates
Microsoft.Network/applicationGateways with trustedClientCertificates
Microsoft.ServiceFabric/clusters with clientCertificateCommonNames or clientCertificateThumbprints
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.DocumentDB/cassandraClusters",
      "apiVersion": "2021-10-15",
      "name": "example",
      "properties": {
        "clientCertificates": []
      }
    }
  ]
}
resource example 'Microsoft.DocumentDB/cassandraClusters@2021-10-15' = {
  name: 'example'
  properties: {
    clientCertificates: [] // Sensitive
  }
}
Where a resource can use both certificate-based and password-based authentication, such as:
Microsoft.ContainerRegistry/registries/tokens with credentials → certificates and credentials → passwords
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.ContainerRegistry/registries/tokens",
      "apiVersion": "2022-12-01",
      "name": "example",
      "properties": {
        "credentials": {
          "passwords": [
            {
              "name": "password1"
            }
          ]
        }
      }
    }
  ]
}
resource example 'Microsoft.ContainerRegistry/registries/tokens@2022-12-01' = {
  name: 'example'
  properties: {
    credentials: {
      passwords: [ // Sensitive
        {
          name: 'password1'
        }
      ]
    }
  }
}
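All of the sensitive patterns above can be caught mechanically before deployment. The following Python script is an added example, not part of this rule page and not a SonarSource analyzer: it walks an ARM deployment template (the JSON form shown in the examples) and reports every resource whose client-certificate setting matches one of the patterns listed, from the boolean switches through to the registry-token password credentials. The rule tables mirror the resource types and property paths named on this page; the function names and the sample template at the bottom are the example's own and are constructed for illustration.

```python
"""Added example: report ARM resources that disable or weaken client-certificate auth.
Not the rule's own analyzer. Rule tables mirror the resource types and property paths
listed on the page; function names and sample data are assumptions of this example."""
import json

def _get(obj, *path):
    # Walk nested dicts along path; None if any key is missing.
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

# Resource type (lower-cased: ARM types are case-insensitive) -> path of the on/off switch.
BOOL_SWITCHES = {
    "microsoft.web/sites": ("clientCertEnabled",),
    "microsoft.signalrservice/signalr": ("tls", "clientCertEnabled"),
    "microsoft.signalrservice/webpubsub": ("tls", "clientCertEnabled"),
    "microsoft.apimanagement/service/gateways/hostnameconfigurations": ("negotiateClientCertificate",),
}
# Resource type -> paths that must hold a non-empty list of permitted client certificates.
CERT_LISTS = {
    "microsoft.documentdb/cassandraclusters": [("clientCertificates",)],
    "microsoft.network/applicationgateways": [("trustedClientCertificates",)],
    # Service Fabric accepts either pinning style; flagged only when both are empty.
    "microsoft.servicefabric/clusters": [("clientCertificateCommonNames",), ("clientCertificateThumbprints",)],
}

def check_resource(res):
    """Return findings as (resource type, name, message) tuples for one resource."""
    rtype, name = res.get("type", "").lower(), res.get("name", "<unnamed>")
    props = res.get("properties") or {}
    found = []
    flag = lambda msg: found.append((res.get("type", ""), name, msg))

    # Boolean switch explicitly set to false.
    if rtype in BOOL_SWITCHES and _get(props, *BOOL_SWITCHES[rtype]) is False:
        flag("%s = false disables client certificates" % ".".join(BOOL_SWITCHES[rtype]))
    # Modes that let a client connect without presenting a certificate.
    if rtype == "microsoft.web/sites" and _get(props, "clientCertMode") == "Optional":
        flag("clientCertMode is Optional; use Required")
    if rtype == "microsoft.app/containerapps":
        mode = _get(props, "configuration", "ingress", "clientCertificateMode")
        if mode is not None and str(mode).lower() != "require":
            flag("ingress clientCertificateMode is %r; use 'require'" % mode)
    # Outbound requests authenticated with anything but a client certificate.
    if rtype == "microsoft.datafactory/factories/linkedservices" and props.get("type") in ("Web", "HttpServer"):
        auth = _get(props, "typeProperties", "authenticationType")
        if auth != "ClientCertificate":
            flag("linked service uses %s authentication" % (auth or "Anonymous"))
    if rtype == "microsoft.datafactory/factories/pipelines":
        for act in props.get("activities") or []:
            if (act.get("type") in ("WebActivity", "WebHook")
                    and _get(act, "typeProperties", "authentication", "type") != "ClientCertificate"):
                flag("activity %s does not use ClientCertificate" % act.get("name", "?"))
    if rtype == "microsoft.scheduler/jobcollections/jobs":
        for where in (("action", "request"), ("action", "errorAction", "request")):
            req = _get(props, *where)
            if req is not None and _get(req, "authentication", "type") != "ClientCertificate":
                flag("%s does not use ClientCertificate" % ".".join(where))
    # Allow-lists with no entries: no client certificate can ever be accepted.
    if rtype in CERT_LISTS and all(not _get(props, *p) for p in CERT_LISTS[rtype]):
        flag("no permitted client certificates configured")
    # Registry tokens: password credentials stay usable alongside certificates.
    if rtype == "microsoft.containerregistry/registries/tokens" and _get(props, "credentials", "passwords"):
        flag("token accepts password credentials; keep certificates only")
    return found

def check_template(template):
    """Check every resource in a template (dict or JSON text), including inline child resources."""
    if isinstance(template, str):
        template = json.loads(template)
    findings, stack = [], list(template.get("resources") or [])
    while stack:
        res = stack.pop()
        findings.extend(check_resource(res))
        stack.extend(res.get("resources") or [])
    return findings

# Constructed sample template mixing sensitive and compliant resources (names are made up).
SAMPLE = {"contentVersion": "1.0.0.0", "resources": [
    {"type": "Microsoft.Web/sites", "name": "web-optional",
     "properties": {"clientCertEnabled": True, "clientCertMode": "Optional"}},
    {"type": "Microsoft.Web/sites", "name": "web-required",
     "properties": {"clientCertEnabled": True, "clientCertMode": "Required"}},
    {"type": "Microsoft.App/containerApps", "name": "app-accept",
     "properties": {"configuration": {"ingress": {"clientCertificateMode": "accept"}}}},
    {"type": "Microsoft.DataFactory/factories/linkedservices", "name": "adf-basic",
     "properties": {"type": "Web", "typeProperties": {"authenticationType": "Basic"}}},
    {"type": "Microsoft.DocumentDB/cassandraClusters", "name": "cassandra-empty",
     "properties": {"clientCertificates": []}},
    {"type": "Microsoft.ContainerRegistry/registries/tokens", "name": "acr-password",
     "properties": {"credentials": {"certificates": [{"name": "certificate1"}],
                                    "passwords": [{"name": "password1"}]}}},
]}

def sensitive_names(template=SAMPLE):
    """Sorted names of resources with at least one finding."""
    return sorted({name for _, name, _ in check_template(template)})

if __name__ == "__main__":
    for rtype, name, msg in check_template(SAMPLE):
        print("%s '%s': %s" % (rtype, name, msg))
```

Bicep files can be checked the same way after `az bicep build --file main.bicep` has produced the JSON template. Note that the check treats a missing allow-list or a missing outbound authentication block as sensitive, since in both cases no client certificate is ever required; tighten or relax that to match your own policy.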
Compliant solutions
Where the use of client certificates is controlled by a boolean value:
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.SignalRService/webPubSub",
      "apiVersion": "2020-07-01-preview",
      "name": "example",
      "properties": {
        "tls": {
          "clientCertEnabled": true
        }
      }
    }
  ]
}
resource example 'Microsoft.SignalRService/webPubSub@2020-07-01-preview' = {
  name: 'example'
  properties: {
    tls: {
      clientCertEnabled: true // Compliant
    }
  }
}
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2015-08-01",
      "name": "example",
      "properties": {
        "clientCertEnabled": true,
        "clientCertMode": "Required"
      }
    }
  ]
}
resource example 'Microsoft.Web/sites@2015-08-01' = {
  name: 'example'
  properties: {
    clientCertEnabled: true // Compliant
    clientCertMode: 'Required'
  }
}
Where the use of client certificates can be made optional:
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2015-08-01",
      "name": "example",
      "properties": {
        "clientCertEnabled": true,
        "clientCertMode": "Required"
      }
    }
  ]
}
resource example 'Microsoft.Web/sites@2015-08-01' = {
  name: 'example'
  properties: {
    clientCertEnabled: true
    clientCertMode: 'Required' // Compliant
  }
}
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.App/containerApps",
      "apiVersion": "2022-03-01",
      "name": "example",
      "properties": {
        "configuration": {
          "ingress": {
            "clientCertificateMode": "require"
          }
        }
      }
    }
  ]
}
resource example 'Microsoft.App/containerApps@2022-03-01' = {
  name: 'example'
  properties: {
    configuration: {
      ingress: {
        clientCertificateMode: 'require' // Compliant
      }
    }
  }
}
Where client certificates can be used to authenticate outbound requests:
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.DataFactory/factories/linkedservices",
      "apiVersion": "2018-06-01",
      "name": "example",
      "properties": {
        "type": "Web",
        "typeProperties": {
          "authenticationType": "ClientCertificate"
        }
      }
    }
  ]
}
resource example 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
  name: 'example'
  properties: {
    type: 'Web'
    typeProperties: {
      authenticationType: 'ClientCertificate' // Compliant
    }
  }
}
Where a list of permitted client certificates must be provided:
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.DocumentDB/cassandraClusters",
      "apiVersion": "2021-10-15",
      "name": "example",
      "properties": {
        "clientCertificates": [
          {
            "pem": "[base64-encoded certificate]"
          }
        ]
      }
    }
  ]
}
resource example 'Microsoft.DocumentDB/cassandraClusters@2021-10-15' = {
  name: 'example'
  properties: {
    clientCertificates: [ // Compliant
      {
        pem: '[base64-encoded certificate]'
      }
    ]
  }
}
Where a resource can use both certificate-based and password-based authentication:
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.ContainerRegistry/registries/tokens",
      "apiVersion": "2022-12-01",
      "name": "example",
      "properties": {
        "credentials": {
          "certificates": [
            {
              "name": "certificate1",
              "encodedPemCertificate": "[base64-encoded certificate]"
            }
          ]
        }
      }
    }
  ]
}
resource example 'Microsoft.ContainerRegistry/registries/tokens@2022-12-01' = {
  name: 'example'
  properties: {
    credentials: {
      certificates: [ // Compliant
        {
          name: 'certificate1'
          encodedPemCertificate: '[base64-encoded certificate]'
        }
      ]
    }
  }
}