Allowing anonymous access can reduce an organization’s ability to protect itself against attacks on its Azure resources.
Security incidents may include disruption of critical functions, data theft, and additional Azure subscription costs due to resource overload.
Using authentication coupled with fine-grained authorizations helps bring defense in depth and gives investigators of security incidents traceability.
Depending on the affected Azure resource, multiple authentication choices are possible: Active Directory Authentication, OpenID implementations (Google, Microsoft, etc.) or native Azure mechanisms.
There is a risk if you answered yes to any of these questions.
Enable authentication in this Azure resource, and disable anonymous access.
If Basic Authentication is the only mechanism the resource supports, enable it rather than leaving the resource anonymous.
For App Service:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "example"
}
]
}
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: 'example'
  // Sensitive: no authentication defined — there is no `config` child resource
  // named 'authsettingsV2', so the built-in authentication is never configured
  // and the site accepts unauthenticated requests (compare the compliant example).
}
For API Management:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2022-09-01-preview",
"name": "example"
}
]
}
resource apiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
  name: 'example'
  // Sensitive: no portal authentication defined — there is no `portalsettings`
  // child resource named 'signin' with `enabled: true`, so sign-in is not
  // enforced for portal access.
  resource apis 'apis@2022-09-01-preview' = {
    name: 'exampleApi'
    properties: {
      path: '/test'
      // Sensitive: no API authentication defined — `authenticationSettings` is
      // absent, so callers of '/test' are not required to present a token.
    }
  }
}
For Data Factory Linked Services:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataFactory/factories/linkedservices",
"apiVersion": "2018-06-01",
"name": "example",
"properties": {
"type": "Web",
"typeProperties": {
"authenticationType": "Anonymous"
}
}
}
]
}
resource linkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
  name: 'example'
  properties: {
    type: 'Web'
    typeProperties: {
      // Sensitive: the Web linked service calls its endpoint with no credentials.
      // Use 'Basic' with a username and a SecureString password sourced from a
      // @secure() parameter instead (see the compliant example).
      authenticationType: 'Anonymous' // Sensitive
    }
  }
}
For Storage Accounts and Storage Containers:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"properties": {
"allowBlobPublicAccess": true
}
}
]
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  properties: {
    // Sensitive: account-level opt-in for anonymous blob access. While true,
    // containers in this account may set publicAccess to 'Blob' (or 'Container')
    // and serve data without any authentication. Set it to false.
    allowBlobPublicAccess: true // Sensitive
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2022-09-01",
"name": "blobContainerExample",
"properties": {
"publicAccess": "Blob"
}
}
]
}
]
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  resource blobService 'blobServices@2022-09-01' = {
    name: 'default'
    resource containers 'containers@2022-09-01' = {
      name: 'exampleContainer'
      properties: {
        // Sensitive: 'Blob' grants anonymous read access to every blob in this
        // container to anyone who knows its URL; 'None' (the compliant value)
        // requires an authenticated request.
        publicAccess: 'Blob' // Sensitive
      }
    }
  }
}
For Redis Caches:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Cache/redis",
"apiVersion": "2022-06-01",
"name": "example",
"properties": {
"redisConfiguration": {
"authnotrequired": "true"
}
}
}
]
}
resource redisCache 'Microsoft.Cache/redis@2023-04-01' = {
  name: 'example'
  location: location // assumes a `location` parameter declared elsewhere in the file
  properties: {
    redisConfiguration: {
      // Sensitive: turns off the access-key requirement, so any client that can
      // reach the cache endpoint can run commands. Authentication is on by
      // default; simply omit this setting (see the compliant example).
      authnotrequired: 'true' // Sensitive
    }
  }
}
For App Services and equivalent:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "example",
"resources": [
{
"type": "config",
"apiVersion": "2022-03-01",
"name": "authsettingsV2",
"properties": {
"globalValidation": {
"requireAuthentication": true,
"unauthenticatedClientAction": "RedirectToLoginPage"
}
}
}
]
}
]
}
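// Compliant: the built-in authentication (`authsettingsV2` config) is switched
// on and unauthenticated clients are redirected to the login page instead of
// being passed through to the app.
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: 'example'
  resource authSettings 'config@2022-09-01' = { // Compliant
    name: 'authsettingsV2'
    properties: {
      globalValidation: {
        requireAuthentication: true
        // 'RedirectToLoginPage' matches the ARM example above. The previous value
        // 'AllowAnonymous' lets unauthenticated requests through to the app even
        // though requireAuthentication is true, which is the very access this
        // rule is meant to remove.
        unauthenticatedClientAction: 'RedirectToLoginPage'
      }
      platform: {
        enabled: true // turns the authentication/authorization module on
      }
    }
  }
}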
For API Management:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2022-09-01-preview",
"name": "example",
"resources": [
{
"type": "portalsettings",
"apiVersion": "2022-09-01-preview",
"name": "signin",
"properties": {
"enabled": true
}
},
{
"type": "apis",
"apiVersion": "2022-09-01-preview",
"name": "exampleApi",
"properties": {
"authenticationSettings": {
"openid": {
"bearerTokenSendingMethods": ["authorizationHeader"],
"openidProviderId": "<an OpenID provider ID>"
}
}
}
}
]
}
]
}
resource apiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
  name: 'example'
  resource portalSettings 'portalsettings@2022-09-01-preview' = {
    name: 'signin'
    properties: {
      enabled: true // Compliant: Sign-in is enabled for portal access
    }
  }
  resource apis 'apis@2022-09-01-preview' = {
    name: 'exampleApi'
    properties: {
      path: '/test'
      authenticationSettings: { // Compliant: API has authentication enabled
        openid: {
          // Tokens are accepted from the Authorization header only (not the query string).
          bearerTokenSendingMethods: ['authorizationHeader']
          // Placeholder: replace with the name of an OpenID Connect provider
          // configured on this API Management service.
          openidProviderId: '<an OpenID provider ID>'
        }
      }
    }
  }
}
For Data Factory Linked Services:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataFactory/factories/linkedservices",
"apiVersion": "2018-06-01",
"name": "example",
"properties": {
"type": "Web",
"typeProperties": {
"authenticationType": "Basic"
}
}
}
]
}
// Deployment-time secret for the linked service. @secure() keeps the value out
// of deployment history and logs; never replace it with a literal in the template.
@secure()
@description('The password for authentication')
param password string
resource linkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
  name: 'example'
  properties: {
    type: 'Web'
    typeProperties: {
      authenticationType: 'Basic' // Compliant: the endpoint is called with credentials
      username: 'test'
      // The password is a SecureString bound to the `password` parameter rather
      // than a plaintext literal; that parameter must be declared with @secure().
      password: {
        type: 'SecureString'
        value: password
      }
    }
  }
}
For Storage Accounts:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"properties": {
"allowBlobPublicAccess": false
}
}
]
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  properties: {
    // Compliant: with the account-level flag off, no container in this account
    // can be opened to anonymous readers, whatever its own publicAccess value.
    allowBlobPublicAccess: false // Compliant
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2022-09-01",
"name": "blobContainerExample",
"properties": {
"publicAccess": "None"
}
}
]
}
]
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  resource blobService 'blobServices@2022-09-01' = {
    name: 'default'
    resource containers 'containers@2022-09-01' = {
      name: 'exampleContainer'
      properties: {
        // Compliant: 'None' disables anonymous access, so every read of this
        // container requires an authenticated and authorized request.
        publicAccess: 'None' // Compliant
      }
    }
  }
}
For Redis Caches:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Cache/redis",
"apiVersion": "2022-06-01",
"name": "example",
"properties": {
"redisConfiguration": {}
}
}
]
}
resource redisCache 'Microsoft.Cache/redis@2023-04-01' = {
  name: 'example'
  location: location // assumes a `location` parameter declared elsewhere in the file
  properties: {
    redisConfiguration: {
      // Compliant: authentication is enabled by default; `authnotrequired` is
      // left unset, so clients must present an access key.
    }
  }
}