Azure Policy to audit app service authentication

Question

How can I create a Azure policy to audit app services authentication? I would like to enforce that all app services have Active Directory Authentication enabled, and flag other authentication methods as non-compliant.

Answer 1

This is not possible today. You can audit your app services to check that authentication is enabled. But you cannot specify a specific identity provider as part of the policy.

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Web/sites/config"
            },
            {
                "field": "Microsoft.Web/sites/config/siteAuthEnabled",
                "equals": "false"
            }
        ]
    },
    "then": {
        "effect": "audit"
    }
}

A policy to insure that Azure AD is the identity provider, you would need something like this (which won't work today). Since there is not an alias to support the field Microsoft.Web/sites/config/siteAuthSettings.issuer, it won't work.

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Web/sites/config"
            },
            {
                "field": "Microsoft.Web/sites/config/siteAuthEnabled",
                "equals": "false"
            },
            {
                "field": "Microsoft.Web/sites/config/siteAuthSettings.issuer",
                "like": "https://sts.windows.net/*"
            }
        ]
    },
    "then": {
        "effect": "audit"
    }
}

The guidance is to submit an issue here to request an alias be added, which it appears you did already. Posting it here in case others want to follow it.