Website Azure Active Directory Disabled
- Query id: e9c133e5-c2dd-4b7b-8fff-40f2de367b56
- Query name: Website Azure Active Directory Disabled
- Platform: AzureResourceManager
- Severity: Low
- Category: Access Control
- CWE: 287
- URL: Github
Description¶
WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - bicep file
resource webSitePositive2 'Microsoft.Web/sites@2020-12-01' = {
name: 'webSitePositive2'
location: 'location1'
tags: {}
properties: {
enabled: true
httpsOnly: true
}
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSitePositive2",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 3 - bicep file
resource webSitePositive3 'Microsoft.Web/sites@2020-12-01' = {
name: 'webSitePositive3'
location: 'location1'
tags: {}
identity: {
type: 'None'
}
properties: {
enabled: true
httpsOnly: true
}
}
Positive test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSitePositive3",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"identity": {
"type": "None"
},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 5 - bicep file
Positive test num. 6 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSitePositive3",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"identity": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 7 - bicep file
Positive test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSitePositive2",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Positive test num. 9 - bicep file
Positive test num. 10 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSitePositive3",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"identity": {
"type": "None"
},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Positive test num. 11 - bicep file
Positive test num. 12 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSitePositive3",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"identity": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - bicep file
resource webSiteNegative1 'Microsoft.Web/sites@2019-08-01' = {
name: 'webSiteNegative1'
location: 'location1'
identity: {
type: 'SystemAssigned'
}
tags: {}
properties: {
enabled: true
httpsOnly: true
}
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSiteNegative1",
"type": "Microsoft.Web/sites",
"apiVersion": "2019-08-01",
"location": "location1",
"identity": {
"type": "SystemAssigned"
},
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": [
]
}
],
"outputs": {}
}
Negative test num. 3 - bicep file
var identityName = 'value'
resource webSiteNegative2 'Microsoft.Web/sites@2020-12-01' = {
name: 'webSiteNegative2'
location: 'location1'
tags: {}
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',identityName)}': {}
}
}
properties: {
enabled: true
httpsOnly: true
}
}
Negative test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {
"identityName": "value"
},
"functions": [],
"resources": [
{
"name": "webSiteNegative2",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {}
}
},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
}
Negative test num. 5 - bicep file
Negative test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSiteNegative1",
"type": "Microsoft.Web/sites",
"apiVersion": "2019-08-01",
"location": "location1",
"identity": {
"type": "SystemAssigned"
},
"tags": {},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": [
]
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Negative test num. 7 - bicep file
var identityName = 'value'
resource webSiteNegative2 'Microsoft.Web/sites@2020-12-01' = {
name: 'webSiteNegative2'
location: 'location1'
tags: {}
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',identityName)}': {}
}
}
properties: {
enabled: true
httpsOnly: true
}
}
Negative test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {
"identityName": "value"
},
"functions": [],
"resources": [
{
"name": "webSiteNegative2",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {}
}
},
"properties": {
"enabled": true,
"httpsOnly": true
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}