Multiple Azure resource types support authentication configuration, and several of them either allow anonymous access to be enabled explicitly or permit it by default when authentication is left unconfigured. Allowing anonymous access can expose sensitive data and operations to unauthorized users.
Allowing anonymous access to Azure resources means that any request, regardless of its origin, can interact with the resource without presenting credentials. For services such as App Service, API Management, Data Factory linked services, Storage Accounts, and Redis Caches, unauthenticated access can expose sensitive data and operations to unauthorized users. Enabling authentication ensures that only verified identities can access these resources, and provides an audit trail that supports the investigation of security incidents.
If anonymous access is permitted, an attacker can read, modify, or delete data and trigger operations without authentication. Depending on the resource type, this can result in data breaches, unauthorized API calls, service disruption, or unexpected Azure subscription costs due to resource abuse.
In each pair of templates below, the first template allows anonymous access to the Azure resource, leaving it accessible to any caller without authentication, and the second template enables authentication.
For App Service:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "example"
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "example",
"resources": [
{
"type": "config",
"apiVersion": "2022-03-01",
"name": "authsettingsV2",
"properties": {
"globalValidation": {
"requireAuthentication": true,
"unauthenticatedClientAction": "RedirectToLoginPage"
},
"platform": {
"enabled": true
}
}
}
]
}
]
}
For API Management:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2022-09-01-preview",
"name": "example"
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2022-09-01-preview",
"name": "example",
"resources": [
{
"type": "portalsettings",
"apiVersion": "2022-09-01-preview",
"name": "signin",
"properties": {
"enabled": true
}
},
{
"type": "apis",
"apiVersion": "2022-09-01-preview",
"name": "exampleApi",
"properties": {
"authenticationSettings": {
"openid": {
"bearerTokenSendingMethods": ["authorizationHeader"],
"openidProviderId": "<an OpenID provider ID>"
}
}
}
}
]
}
]
}
For Data Factory Linked Services:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataFactory/factories/linkedservices",
"apiVersion": "2018-06-01",
"name": "example",
"properties": {
"type": "Web",
"typeProperties": {
"authenticationType": "Anonymous"
}
}
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"pfx": {
"type": "securestring"
},
"pfxPassword": {
"type": "securestring"
}
},
"resources": [
{
"type": "Microsoft.DataFactory/factories/linkedservices",
"apiVersion": "2018-06-01",
"name": "example",
"properties": {
"type": "Web",
"typeProperties": {
"authenticationType": "ClientCertificate",
"url": "https://example.com",
"pfx": {
"type": "SecureString",
"value": "[parameters('pfx')]"
},
"password": {
"type": "SecureString",
"value": "[parameters('pfxPassword')]"
}
}
}
}
]
}
For Storage Accounts:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"properties": {
"allowBlobPublicAccess": true
}
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"properties": {
"allowBlobPublicAccess": false
}
}
]
}
For Storage Containers:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2022-09-01",
"name": "blobContainerExample",
"properties": {
"publicAccess": "Blob"
}
}
]
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "example",
"resources": [
{
"type": "blobServices/containers",
"apiVersion": "2022-09-01",
"name": "blobContainerExample",
"properties": {
"publicAccess": "None"
}
}
]
}
]
}
For Redis Caches:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Cache/redis",
"apiVersion": "2022-06-01",
"name": "example",
"properties": {
"redisConfiguration": {
"authnotrequired": "true"
}
}
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Cache/redis",
"apiVersion": "2022-06-01",
"name": "example",
"properties": {
"redisConfiguration": {}
}
}
]
}
In each pair of Bicep examples below, the snippet marked Noncompliant allows anonymous access to the Azure resource, leaving it accessible to any caller without authentication, and the snippet marked Compliant enables authentication.
For App Service:
// Noncompliant: the site declares no authsettingsV2 config child resource, so
// App Service built-in authentication is not configured and every request reaches
// the application without being challenged for credentials.
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: 'example'
  // Noncompliant: no authentication defined
}
// Compliant: the authsettingsV2 config child resource turns on App Service
// built-in authentication for the whole site.
// NOTE(review): no identityProviders block is shown in this excerpt; a deployable
// configuration also needs at least one provider configured — confirm.
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: 'example'
  resource authSettings 'config@2022-09-01' = { // Compliant
    name: 'authsettingsV2'
    properties: {
      globalValidation: {
        // Every request must carry a valid identity ...
        requireAuthentication: true
        // ... and unauthenticated callers are redirected to the login page. For an
        // API consumed by non-browser clients, 'Return401' is the usual alternative.
        unauthenticatedClientAction: 'RedirectToLoginPage'
      }
      platform: {
        // Switches the authentication feature itself on; the globalValidation
        // settings are not expected to enforce anything while the platform is off.
        enabled: true
      }
    }
  }
}
For API Management:
// Noncompliant: neither developer-portal sign-in nor the API itself requires
// authentication, so the API and its portal are reachable by any caller.
resource apiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
  name: 'example'
  // Noncompliant: no portal authentication defined
  resource apis 'apis@2022-09-01-preview' = {
    name: 'exampleApi'
    properties: {
      path: '/test'
      // Noncompliant: no API authentication defined
    }
  }
}
// Compliant: developer-portal sign-in is required and the API declares an OpenID
// Connect bearer-token scheme, so anonymous callers are rejected on both fronts.
// NOTE(review): authenticationSettings describes the scheme for the developer
// portal; gateway-side validation of the token normally comes from a validate-jwt
// policy applied to the API — confirm one is in place.
resource apiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
  name: 'example'
  resource portalSettings 'portalsettings@2022-09-01-preview' = {
    name: 'signin'
    properties: {
      enabled: true // Compliant: Sign-in is enabled for portal access
    }
  }
  resource apis 'apis@2022-09-01-preview' = {
    name: 'exampleApi'
    properties: {
      path: '/test'
      authenticationSettings: { // Compliant: API has authentication enabled
        openid: {
          // Tokens are accepted from the Authorization header rather than a query parameter.
          bearerTokenSendingMethods: ['authorizationHeader']
          // Placeholder: the name of an openidConnectProviders resource of this service.
          openidProviderId: '<an OpenID provider ID>'
        }
      }
    }
  }
}
For Data Factory Linked Services:
// Noncompliant: the Web linked service sends its requests without any credentials,
// so the connection relies entirely on the remote endpoint being open to everyone.
resource linkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
  name: 'example'
  properties: {
    type: 'Web'
    typeProperties: {
      authenticationType: 'Anonymous' // Noncompliant
    }
  }
}
// Certificate material is supplied through @secure() parameters so that the
// values are not written into the template as literals and are intended to stay
// out of deployment history and outputs.
@secure()
@description('The PFX certificate for authentication, base64-encoded')
param pfx string
@secure()
@description('The password for the PFX certificate')
param pfxPassword string
// Compliant: the Web linked service authenticates to the endpoint with a client
// certificate; the PFX and its password come from the @secure() parameters
// declared above rather than from literals in the template.
resource linkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
  name: 'example'
  properties: {
    type: 'Web'
    typeProperties: {
      authenticationType: 'ClientCertificate'
      url: 'https://example.com'
      // Base64-encoded PFX bundle, wrapped as a SecureString so Data Factory
      // treats it as a secret.
      pfx: {
        type: 'SecureString'
        value: pfx
      }
      // Password protecting the PFX, likewise wrapped as a SecureString.
      password: {
        type: 'SecureString'
        value: pfxPassword
      }
    }
  }
}
For Storage Accounts:
// Noncompliant: allowBlobPublicAccess is the account-level switch; while it is
// true, any container in the account may be configured for anonymous read access.
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  properties: {
    allowBlobPublicAccess: true // Noncompliant
  }
}
// Compliant: disabling public access at the account level blocks anonymous blob
// reads and is expected to take precedence over any per-container publicAccess
// setting.
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  properties: {
    allowBlobPublicAccess: false // Compliant
  }
}
For Storage Containers:
// Noncompliant: publicAccess 'Blob' lets anyone who knows a blob's URL read it
// without credentials ('Container' would additionally allow listing the container).
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  resource blobService 'blobServices@2022-09-01' = {
    name: 'default'
    resource containers 'containers@2022-09-01' = {
      name: 'exampleContainer'
      properties: {
        publicAccess: 'Blob' // Noncompliant
      }
    }
  }
}
// Compliant: publicAccess 'None' keeps the container private, so only
// authorized requests can read its blobs.
// NOTE(review): the account-level allowBlobPublicAccess is not set in this
// excerpt; pairing it with allowBlobPublicAccess: false (as in the Storage
// Accounts example) closes anonymous access at both levels.
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'example'
  resource blobService 'blobServices@2022-09-01' = {
    name: 'default'
    resource containers 'containers@2022-09-01' = {
      name: 'exampleContainer'
      properties: {
        publicAccess: 'None' // Compliant
      }
    }
  }
}
For Redis Caches:
// Noncompliant: the redisConfiguration entry authnotrequired: 'true' turns off
// access-key authentication, so any client that can reach the cache endpoint can
// issue commands. redisConfiguration values are strings, hence 'true' not true.
resource redisCache 'Microsoft.Cache/redis@2023-04-01' = {
  name: 'example'
  location: location // assumes a `location` parameter declared outside this excerpt
  properties: {
    redisConfiguration: {
      authnotrequired: 'true' // Noncompliant
    }
  }
}
// Compliant: authnotrequired is absent, so the cache keeps its default of
// requiring an access key on every connection.
resource redisCache 'Microsoft.Cache/redis@2023-04-01' = {
  name: 'example'
  location: location // assumes a `location` parameter declared outside this excerpt
  properties: {
    redisConfiguration: {
      // Compliant: authentication is enabled by default
    }
  }
}