Use identity-based authentication for App Configuration
Security · App Configuration · Rule · 2022_09
Authenticate App Configuration clients with Azure AD identities.
Description
Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Azure Active Directory (Azure AD) credentials or an access key. Of these two authentication schemes, Azure AD provides better security and ease of use than access keys and is the scheme Microsoft recommends. To require clients to authenticate requests with Azure AD, you can disable the use of access keys for an Azure App Configuration resource.
When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent request to the resource that uses a previously existing access key is rejected; only requests authenticated with Azure AD succeed.
Recommendation
Consider using only Azure AD identities to access App Configuration data, then disable authentication based on access keys or SAS tokens.
Examples
Configure with Azure template
To deploy configuration stores that pass this rule:
- Set the `properties.disableLocalAuth` property to `true`.
For example:
```json
{
  "type": "Microsoft.AppConfiguration/configurationStores",
  "apiVersion": "2023-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "standard"
  },
  "properties": {
    "disableLocalAuth": true,
    "enablePurgeProtection": true,
    "publicNetworkAccess": "Disabled"
  }
}
```
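The rule condition above is simple enough to check yourself before a template reaches a pipeline. The following Python script is an added example, not code from this documentation page or from the PSRule engine: it walks the `resources` array of an ARM template, finds every `Microsoft.AppConfiguration/configurationStores` resource, and reports `Pass` only when `properties.disableLocalAuth` is literally `true`. It also shows the two cases a template author most often gets wrong: the property is omitted (the service default keeps access keys enabled, so that is a `Fail`), or the value is a `[parameters('...')]` reference, which the script resolves from the parameter's `defaultValue` and otherwise reports as `Unknown`. The template embedded below is constructed for the example; the first resource is the passing store from this page, the others are deliberately weak variants. The parameter-resolution logic is a simplification assumed here, not how PSRule evaluates template expressions.

```python
import json
import re

STORE_TYPE = "Microsoft.AppConfiguration/configurationStores"
# Matches a whole-value ARM parameter reference such as "[parameters('name')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Constructed template: one passing store (from the page) plus three weak variants.
TEMPLATE = json.loads(r'''
{
  "parameters": {
    "name": {"type": "string", "defaultValue": "store01"},
    "location": {"type": "string", "defaultValue": "eastus"},
    "localAuth": {"type": "bool", "defaultValue": false},
    "localAuthNoDefault": {"type": "bool"}
  },
  "resources": [
    {"type": "Microsoft.AppConfiguration/configurationStores", "apiVersion": "2023-03-01",
     "name": "[parameters('name')]", "location": "[parameters('location')]",
     "sku": {"name": "standard"},
     "properties": {"disableLocalAuth": true, "enablePurgeProtection": true,
                    "publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.AppConfiguration/configurationStores", "apiVersion": "2023-03-01",
     "name": "store-property-omitted", "location": "[parameters('location')]",
     "sku": {"name": "standard"},
     "properties": {"enablePurgeProtection": true}},
    {"type": "Microsoft.AppConfiguration/configurationStores", "apiVersion": "2023-03-01",
     "name": "store-param-default-false", "location": "[parameters('location')]",
     "sku": {"name": "standard"},
     "properties": {"disableLocalAuth": "[parameters('localAuth')]"}},
    {"type": "Microsoft.AppConfiguration/configurationStores", "apiVersion": "2023-03-01",
     "name": "store-param-no-default", "location": "[parameters('location')]",
     "sku": {"name": "standard"},
     "properties": {"disableLocalAuth": "[parameters('localAuthNoDefault')]"}}
  ]
}
''')


def resolve(value, parameters):
    """Return a literal unchanged; resolve a [parameters('x')] reference to the
    parameter's defaultValue, or None when no default exists (value is only
    known at deployment time)."""
    if isinstance(value, str):
        match = PARAM_REF.match(value.strip())
        if match:
            return parameters.get(match.group(1), {}).get("defaultValue")
    return value


def evaluate_store(resource, parameters):
    """Evaluate one configuration store. Returns (name, outcome, reason)."""
    name = resolve(resource.get("name"), parameters) or resource.get("name")
    props = resource.get("properties") or {}
    if "disableLocalAuth" not in props:
        # Absent property: the service default applies and access keys stay enabled.
        return name, "Fail", "disableLocalAuth not set; access keys remain enabled by default"
    raw = props["disableLocalAuth"]
    value = resolve(raw, parameters)
    if value is True:
        return name, "Pass", "disableLocalAuth is true"
    if isinstance(raw, str) and PARAM_REF.match(raw) and value is None:
        return name, "Unknown", f"{raw} has no defaultValue; check the value supplied at deployment"
    return name, "Fail", f"disableLocalAuth resolves to {json.dumps(value)}"


def evaluate_template(template):
    """Evaluate every App Configuration store in the template's resources array."""
    parameters = template.get("parameters", {})
    return [
        evaluate_store(resource, parameters)
        for resource in template.get("resources", [])
        if str(resource.get("type", "")).lower() == STORE_TYPE.lower()
    ]


if __name__ == "__main__":
    for name, outcome, reason in evaluate_template(TEMPLATE):
        print(f"{outcome:8} {name}: {reason}")
```

The `Unknown` outcome matters in practice: a template that leaves `disableLocalAuth` to a parameter without a default can pass or fail depending on the parameter file used at deployment time, so the check should be run with the real parameter values rather than on the template alone.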
Configure with Bicep
To deploy configuration stores that pass this rule:
- Set the `properties.disableLocalAuth` property to `true`.
For example:
```bicep
resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
  name: name
  location: location
  sku: {
    name: 'standard'
  }
  properties: {
    disableLocalAuth: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
  }
}
```
Configure with Bicep Public Registry
To deploy App Configuration Stores that pass this rule:
- Set the `params.disableLocalAuth` parameter to `true`.
For example:
```bicep
module store 'br/public:app/app-configuration:1.1.1' = {
  name: 'store'
  params: {
    skuName: 'Standard'
    disableLocalAuth: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
  }
}
```
Links
- Centralize all identity systems
- IM-1: Use centralized identity and authentication system
- Authorize access to Azure App Configuration using Azure Active Directory
- Disable access key authentication
- Public registry
- Azure deployment reference