Skip to content

Use identity-based authentication for App Configuration#

Security · App Configuration · Rule · 2022_09

Authenticate App Configuration clients with Azure AD identities.

Description#

Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Azure Active Directory (Azure AD) credentials, or by using an access key. Of these two types of authentication schemes, Azure AD provides superior security and ease of use over access keys, and is recommended by Microsoft. To require clients to use Azure AD to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource.

When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Azure AD will succeed.

Recommendation#

Consider only using Azure AD identities to access App Configuration data. Then disable authentication based on access keys or SAS tokens.

Examples#

Configure with Azure template#

To deploy configuration stores that pass this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.AppConfiguration/configurationStores",
  "apiVersion": "2023-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "standard"
  },
  "properties": {
    "disableLocalAuth": true,
    "enablePurgeProtection": true,
    "publicNetworkAccess": "Disabled"
  }
}

Configure with Bicep#

To deploy configuration stores that pass this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

Azure Bicep snippet
resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
  name: name
  location: location
  sku: {
    name: 'standard'
  }
  properties: {
    disableLocalAuth: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
  }
}

Configure with Bicep Public Registry#

To deploy App Configuration Stores that pass this rule:

  • Set the params.disableLocalAuth parameter to true.

For example:

Azure Bicep snippet
module store 'br/public:app/app-configuration:1.1.1' = {
  name: 'store'
  params: {
    skuName: 'Standard'
    disableLocalAuth: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
  }
}
Last update: 2023-07-15

Comments