[Security] Implement Application-Level Authentication #19
Open
Description
Summary
Implement authentication for the web application using Azure AD Easy Auth or Azure AD B2C to protect against credential theft and unauthorized access.
Threats Addressed
- T-003: Credential Theft/Stuffing (High Risk)
Current State
- No authentication mechanism is defined in the infrastructure code
- Application endpoints are publicly reachable; no identity is verified before a request reaches the app
Acceptance Criteria
- Azure AD App Registration created
- Easy Auth (authsettingsV2) configured on App Service
- Authentication required for all routes (or configured allow list)
- Unauthenticated requests redirected to login
- MFA enforced via Conditional Access policy
- Sign-in risk policies enabled in Azure AD
Implementation Reference
See security-plan-sample-web-app.md for Bicep code samples.
```bicep
// Assumed for this sample: the App Service being protected and the client ID of the
// Azure AD App Registration from the acceptance criteria are passed in as parameters.
param appServiceName string
param aadClientId string

resource appService 'Microsoft.Web/sites@2023-12-01' existing = {
  name: appServiceName
}

resource appServiceAuthSettings 'Microsoft.Web/sites/config@2023-12-01' = {
  parent: appService
  name: 'authsettingsV2'
  properties: {
    platform: {
      enabled: true // turn the App Service authentication feature on
    }
    globalValidation: {
      // Every route requires a signed-in user; browsers are sent to the login page.
      requireAuthentication: true
      unauthenticatedClientAction: 'RedirectToLoginPage'
    }
    identityProviders: {
      azureActiveDirectory: {
        enabled: true
        registration: {
          // Single-tenant v2.0 issuer for the deploying tenant; no tenant ID is hard-coded.
          openIdIssuer: 'https://sts.windows.net/${subscription().tenantId}/v2.0'
          clientId: aadClientId
        }
      }
    }
  }
}
```
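A check to run against the deployed configuration, added here as an example and not part of this issue or of the referenced security plan: it takes the `properties` object of `authsettingsV2` (the shape `az webapp auth show` returns) and reports which of the acceptance criteria above fail. The allow list `ALLOWED_ANONYMOUS_PATHS` and both sample documents are constructed assumptions for the example. MFA and sign-in risk policies live in Conditional Access, not in this resource, so the check does not cover them.

```python
"""Validate an App Service authsettingsV2 document against the issue's acceptance criteria.

The input is the `properties` object of Microsoft.Web/sites/config 'authsettingsV2',
i.e. what `az webapp auth show` prints. Sample documents below are constructed.
"""
import re
from typing import Any

# Assumed allow list: the only routes permitted to bypass authentication.
ALLOWED_ANONYMOUS_PATHS = {"/health", "/robots.txt"}

# A single-tenant v2.0 issuer: a GUID tenant ID is required so that a typo or the
# multi-tenant 'common' issuer is rejected.
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
ISSUER_RE = re.compile(
    rf"^https://(sts\.windows\.net|login\.microsoftonline\.com)/{GUID}/v2\.0/?$"
)


def check_auth_settings(props: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the configuration passes."""
    findings: list[str] = []

    if (props.get("platform") or {}).get("enabled") is not True:
        findings.append("platform.enabled must be true")

    gv = props.get("globalValidation") or {}
    if gv.get("requireAuthentication") is not True:
        findings.append("globalValidation.requireAuthentication must be true")
    if gv.get("unauthenticatedClientAction") != "RedirectToLoginPage":
        findings.append("unauthenticatedClientAction must be RedirectToLoginPage")
    extra = set(gv.get("excludedPaths") or []) - ALLOWED_ANONYMOUS_PATHS
    if extra:
        findings.append(f"excludedPaths outside allow list: {sorted(extra)}")

    providers = props.get("identityProviders") or {}
    aad = providers.get("azureActiveDirectory") or {}
    if aad.get("enabled") is not True:
        findings.append("identityProviders.azureActiveDirectory.enabled must be true")
    reg = aad.get("registration") or {}
    if not reg.get("clientId"):
        findings.append("azureActiveDirectory.registration.clientId is empty")
    if not ISSUER_RE.match(reg.get("openIdIssuer") or ""):
        findings.append("openIdIssuer is not a single-tenant v2.0 issuer")

    # Any other provider left enabled widens the identity boundary beyond Azure AD.
    for name, provider in providers.items():
        if name != "azureActiveDirectory" and (provider or {}).get("enabled"):
            findings.append(f"unexpected identity provider enabled: {name}")
    return findings


# Constructed: a configuration that meets the acceptance criteria.
HARDENED_SETTINGS = {
    "platform": {"enabled": True},
    "globalValidation": {
        "requireAuthentication": True,
        "unauthenticatedClientAction": "RedirectToLoginPage",
        "excludedPaths": ["/health"],
    },
    "identityProviders": {
        "azureActiveDirectory": {
            "enabled": True,
            "registration": {
                "openIdIssuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/v2.0",
                "clientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            },
        }
    },
}

# Constructed: a configuration that leaves the app open in several ways at once.
WEAK_SETTINGS = {
    "platform": {"enabled": True},
    "globalValidation": {
        "requireAuthentication": False,
        "unauthenticatedClientAction": "AllowAnonymous",
        "excludedPaths": ["/health", "/admin"],
    },
    "identityProviders": {
        "azureActiveDirectory": {
            "enabled": True,
            "registration": {
                "openIdIssuer": "https://login.microsoftonline.com/common/v2.0",
                "clientId": "",
            },
        },
        "gitHub": {"enabled": True, "registration": {"clientId": "x"}},
    },
}

if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED_SETTINGS), ("weak", WEAK_SETTINGS)):
        print(label, check_auth_settings(doc) or "PASS")
```

Feed it the live settings with `az webapp auth show -g <rg> -n <app> --query properties` piped into `json.load`, and treat any finding as a failed acceptance criterion.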
Priority
P1 - Critical - Implement immediately