Azure App Service Security โ€“ Comprehensive Guide

Azure App Service Security

Securing Azure Web Apps: VNet Integration for private connectivity, Managed Identity for passwordless access to Azure resources, Easy Auth for built-in authentication, and Key Vault References.

VNet Integration Managed Identity Key Vault Easy Auth

๐Ÿ“‹ App Service Security Overview

Azure App Service has multiple security layers. The four must-enables for every production app:

Security AreaFeatureBenefit
NetworkVNet Integration + Private EndpointNo Public Exposure
IdentityManaged IdentityNo Credentials in Code
SecretsKey Vault ReferencesNo Secrets in App Settings
AuthenticationEasy Auth (EasyAuth)IdP-based Auth without Code
MonitoringDefender for App ServiceThreat Detection
๐Ÿ’ก
Minimum Baseline

Every production App Service should have: HTTPS Only โœ… ยท TLS 1.2 minimum โœ… ยท Managed Identity โœ… ยท Authentication (Entra ID) โœ…

๐ŸŒ Network Isolation

Protect your app from public internet exposure using inbound Private Endpoints and outbound VNet Integration.

1

Private Endpoint โ€” Inbound

Block public access to the App. App accessible only from VNet via Private IP. Set "Public network access" โ†’ Disabled in Azure Portal.

2

VNet Integration โ€” Outbound

App Service routes outbound calls through VNet โ†’ to databases, APIs, Key Vault. Enable in: Networking โ†’ VNet Integration โ†’ Add VNet.

3

Route All Traffic Through VNet

App Settings: WEBSITE_VNET_ROUTE_ALL=1 โ€” all internet traffic routes through your Firewall/NSG first.

๐Ÿšซ
Private Endpoint
Inbound traffic โ€” blocks all public internet access. App reachable only from within VNet via private IP address.
๐Ÿ”—
VNet Integration
Outbound traffic โ€” app calls to databases, Key Vault, storage go through VNet. Enables NSG/Firewall control on egress.

๐Ÿ”‘ Managed Identity + Key Vault References

Instead of storing connection strings in App Settings (visible in Portal), use Managed Identity to access Key Vault:

1

Enable System-Assigned Managed Identity

Portal: App Service โ†’ Identity โ†’ System assigned โ†’ Status: On โ†’ Save. This creates an identity in Entra ID for the app.

2

Grant Key Vault Secrets User Role

Key Vault โ†’ Access control (IAM) โ†’ Add role assignment โ†’ Key Vault Secrets User โ†’ select the App Service's managed identity.

3

Use Key Vault References in App Settings

App Settings value: @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/dbconnection/)

โœ… Result: Secret doesn't exist in App Settings โ€” even someone with Portal access can't see the Connection String. App Service automatically resolves the reference at runtime.

Without Managed IdentityWith Managed Identity + Key Vault
Connection string visible in PortalOnly a Key Vault reference โ€” no secret visible
Secret in App Settings (plaintext)Secret lives only in Key Vault
Manual rotation requiredAutomatic rotation supported
Credentials in code or configZero credentials anywhere in app

๐Ÿ”’ Easy Auth โ€” Built-in Authentication

Easy Auth is an authentication module built into App Service that runs before the app code handles any request. Zero lines of auth code required.

โšก
Zero Code Required
Configuration only in Portal or ARM Template. App Service handles the entire OIDC flow automatically.
๐Ÿ”‘
Token Store
App Service stores tokens automatically โ€” app can call Graph/APIs with the user's token via /.auth/me.
SettingRecommended ValueNotes
Identity ProviderMicrosoft (Entra ID)Use your tenant App Registration
Unauthenticated requestsHTTP 401 UnauthorizedNot redirect โ€” APIs should get 401
Token StoreEnabledRequired for on-behalf-of flows
Allowed Token AudiencesYour App URIValidates the aud claim in token
โ„น๏ธ
Supported Identity Providers

Microsoft Entra ID, Google, Facebook, GitHub, Apple, Twitter, and any Custom OpenID Connect provider.

โœ… Checklist โ€” App Service Security

    Network
  • Create Private Endpoint (block public access)
  • Configure VNet Integration for outbound
  • Set WEBSITE_VNET_ROUTE_ALL=1
  • Minimum TLS 1.2
  • HTTPS Only โ€” enabled
  • Identity & Secrets
  • Enable System-Assigned Managed Identity
  • Store all Secrets in Key Vault (not App Settings)
  • Use Key Vault References in App Settings
  • Grant least-privilege RBAC role to Managed Identity
  • Authentication
  • Enable Easy Auth with Entra ID
  • Reject Unauthenticated requests (not redirect)
  • Configure Allowed Token Audiences
  • Monitoring
  • Enable Defender for App Service
  • Configure Diagnostic Logs โ†’ Log Analytics
  • Alert on HTTP 4xx/5xx error spikes