Azure App Service Security โ Comprehensive Guide
Azure App Service Security
Securing Azure Web Apps: VNet Integration for private connectivity, Managed Identity for passwordless access to Azure resources, Easy Auth for built-in authentication, and Key Vault References.
๐ App Service Security Overview
Azure App Service has multiple security layers. The four must-enables for every production app:
| Security Area | Feature | Benefit |
|---|---|---|
| Network | VNet Integration + Private Endpoint | No Public Exposure |
| Identity | Managed Identity | No Credentials in Code |
| Secrets | Key Vault References | No Secrets in App Settings |
| Authentication | Easy Auth (EasyAuth) | IdP-based Auth without Code |
| Monitoring | Defender for App Service | Threat Detection |
Every production App Service should have: HTTPS Only โ ยท TLS 1.2 minimum โ ยท Managed Identity โ ยท Authentication (Entra ID) โ
๐ Network Isolation
Protect your app from public internet exposure using inbound Private Endpoints and outbound VNet Integration.
Private Endpoint โ Inbound
Block public access to the App. App accessible only from VNet via Private IP. Set "Public network access" โ Disabled in Azure Portal.
VNet Integration โ Outbound
App Service routes outbound calls through VNet โ to databases, APIs, Key Vault. Enable in: Networking โ VNet Integration โ Add VNet.
Route All Traffic Through VNet
App Settings: WEBSITE_VNET_ROUTE_ALL=1 โ all internet traffic routes through your Firewall/NSG first.
๐ Managed Identity + Key Vault References
Instead of storing connection strings in App Settings (visible in Portal), use Managed Identity to access Key Vault:
Enable System-Assigned Managed Identity
Portal: App Service โ Identity โ System assigned โ Status: On โ Save. This creates an identity in Entra ID for the app.
Grant Key Vault Secrets User Role
Key Vault โ Access control (IAM) โ Add role assignment โ Key Vault Secrets User โ select the App Service's managed identity.
Use Key Vault References in App Settings
App Settings value: @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/dbconnection/)
โ Result: Secret doesn't exist in App Settings โ even someone with Portal access can't see the Connection String. App Service automatically resolves the reference at runtime.
| Without Managed Identity | With Managed Identity + Key Vault |
|---|---|
| Connection string visible in Portal | Only a Key Vault reference โ no secret visible |
| Secret in App Settings (plaintext) | Secret lives only in Key Vault |
| Manual rotation required | Automatic rotation supported |
| Credentials in code or config | Zero credentials anywhere in app |
๐ Easy Auth โ Built-in Authentication
Easy Auth is an authentication module built into App Service that runs before the app code handles any request. Zero lines of auth code required.
/.auth/me.| Setting | Recommended Value | Notes |
|---|---|---|
| Identity Provider | Microsoft (Entra ID) | Use your tenant App Registration |
| Unauthenticated requests | HTTP 401 Unauthorized | Not redirect โ APIs should get 401 |
| Token Store | Enabled | Required for on-behalf-of flows |
| Allowed Token Audiences | Your App URI | Validates the aud claim in token |
Microsoft Entra ID, Google, Facebook, GitHub, Apple, Twitter, and any Custom OpenID Connect provider.
โ Checklist โ App Service Security
- Create Private Endpoint (block public access)
- Configure VNet Integration for outbound
- Set WEBSITE_VNET_ROUTE_ALL=1
- Minimum TLS 1.2
- HTTPS Only โ enabled
- Enable System-Assigned Managed Identity
- Store all Secrets in Key Vault (not App Settings)
- Use Key Vault References in App Settings
- Grant least-privilege RBAC role to Managed Identity
- Enable Easy Auth with Entra ID
- Reject Unauthenticated requests (not redirect)
- Configure Allowed Token Audiences
- Enable Defender for App Service
- Configure Diagnostic Logs โ Log Analytics
- Alert on HTTP 4xx/5xx error spikes