App Service Default Configuration Leaves Gaps

Azure App Service hosts web applications, REST APIs, and mobile backends on a fully managed platform. Out of the box, it provides HTTPS support, platform patching, and basic DDoS protection. But the default configuration exposes the SCM deployment site publicly, accepts connections on older TLS versions, leaves authentication to the application code, and provides no network isolation. Hardening App Service closes these gaps by locking down network access, enforcing strong authentication, securing secrets, and enabling threat detection.

Threat Landscape and Attack Surface

Hardening Azure App Service requires understanding the threat landscape specific to this service. Azure services are attractive targets because they often store, process, or transmit sensitive data and provide control-plane access to cloud infrastructure. Attackers probe for misconfigured services using automated scanners that continuously sweep Azure IP ranges for exposed endpoints, weak authentication, and default configurations.

The attack surface for Azure App Service includes several dimensions. The network perimeter determines who can reach the service endpoints. The identity and access layer controls what authenticated principals can do. The data plane governs how data is protected at rest and in transit. The management plane controls who can modify the service configuration itself. A comprehensive hardening strategy addresses all four dimensions because a weakness in any single layer can be exploited to bypass the controls in other layers.

Microsoft’s shared responsibility model means that while Azure secures the physical infrastructure, network fabric, and hypervisor, you are responsible for configuring the service securely. Default configurations prioritize ease of setup over security. Every Azure service ships with settings that must be tightened for production use, and this guide walks through the critical configurations that should be changed from their defaults.

The MITRE ATT&CK framework for cloud environments provides a structured taxonomy of attack techniques that adversaries use against Azure services. Common techniques relevant to Azure App Service include initial access through exposed credentials or misconfigured endpoints, lateral movement through overly permissive RBAC assignments, and data exfiltration through unmonitored data plane operations. Each hardening control in this guide maps to one or more of these attack techniques.

Compliance and Regulatory Context

Security hardening is not just a technical exercise. It is a compliance requirement for virtually every regulatory framework that applies to cloud workloads. SOC 2 Type II requires evidence of security controls for cloud services. PCI DSS mandates network segmentation and encryption for payment data. HIPAA requires access controls and audit logging for health information. ISO 27001 demands a systematic approach to information security management. FedRAMP requires specific configurations for government workloads.

Azure Policy and Microsoft Defender for Cloud provide built-in compliance assessments against these frameworks. After applying the hardening configurations in this guide, run a compliance scan to verify your security posture against your applicable regulatory standards. Address any remaining findings to achieve and maintain compliance. Export compliance reports on a scheduled basis to satisfy audit requirements and demonstrate continuous adherence.

The Microsoft cloud security benchmark provides a comprehensive set of security controls mapped to common regulatory frameworks. Use this benchmark as a checklist to verify that your hardening effort covers all required areas. Each control includes Azure-specific implementation guidance and links to the relevant Azure service documentation.

Network Security

Private Endpoints

Private endpoints assign a private IP from your VNet to the App Service, making it accessible only from your private network. This is the strongest inbound network control available:

# Create private endpoint for App Service
az network private-endpoint create \
  --name pe-webapp-prod \
  --resource-group rg-networking \
  --vnet-name vnet-hub \
  --subnet snet-private-endpoints \
  --private-connection-resource-id "/subscriptions/{subId}/resourceGroups/rg-apps/providers/Microsoft.Web/sites/webapp-prod" \
  --group-id sites \
  --connection-name webapp-pe-connection

# Configure private DNS zone for name resolution
az network private-dns zone create --resource-group rg-networking --name privatelink.azurewebsites.net
az network private-dns link vnet create --resource-group rg-networking \
  --zone-name privatelink.azurewebsites.net \
  --name link-vnet-hub --virtual-network vnet-hub --registration-enabled false

Access Restrictions

If private endpoints are not feasible, use access restrictions to limit inbound traffic by IP address, VNet subnet, or service tag:

# Allow traffic only from specific VNet subnet
az webapp config access-restriction add \
  --resource-group rg-apps --name webapp-prod \
  --priority 100 --action Allow \
  --vnet-name vnet-hub --subnet snet-frontend

# Allow traffic from Azure Front Door only
az webapp config access-restriction add \
  --resource-group rg-apps --name webapp-prod \
  --priority 200 --action Allow \
  --service-tag AzureFrontDoor.Backend \
  --http-header x-azure-fdid=your-front-door-id

# Deny all other traffic (implicit deny when rules exist)

# Restrict SCM site separately
az webapp config access-restriction add \
  --resource-group rg-apps --name webapp-prod \
  --priority 100 --action Allow \
  --ip-address 10.0.0.0/24 --scm-site true

Always restrict the SCM (deployment) site separately. By default, the SCM site inherits the main site’s access restrictions, but you can configure independent rules. The SCM site hosts Kudu, deployment endpoints, and diagnostic consoles — it should be more restricted than the main site.

VNet Integration (Outbound)

# Enable VNet integration for outbound traffic
az webapp vnet-integration add \
  --resource-group rg-apps --name webapp-prod \
  --vnet vnet-hub --subnet snet-app-integration

# Route all outbound traffic through the VNet
az webapp config appsettings set \
  --resource-group rg-apps --name webapp-prod \
  --settings WEBSITE_VNET_ROUTE_ALL=1

VNet integration controls outbound traffic. With WEBSITE_VNET_ROUTE_ALL=1, all egress (including to Azure services) routes through the VNet, enabling NSG and firewall control over outbound connections.

Authentication and Authorization

Built-In Authentication (Easy Auth)

Enable platform-level authentication without modifying application code:

# Enable Microsoft Entra ID authentication
az webapp auth microsoft update \
  --resource-group rg-apps --name webapp-prod \
  --client-id "app-registration-client-id" \
  --issuer "https://login.microsoftonline.com/{tenantId}/v2.0" \
  --allowed-audiences "api://webapp-prod"

# Require authentication for all requests
az webapp auth update \
  --resource-group rg-apps --name webapp-prod \
  --unauthenticated-client-action RedirectToLoginPage \
  --enabled true

Set unauthenticated-client-action to RedirectToLoginPage for web apps or Return401 for APIs. This ensures every request is authenticated at the platform level before reaching your application code.

Managed Identity

# Enable system-assigned managed identity
az webapp identity assign --resource-group rg-apps --name webapp-prod

# Use managed identity to access Key Vault, SQL, Storage without credentials
az keyvault set-policy --name kv-prod \
  --object-id $(az webapp identity show --resource-group rg-apps --name webapp-prod --query principalId -o tsv) \
  --secret-permissions get list

TLS/SSL Configuration

# Enforce minimum TLS 1.2
az webapp config set --resource-group rg-apps --name webapp-prod --min-tls-version 1.2

# Enable HTTPS Only (redirect HTTP to HTTPS)
az webapp update --resource-group rg-apps --name webapp-prod --https-only true

# Require client certificates (mTLS)
az webapp update --resource-group rg-apps --name webapp-prod --client-cert-enabled true \
  --client-cert-mode Required

Set --client-cert-mode Required for APIs that need mutual TLS. Use Optional if only some endpoints require client certificates and your application handles the validation logic.

Secrets Management

Key Vault References

Never store secrets in app settings directly. Use Key Vault references to pull secrets at runtime:

# Set app setting as Key Vault reference
az webapp config appsettings set \
  --resource-group rg-apps --name webapp-prod \
  --settings "DatabasePassword=@Microsoft.KeyVault(VaultName=kv-prod;SecretName=db-password)"

Key Vault references require the app’s managed identity to have Get permission on Key Vault secrets. The secret is resolved at runtime — the app setting value in the portal shows the reference syntax, not the secret value. Secret rotation in Key Vault is automatically picked up without app restart.

Connection Strings

Use connection strings with managed identity authentication instead of embedded credentials:

# Use managed identity for SQL connection (no password)
az webapp config connection-string set \
  --resource-group rg-apps --name webapp-prod --connection-string-type SQLAzure \
  --settings "DefaultConnection=Server=sql-prod.database.windows.net;Database=appdb;Authentication=Active Directory Managed Identity"

Identity and Access Management Deep Dive

Identity is the primary security perimeter in cloud environments. For Azure App Service, implement a robust identity and access management strategy that follows the principle of least privilege.

Managed Identities: Use system-assigned or user-assigned managed identities for service-to-service authentication. Managed identities eliminate the need for stored credentials (connection strings, API keys, or service principal secrets) that can be leaked, stolen, or forgotten in configuration files. Azure automatically rotates the underlying certificates, removing the operational burden of credential rotation.

Custom RBAC Roles: When built-in roles grant more permissions than required, create custom roles that include only the specific actions needed. For example, if a monitoring service only needs to read metrics and logs from Azure App Service, create a custom role with only the Microsoft.Insights/metrics/read and Microsoft.Insights/logs/read actions rather than assigning the broader Reader or Contributor roles.

Conditional Access: For human administrators accessing Azure App Service through the portal or CLI, enforce Conditional Access policies that require multi-factor authentication, compliant devices, and approved locations. Set session lifetime limits so that administrative sessions expire after a reasonable period, forcing re-authentication.

Just-In-Time Access: Use Azure AD Privileged Identity Management (PIM) to provide time-limited, approval-required elevation for administrative actions. Instead of permanently assigning Contributor or Owner roles, require administrators to activate their role assignment for a specific duration with a business justification. This reduces the window of exposure if an administrator’s account is compromised.

Service Principal Hygiene: If managed identities cannot be used (for example, for external services or CI/CD pipelines), use certificate-based authentication for service principals rather than client secrets. Certificates are harder to accidentally expose than text secrets, and Azure Key Vault can automate their rotation. Set short expiration periods for any client secrets and monitor for secrets that are approaching expiration.

Runtime Security

# Disable remote debugging
az webapp config set --resource-group rg-apps --name webapp-prod --remote-debugging-enabled false

# Disable FTP access
az webapp config set --resource-group rg-apps --name webapp-prod --ftps-state Disabled

# Use latest runtime version
az webapp config set --resource-group rg-apps --name webapp-prod --net-framework-version v8.0

# Enable HTTP/2
az webapp config set --resource-group rg-apps --name webapp-prod --http20-enabled true

# Set platform to 64-bit
az webapp config set --resource-group rg-apps --name webapp-prod --use-32bit-worker-process false

Disable FTP entirely — use deployment slots, GitHub Actions, or Azure DevOps for deployments. FTP transmits credentials in cleartext even over FTPS and provides an unnecessary attack surface.

CORS Hardening

# Configure CORS with specific origins only
az webapp cors add --resource-group rg-apps --name webapp-prod \
  --allowed-origins https://app.contoso.com https://portal.contoso.com

# Remove wildcard if present
az webapp cors remove --resource-group rg-apps --name webapp-prod --allowed-origins '*'

Security Monitoring and Threat Detection

Hardening configurations are only effective if you can detect when they are bypassed, misconfigured, or degraded. Implement comprehensive security monitoring for Azure App Service that covers authentication events, authorization decisions, configuration changes, and data access patterns.

Enable Microsoft Defender for Cloud and activate the relevant protection plan for this service type. Defender provides threat detection powered by Microsoft’s global threat intelligence, behavioral analytics that identify suspicious patterns, and just-in-time alerts when potential security incidents are detected. Review and triage Defender alerts daily, and integrate them into your security incident response workflow.

Configure Microsoft Sentinel to ingest logs from Azure App Service and apply analytics rules that detect attack indicators. Common detection scenarios include brute force authentication attempts, access from unusual geographic locations, privilege escalation through role assignment changes, and data exfiltration through unusual data transfer patterns. Create custom analytics rules for scenarios specific to your environment, such as access outside of maintenance windows or modifications by unauthorized automation accounts.

Implement Azure Policy assignments that continuously monitor your resources for configuration drift from your hardened baseline. Use the audit effect to detect non-compliant resources and the deny effect to prevent the creation of resources that do not meet your security standards. Review policy compliance reports weekly and remediate any drift immediately, as configuration changes that weaken security controls may indicate either accidental misconfiguration or deliberate tampering.

Conduct tabletop exercises that simulate security incidents involving Azure App Service. Walk through scenarios such as compromised credentials, data breach notification, ransomware attack, and insider threat. These exercises test your team’s ability to detect, contain, and recover from security incidents using the hardening controls and monitoring capabilities you have implemented. Document lessons learned and improve your security controls based on the gaps identified during the exercise.

Deployment Security

Deployment Slots

Use deployment slots to validate changes before they reach production. The staging slot can have different access restrictions (e.g., internal-only access for testing) while production remains locked down.

Disable SCM Basic Auth

# Disable basic auth on SCM site (enforce AAD auth)
az resource update --resource-group rg-apps \
  --name "webapp-prod/scm" \
  --resource-type "Microsoft.Web/sites/basicPublishingCredentialsPolicies" \
  --set properties.allow=false

# Disable basic auth on FTP
az resource update --resource-group rg-apps \
  --name "webapp-prod/ftp" \
  --resource-type "Microsoft.Web/sites/basicPublishingCredentialsPolicies" \
  --set properties.allow=false

Disabling basic authentication on the SCM site forces all deployment operations to use Azure AD authentication, eliminating the risk of stolen deployment credentials.

Monitoring and Threat Detection

# Enable diagnostic logging
az webapp log config --resource-group rg-apps --name webapp-prod \
  --application-logging filesystem --level warning \
  --web-server-logging filesystem --detailed-error-messages true

# Send logs to Log Analytics
az monitor diagnostic-settings create \
  --name webapp-diagnostics \
  --resource "/subscriptions/{subId}/resourceGroups/rg-apps/providers/Microsoft.Web/sites/webapp-prod" \
  --workspace "/subscriptions/{subId}/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/law-prod" \
  --logs '[{"category":"AppServiceHTTPLogs","enabled":true},{"category":"AppServiceAuditLogs","enabled":true},{"category":"AppServicePlatformLogs","enabled":true}]'

Defender for App Service

Microsoft Defender for App Service provides threat detection for web applications including:

• Detection of known attack patterns (path traversal, scanner fingerprints)
• Dangling DNS detection (subdomain takeover risk)
• Anomalous request patterns suggesting reconnaissance or exploitation
• Communication with known malicious IPs

Enable from Defender for Cloud → Environment settings → select subscription → enable App Service plan.

Defense in Depth Strategy

No single security control is sufficient. Apply a defense-in-depth strategy that layers multiple controls so that the failure of any single layer does not expose the service to attack. For Azure App Service, this means combining network isolation, identity verification, encryption, monitoring, and incident response capabilities.

At the network layer, restrict access to only the networks that legitimately need to reach the service. Use Private Endpoints to eliminate public internet exposure entirely. Where public access is required, use IP allowlists, service tags, and Web Application Firewall (WAF) rules to limit the attack surface. Configure network security groups (NSGs) with deny-by-default rules and explicit allow rules only for required traffic flows.

At the identity layer, enforce least-privilege access using Azure RBAC with custom roles when built-in roles are too broad. Use Managed Identities for service-to-service authentication to eliminate stored credentials. Enable Conditional Access policies to require multi-factor authentication and compliant devices for administrative access.

At the data layer, enable encryption at rest using customer-managed keys (CMK) in Azure Key Vault when the default Microsoft-managed keys do not meet your compliance requirements. Enforce TLS 1.2 or higher for data in transit. Enable purge protection on any service that supports soft delete to prevent malicious or accidental data destruction.

At the monitoring layer, enable diagnostic logging and route logs to a centralized Log Analytics workspace. Configure Microsoft Sentinel analytics rules to detect suspicious access patterns, privilege escalation attempts, and data exfiltration indicators. Set up automated response playbooks that can isolate compromised resources without human intervention during off-hours.

Continuous Security Assessment

Security hardening is not a one-time activity. Azure services evolve continuously, introducing new features, deprecating old configurations, and changing default behaviors. Schedule quarterly security reviews to reassess your hardening posture against the latest Microsoft security baselines.

Use Microsoft Defender for Cloud’s Secure Score as a quantitative measure of your security posture. Track your score over time and investigate any score decreases, which may indicate configuration drift or new recommendations from updated security baselines. Set a target Secure Score and hold teams accountable for maintaining it.

Subscribe to Azure update announcements and security advisories to stay informed about changes that affect your security controls. When Microsoft introduces a new security feature or changes a default behavior, assess the impact on your environment and update your hardening configuration accordingly. Automate this assessment where possible using Azure Policy to continuously evaluate your resources against your security standards.

Conduct periodic penetration testing against your Azure environment. Azure’s penetration testing rules of engagement allow testing without prior notification to Microsoft for most services. Engage a qualified security testing firm to assess your Azure App Service deployment using the same techniques that real attackers would employ. The findings from these tests often reveal gaps that automated compliance scans miss.

Hardening Checklist

1. Network: Private endpoints or access restrictions on both main and SCM sites
2. VNet integration: Route all outbound through VNet with WEBSITE_VNET_ROUTE_ALL=1
3. Authentication: Enable built-in auth; disable anonymous access
4. TLS: Minimum TLS 1.2; HTTPS only; consider mTLS for APIs
5. Secrets: Key Vault references for all secrets; managed identity for service connections
6. FTP/Debug: Disable FTP and remote debugging
7. SCM: Disable basic auth on SCM and FTP publishing credentials
8. CORS: Explicit origins only; no wildcards
9. Runtime: Latest framework version; 64-bit; HTTP/2
10. Monitoring: Diagnostic logs to Log Analytics; Defender for App Service enabled

For more details, refer to the official documentation: App Service overview.