Function app should have client certificate enabled

Maheswararaju P 11 Reputation points
2022-06-09T12:09:48.437+00:00

Hi All,

I am trying to remediate one of the Defender for Cloud recommendations (Function app should have client certificate enabled). I am curious to know if anybody has enabled this using a custom deployIfNotExists policy, and whether any business impact occurred due to enabling this setting.

Looking forward to your kind response.

Thank you,
Raj.


3 answers

  1. Monalla-MSFT 13,046 Reputation points
    2022-06-13T14:45:47.157+00:00

    @Maheswararaju P - Thanks for reaching out and apologies for the delay in responding to your query.

    It shouldn't have any impact if you enable the custom deployIfNotExists policy.

    And I see that you have raised a similar question in the forum, hence I am reiterating the response here for a broader audience:

    Looks like you need to update the policy to accommodate the condition that the policy should not be applied to consumption-hosted Linux function apps.

    Please take a look at this portal reference for more details: ms.portal.azure.com

    It's nearly the same policy: policy-reference

    with the name Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'

    Hope this helps, and please feel free to reach out if you have any further questions.

    ------------------------------------------------------------------

    If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.


  2. Maheswararaju P 11 Reputation points
    2022-06-15T17:24:27.85+00:00

    Hi @Monalla-MSFT ,

    Thanks for writing back and my apologies for the late response.

    This policy is working well to identify non-compliant Windows function apps.

    {
      "displayName": "Function App should have client certificate enabled",
      "policyType": "Custom",
      "mode": "Indexed",
      "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.",
      "metadata": {
        "version": "1.0.1",
        "category": "App Service"
      },
      "parameters": {
        "effect": {
          "type": "String",
          "metadata": {
            "displayName": "Effect",
            "description": "Enable or disable the execution of the policy"
          },
          "allowedValues": [
            "DeployIfNotExists",
            "Disabled"
          ],
          "defaultValue": "DeployIfNotExists"
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Web/sites"
            },
            {
              "field": "kind",
              "like": "functionapp"
            }
          ]
        },
        "then": {
          "effect": "[parameters('effect')]",
          "details": {
            "type": "Microsoft.Web/sites",
            "name": "[field('name')]",
            "existenceCondition": {
              "field": "Microsoft.Web/sites/clientCertEnabled",
              "equals": true
            },
            "evaluationDelay": "AfterProvisioningSuccess",
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
            ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "parameters": {
                  "name": {
                    "value": "[field('name')]"
                  },
                  "location": {
                    "value": "[field('location')]"
                  }
                },
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "name": {
                      "type": "string"
                    },
                    "location": {
                      "type": "string"
                    }
                  },
                  "resources": [
                    {
                      "name": "[parameters('name')]",
                      "type": "Microsoft.Web/sites",
                      "location": "[parameters('location')]",
                      "apiVersion": "2018-11-01",
                      "properties": {
                        "clientCertEnabled": true
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      },
      "name": "Enforce-FncApp-ClintCert"
    }

    Second, as you said, I have tried by creating a test Linux function app, with the kind property as functionapp* and the App Service plan as Premium (EP1), and it is working fine to identify non-compliant Linux function apps.

    {
      "displayName": "Function App should have client certificate enabled",
      "policyType": "Custom",
      "mode": "Indexed",
      "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.",
      "metadata": {
        "version": "1.0.1",
        "category": "App Service"
      },
      "parameters": {
        "effect": {
          "type": "String",
          "metadata": {
            "displayName": "Effect",
            "description": "Enable or disable the execution of the policy"
          },
          "allowedValues": [
            "DeployIfNotExists",
            "Disabled"
          ],
          "defaultValue": "DeployIfNotExists"
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Web/sites"
            },
            {
              "field": "kind",
              "like": "functionapp*"
            }
          ]
        },
        "then": {
          "effect": "[parameters('effect')]",
          "details": {
            "type": "Microsoft.Web/sites",
            "name": "[field('name')]",
            "existenceCondition": {
              "field": "Microsoft.Web/sites/clientCertEnabled",
              "equals": true
            },
            "evaluationDelay": "AfterProvisioningSuccess",
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
            ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "parameters": {
                  "name": {
                    "value": "[field('name')]"
                  },
                  "location": {
                    "value": "[field('location')]"
                  }
                },
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "name": {
                      "type": "string"
                    },
                    "location": {
                      "type": "string"
                    }
                  },
                  "resources": [
                    {
                      "name": "[parameters('name')]",
                      "type": "Microsoft.Web/sites",
                      "location": "[parameters('location')]",
                      "apiVersion": "2018-11-01",
                      "properties": {
                        "clientCertEnabled": true
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      },
      "name": "Enforce-FncApp-ClintCert"
    }

    But the strange thing is that the second one is not able to identify Windows function apps, although I have given the function app kind as functionapp*. Please correct me if I am wrong, or add your inputs if there is any common policy to identify both Windows and Linux function apps.


  3. Maheswararaju P 11 Reputation points
    2022-06-17T07:32:30.737+00:00

    Hi All,

    I have verified the below code and it is working fine. This policy is able to identify the non-compliant Windows and Linux function app resources. If needed, you can use this.

    {
      "displayName": "Function App should have client certificate enabled",
      "policyType": "Custom",
      "mode": "Indexed",
      "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.",
      "metadata": {
        "version": "1.0.1",
        "category": "App Service"
      },
      "parameters": {
        "effect": {
          "type": "String",
          "metadata": {
            "displayName": "Effect",
            "description": "Enable or disable the execution of the policy"
          },
          "allowedValues": [
            "DeployIfNotExists",
            "Disabled"
          ],
          "defaultValue": "DeployIfNotExists"
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Web/sites"
            },
            {
              "field": "kind",
              "like": "functionapp*"
            }
          ]
        },
        "then": {
          "effect": "[parameters('effect')]",
          "details": {
            "type": "Microsoft.Web/sites",
            "name": "[field('name')]",
            "existenceCondition": {
              "field": "Microsoft.Web/sites/clientCertEnabled",
              "equals": true
            },
            "evaluationDelay": "AfterProvisioningSuccess",
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
            ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "parameters": {
                  "name": {
                    "value": "[field('name')]"
                  },
                  "location": {
                    "value": "[field('location')]"
                  }
                },
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "name": {
                      "type": "string"
                    },
                    "location": {
                      "type": "string"
                    }
                  },
                  "resources": [
                    {
                      "name": "[parameters('name')]",
                      "type": "Microsoft.Web/sites",
                      "location": "[parameters('location')]",
                      "apiVersion": "2018-11-01",
                      "properties": {
                        "clientCertEnabled": true
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      },
      "name": "Enforce-FncApp-ClintCert"
    }

    If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.
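Added example, not part of the thread and not Microsoft's code: a small Python simulation of how Azure Policy evaluates the posted definition's `if` block (type plus `kind` `like`) and its `existenceCondition` on `clientCertEnabled`, run against constructed site records. It shows why `"like": "functionapp"` (no wildcard, so it behaves like `equals`) skips Linux function apps, whose kind is `functionapp,linux`, while `functionapp*` covers both; the `skip_linux_consumption` flag is an assumed modelling of the Linux-Consumption exclusion the first answer recommends, and the `kind`/SKU values are assumed from App Service conventions.

```python
"""Added example (not from the thread): simulate how Azure Policy evaluates the
posted definition's `if` block and `existenceCondition` offline."""
import re

# Constructed inventory (not real resources). kind values follow App Service
# conventions (Linux function apps report "functionapp,linux"); sku "Dynamic"
# is the Consumption plan, "EP1" is Elastic Premium.
SITES = [
    {"name": "fa-win-01", "type": "Microsoft.Web/sites", "kind": "functionapp",
     "sku": "EP1", "clientCertEnabled": False},
    {"name": "fa-win-02", "type": "Microsoft.Web/sites", "kind": "functionapp",
     "sku": "Dynamic", "clientCertEnabled": True},
    {"name": "fa-lin-01", "type": "Microsoft.Web/sites", "kind": "functionapp,linux",
     "sku": "EP1", "clientCertEnabled": False},
    {"name": "fa-lin-dyn", "type": "Microsoft.Web/sites", "kind": "functionapp,linux",
     "sku": "Dynamic", "clientCertEnabled": False},
    {"name": "web-01", "type": "Microsoft.Web/sites", "kind": "app",
     "sku": "S1", "clientCertEnabled": False},
]

def policy_like(value: str, pattern: str) -> bool:
    """Azure Policy `like`: case-insensitive, a single `*` matches any run of
    characters; a pattern with no `*` therefore behaves like `equals`."""
    if pattern.count("*") > 1:
        raise ValueError("Azure Policy 'like' allows a single wildcard")
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def evaluate(kind_pattern: str, sites: list, skip_linux_consumption: bool = False) -> list:
    """Names of sites the `if` block targets whose existenceCondition
    (clientCertEnabled == true) is unmet: what DeployIfNotExists would remediate.
    skip_linux_consumption is an assumed exclusion modelling the first answer's
    advice not to apply the policy to Consumption-hosted Linux function apps."""
    non_compliant = []
    for site in sites:
        targeted = (site["type"] == "Microsoft.Web/sites"
                    and policy_like(site["kind"], kind_pattern))
        if skip_linux_consumption and "linux" in site["kind"].lower() \
                and site["sku"] == "Dynamic":
            targeted = False
        if targeted and not site["clientCertEnabled"]:
            non_compliant.append(site["name"])
    return non_compliant

if __name__ == "__main__":
    for pattern in ("functionapp", "functionapp*"):
        print(f'"like": "{pattern}" -> non-compliant: {evaluate(pattern, SITES)}')
    print("with Linux Consumption excluded:",
          evaluate("functionapp*", SITES, skip_linux_consumption=True))
```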
