- Decide on the type of access for your application: public, private, or both.
- Decide on how to authenticate users that need to access your App Service: anonymous, internal corporate users, social accounts, other identity provider, or a mixture of these.
- Decide on whether to use system-assigned or user-assigned managed identities for your App Service when connecting to Microsoft Entra ID-protected backend resources.
- Consider creating custom roles following the principle of least privilege when the out-of-the-box roles would need their existing permissions modified.
- Use App Configuration to share common configuration values that are not passwords, secrets, or keys between applications, microservices, and serverless applications.
- If the App Service requires authentication:
  - If access to the entire App Service needs to be restricted to authenticated users, disable anonymous access.
  - Use the Easy Auth capabilities of App Service instead of writing your own authentication and authorization code.
  - Use separate application registrations for separate slots or environments.
  - If the App Service is intended for internal users only, use client certificate authentication for increased security.
  - If the App Service is intended for external users, use Microsoft Entra ID B2C to authenticate social accounts and Microsoft Entra ID accounts.
- Use Azure built-in roles to provide least privilege permissions to manage App Service Plans and Websites.
- Utilize system-assigned managed identities to securely access Microsoft Entra ID-protected backend resources.
- Ensure that users with access to Production resources in Azure are controlled and limited.
- For automated deployment purposes, set up a service principal that has the minimum permissions required to deploy from the pipeline.
- Review and follow the recommendations outlined in the Identity and Access Control section of the Azure security baseline for App Service.
- Review the documentation on how to connect your application to Azure Cache for Redis.
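As an added worked example (not part of this checklist or of Microsoft's own samples), the Bicep fragment below applies several of the items above to one App Service: a system-assigned managed identity, Easy Auth that rejects anonymous callers, required client certificates for an internal-only app, and a single least-privilege role assignment scoped to the one Key Vault the app reads from. The app name, plan ID, client ID, vault name and the role definition GUID are assumed placeholders to replace with your own values.

```bicep
// Added example, not from the original checklist; names, IDs and the role GUID are assumptions.
param location string = resourceGroup().location
param appName string = 'contoso-api'           // assumed app name
param planId string                             // existing App Service Plan resource ID
param entraClientId string                      // app registration for this slot/environment only
param keyVaultName string                       // backend this app reads secrets from
param secretsUserRoleId string = '4633458b-17de-408a-b874-0445c86b69e6' // built-in Key Vault Secrets User; verify in your tenant

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  identity: { type: 'SystemAssigned' }          // no credential to store or rotate
  properties: {
    serverFarmId: planId
    httpsOnly: true
    clientCertEnabled: true                     // internal-only app: require a client certificate
    clientCertMode: 'Required'
  }
}
// Easy Auth (authsettingsV2): reject anonymous callers instead of hand-written auth code
resource auth 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: app
  name: 'authsettingsV2'
  properties: {
    globalValidation: {
      requireAuthentication: true
      unauthenticatedClientAction: 'Return401'  // fail closed for an API; UIs use RedirectToLoginPage
    }
    identityProviders: {
      azureActiveDirectory: {
        enabled: true
        registration: {
          clientId: entraClientId
          openIdIssuer: 'https://login.microsoftonline.com/${subscription().tenantId}/v2.0'
        }
        validation: { allowedAudiences: [ 'api://${entraClientId}' ] }
      }
    }
  }
}
// Least privilege: the managed identity may only read secrets, and only from this vault
resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = { name: keyVaultName }
resource secretsRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, app.id, secretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Deploy each slot or environment with its own `entraClientId` so registrations are never shared, and grant the deployment pipeline's service principal only the scope this template needs rather than subscription-wide rights.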