Control: 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app.
As default, incoming client certificates is set to Ignore.
- Login to Azure Portal and go to
- Click on each App.
Settingssection, click on
- Go to
- Set the option
Client certificate modelocated under
Incoming client certificatesis set to
From Command Line
To set Incoming client certificates value for an existing app:
az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> -- set clientCertEnabled=true
steampipe check azure_compliance.control.cis_v130_9_4
This control uses a named query:appservice_web_app_incoming_client_cert_on