Sitecore hardening using Azure App Authentication


With Azure App Service Authentication it is easy to secure your app with an identity provider. The steps to take are described on the following page: .

To secure only certain URL paths (rather than the whole site), the option "Action to take when request is not authenticated" must be set to "Allow request (no action)", so that the per-path policies in authorization.json decide what happens to unauthenticated requests.

When you have followed the instructions above, the next step is to create an authorization.json file with the following content:

{
  "routes": [
    { "path_prefix": "/",                 "policies": { "unauthenticated_action": "AllowAnonymous" } },
    { "path_prefix": "/sitecore/service", "policies": { "unauthenticated_action": "AllowAnonymous" } },
    { "path_prefix": "/sitecore/api",     "policies": { "unauthenticated_action": "AllowAnonymous" } },
    { "path_prefix": "/sitecore/client",  "policies": { "unauthenticated_action": "AllowAnonymous" } },
    { "path_prefix": "/sitecore",         "policies": { "unauthenticated_action": "RedirectToLoginPage" } }
  ]
}

Once you have uploaded the file you can restart the app to activate the authentication. More information on applying specific access policies to specific URL paths can be found here:

After applying the JSON file and policies you will be asked to authenticate with the identity provider when you try to access the path https://YOURWEBSITE/sitecore/ . All other paths, including the /sitecore/service, /sitecore/api and /sitecore/client prefixes listed above, remain reachable without authentication because their unauthenticated_action is set to AllowAnonymous.
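The following script is an added example, not part of the original post and not Azure's own evaluation code. It models how the routes in the authorization.json above map request paths to an unauthenticated_action, so that you can review which paths stay anonymously reachable before restarting the app. Two assumptions are built in and labelled in the code: the most specific (longest) matching path_prefix wins, which is the only evaluation order consistent with the behaviour described above, and prefixes are compared case-insensitively. The sample request paths are constructed for the demonstration; verify the real behaviour against the deployed app rather than trusting the model.

```python
import json
from typing import Dict, List

# Constructed copy of the authorization.json from the post, with straight quotes
# so that it parses as JSON.
AUTHORIZATION_JSON = """
{
  "routes": [
    { "path_prefix": "/",                 "policies": { "unauthenticated_action": "AllowAnonymous" } },
    { "path_prefix": "/sitecore/service", "policies": { "unauthenticated_action": "AllowAnonymous" } },
    { "path_prefix": "/sitecore/api",     "policies": { "unauthenticated_action": "AllowAnonymous" } },
    { "path_prefix": "/sitecore/client",  "policies": { "unauthenticated_action": "AllowAnonymous" } },
    { "path_prefix": "/sitecore",         "policies": { "unauthenticated_action": "RedirectToLoginPage" } }
  ]
}
"""


def load_routes(text: str) -> List[Dict]:
    """Parse the routes array and reject entries missing the fields the post relies on."""
    doc = json.loads(text)
    routes = doc.get("routes")
    if not isinstance(routes, list) or not routes:
        raise ValueError("authorization.json must contain a non-empty 'routes' array")
    for route in routes:
        prefix = route.get("path_prefix", "")
        action = route.get("policies", {}).get("unauthenticated_action")
        if not prefix.startswith("/"):
            raise ValueError(f"path_prefix must start with '/': {prefix!r}")
        if action not in ("AllowAnonymous", "RedirectToLoginPage"):
            raise ValueError(f"unexpected unauthenticated_action {action!r} for {prefix!r}")
    return routes


def effective_action(path: str, routes: List[Dict]) -> str:
    """Return the unauthenticated_action that applies to one request path.

    Assumption (not taken from the post): the longest matching path_prefix wins,
    and matching is case-insensitive as IIS paths are. Confirm both against the
    deployed app.
    """
    request = path.lower()
    best = None
    for route in routes:
        prefix = route["path_prefix"].lower()
        if request.startswith(prefix) and (best is None or len(prefix) > len(best["path_prefix"])):
            best = route
    if best is None:
        raise ValueError(f"no route matches {path!r}")  # cannot happen while "/" is listed
    return best["policies"]["unauthenticated_action"]


def anonymous_surface(routes: List[Dict], candidate_paths: List[str]) -> List[str]:
    """List the candidate paths an unauthenticated client can still reach."""
    return [p for p in candidate_paths if effective_action(p, routes) == "AllowAnonymous"]


def anonymous_exceptions_under(prefix: str, routes: List[Dict]) -> List[str]:
    """Return the AllowAnonymous prefixes that carve holes out of a protected prefix.

    Run this after every edit of the file: each returned prefix is a path the
    identity provider is never consulted for.
    """
    protected = prefix.lower()
    return sorted(
        r["path_prefix"] for r in routes
        if r["path_prefix"].lower().startswith(protected)
        and r["path_prefix"].lower() != protected
        and r["policies"]["unauthenticated_action"] == "AllowAnonymous"
    )


if __name__ == "__main__":
    routes = load_routes(AUTHORIZATION_JSON)
    # Constructed sample request paths for the demonstration.
    samples = ["/", "/sitecore/", "/sitecore/login", "/Sitecore/shell/",
               "/sitecore/api/ssc/", "/sitecore/service/", "/sitecore/client/"]
    for p in samples:
        print(f"{p:24} -> {effective_action(p, routes)}")
    print("anonymous holes under /sitecore:", anonymous_exceptions_under("/sitecore", routes))
```

The check worth keeping is anonymous_exceptions_under: it makes explicit that the three sub-prefixes override the redirect on /sitecore, which is exactly the surface the identity provider does not protect.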

Once you have validated your identity you will see the Sitecore login screen, where you can log in with your Sitecore user credentials. The problem from this point on, however, seems to be that some required headers have been lost.

For example, __RequestVerificationToken is no longer present. I have opened a ticket with Sitecore to resolve this issue, since this blocks us from implementing App Service Authentication just yet. To be continued.