Skip to content

Governance Policies Security Authentication

Joshua Davis edited this page Apr 5, 2026 · 3 revisions

Authentication

Governance policies for Authentication

Domain: security

Patterns

Name Description
Managed identity for service-to-service Use managed identity to avoid storing credentials
Key Vault for external secrets Store third-party API keys or connection strings in Key Vault

Anti-Patterns

Description Instead
Do not embed API keys or passwords in application source code Use managed identity for Azure services or Key Vault for external secrets
Do not assign Owner or Contributor roles at subscription or resource group scope Use the most specific built-in role at the narrowest scope possible

References


Checks (3)

Check Severity Description
WAF-SEC-AUTH-001 Required Never hardcode credentials, API keys, or secrets in source code, config files, or environment variables
WAF-SEC-AUTH-002 Recommended Assign least-privilege RBAC roles for all service principals and user accounts
WAF-SEC-AUTH-003 Recommended Prefer app registrations with scoped permissions over shared API keys for client authentication

WAF-SEC-AUTH-001

Never hardcode credentials, API keys, or secrets in source code, config files, or environment variables

Severity: Required
Rationale: Hardcoded secrets leak through source control, logs, and error messages
Agents: cloud-architect, app-developer, csharp-developer, python-developer, terraform-agent, bicep-agent, biz-analyst

Targets

  • Microsoft.App/containerApps
  • Microsoft.Web/sites
  • Microsoft.ApiManagement/service
  • Microsoft.Sql/servers/databases
  • Microsoft.DocumentDB/databaseAccounts
  • Microsoft.Storage/storageAccounts
  • Microsoft.KeyVault/vaults
  • Microsoft.Cache/redis
  • Microsoft.DBforPostgreSQL/flexibleServers
  • Microsoft.DBforMySQL/flexibleServers
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • Microsoft.CognitiveServices/accounts
  • Microsoft.Search/searchServices
  • Microsoft.ContainerRegistry/registries
  • Microsoft.ContainerService/managedClusters

WAF-SEC-AUTH-002

Assign least-privilege RBAC roles for all service principals and user accounts

Severity: Recommended
Rationale: Principle of least privilege limits blast radius of compromised credentials
Agents: cloud-architect, terraform-agent, bicep-agent, biz-analyst

Targets

  • Microsoft.App/containerApps
  • Microsoft.Web/sites
  • Microsoft.ApiManagement/service
  • Microsoft.Sql/servers/databases
  • Microsoft.DocumentDB/databaseAccounts
  • Microsoft.Storage/storageAccounts
  • Microsoft.KeyVault/vaults
  • Microsoft.Cache/redis
  • Microsoft.DBforPostgreSQL/flexibleServers
  • Microsoft.DBforMySQL/flexibleServers
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • Microsoft.CognitiveServices/accounts
  • Microsoft.Search/searchServices
  • Microsoft.ContainerRegistry/registries
  • Microsoft.ContainerService/managedClusters

WAF-SEC-AUTH-003

Prefer app registrations with scoped permissions over shared API keys for client authentication

Severity: Recommended
Rationale: App registrations support scoped permissions, token expiry, and audit logging
Agents: cloud-architect, app-developer, csharp-developer, python-developer, biz-analyst

Targets

  • Microsoft.App/containerApps
  • Microsoft.Web/sites
  • Microsoft.ApiManagement/service
  • Microsoft.Sql/servers/databases
  • Microsoft.DocumentDB/databaseAccounts
  • Microsoft.Storage/storageAccounts
  • Microsoft.KeyVault/vaults
  • Microsoft.Cache/redis
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • Microsoft.CognitiveServices/accounts
  • Microsoft.Search/searchServices

Home

Getting Started

Stages

Interfaces

Configuration

Agent System

Features

Quality

Help

Governance

Policies — Azure

AI Services

Compute

Data Services

Identity

Management

Messaging

Monitoring

Networking

Security

Storage

Web & App

Policies — Well-Architected

Reliability

Security

Cost Optimization

Operational Excellence

Performance Efficiency

Integration

Anti-Patterns
Standards

Application

IaC

Principles

Transforms

Clone this wiki locally