Audit Azure App Service in your tenant

There are several ways to extract information about the Azure App Service resources in your environment. You can use Resource Graph Explorer, Azure CLI, Azure PowerShell or the Azure REST API. Which tool fits best depends on the information you want to extract.

This article provides some notes on using PowerShell with the AzureRm module to achieve this goal.

The Azure PowerShell AzureRm module will be deprecated in the future. Microsoft recommends that you switch over to the Az module. (


This script has been tested successfully with the following modules:


What exactly do you need to know about your Azure App Service resources from a security posture perspective? Below is a list of the things you would need to know:

  • Common information: resource group, location, web app name, state, subscription name (in case you’d like to extract info across all subscriptions)
  • App Service Plan: not all plans support backup and SSL, so having this info helps you decide whether to upgrade the plan.
  • HttpsOnly: to verify whether your web app has HttpsOnly enabled. It should always be HTTPS only.
  • minTlsVersion: to verify whether your web app is using a non-compliant or out-of-date TLS version.
  • ftpsState: to verify whether your web app allows only FTPS (FTP over SSL) rather than insecure plain FTP.
  • Framework version: .NET Framework, PHP, Python, Node, to verify whether a web app hosted in a server farm is running a vulnerable version.


All of the information above cannot be extracted with a single cmdlet such as Get-AzureRmWebApp. For example, to get App Service Plan info you need Get-AzureRmAppServicePlan.

For configuration settings like minTlsVersion there is a trick. If you read the SiteConfig property of the web app object you will get nothing for these settings. See the sample below:

$webAppName = "azsec"
$webAppRg = "azsec-web-rg"
$webApp = Get-AzureRmWebApp -Name $webAppName -ResourceGroupName $webAppRg

The result of this code snippet is missing much of the information, such as MinTlsVersion or FtpsState:

ManagedServiceIdentityId     :
XManagedServiceIdentityId    :
IpSecurityRestrictions       :
Http20Enabled                :
MinTlsVersion                :
FtpsState                    :
ReservedInstanceCount        :

The real reason is that this configuration is not actually stored in the SiteConfig property. It is stored in a separate resource type named Microsoft.Web/sites/config. Take a look at the following code snippet:

$webAppName = "azsec"
$webAppRg = "azsec-web-rg"
$webApp = Get-AzureRmWebApp -Name $webAppName -ResourceGroupName $webAppRg

$config = Get-AzureRmResource -ResourceGroupName $webApp.ResourceGroup `
                               -ResourceType "Microsoft.Web/sites/config" `
                               -ResourceName "$($webApp.Name)/web" `
                               -apiVersion 2016-08-01

Note that you do need to specify the API version explicitly.

The result gives you the information you need:

http20Enabled                          : False
minTlsVersion                          : 1.2
ftpsState                              : AllAllowed
reservedInstanceCount                  : 0
preWarmedInstanceCount                 :
healthCheckPath                        :
fileChangeAuditEnabled                 : False
functionsRuntimeScaleMonitoringEnabled : False

If you need more info, simply read $config.Properties.{config_name}, where {config_name} is the setting you are interested in.
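The following script is an added example, not the script linked from this post, that puts the pieces above together: it walks every subscription the signed-in account can read, joins each web app with its App Service Plan, reads the Microsoft.Web/sites/config resource for the security settings, and flags the weak ones. It assumes the AzureRm module is loaded, that Login-AzureRmAccount has already been run, and that TLS 1.2 is your compliance floor; the output file name and the property names under $config.Properties are taken from the post, everything else is an assumption of this example.

```powershell
# Added example (not the original post's script): audit every App Service web app
# in every subscription the current login can read, and flag weak settings.
# Assumes: AzureRm module loaded, Login-AzureRmAccount already run.

$apiVersion = "2016-08-01"       # Microsoft.Web/sites/config needs an explicit API version
$minimumTls = [version]"1.2"     # compliance floor assumed for this example

$report = foreach ($sub in Get-AzureRmSubscription) {
    Set-AzureRmContext -SubscriptionId $sub.Id | Out-Null

    # With no parameters Get-AzureRmWebApp returns every web app in the subscription
    foreach ($webApp in Get-AzureRmWebApp) {

        # The plan can live in a different resource group than the web app, so derive
        # both from ServerFarmId: /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<name>
        $farmParts = $webApp.ServerFarmId -split '/'
        $plan = Get-AzureRmAppServicePlan -Name $farmParts[-1] -ResourceGroupName $farmParts[4] `
                                          -ErrorAction SilentlyContinue

        # Security-relevant settings are stored in Microsoft.Web/sites/config, not in SiteConfig
        $config = Get-AzureRmResource -ResourceGroupName $webApp.ResourceGroup `
                                      -ResourceType "Microsoft.Web/sites/config" `
                                      -ResourceName "$($webApp.Name)/web" `
                                      -ApiVersion $apiVersion
        $p = $config.Properties

        # Build a list of findings; an empty list means the app passed these checks
        $findings = @()
        if (-not $webApp.HttpsOnly) { $findings += "HttpsOnly disabled" }
        if ($p.minTlsVersion -and [version]$p.minTlsVersion -lt $minimumTls) {
            $findings += "minTlsVersion $($p.minTlsVersion) below $minimumTls"
        }
        if ($p.ftpsState -eq "AllAllowed") { $findings += "plain FTP allowed (ftpsState=AllAllowed)" }

        [pscustomobject]@{
            Subscription  = $sub.Name
            ResourceGroup = $webApp.ResourceGroup
            Name          = $webApp.Name
            Location      = $webApp.Location
            State         = $webApp.State
            PlanTier      = $plan.Sku.Tier
            HttpsOnly     = $webApp.HttpsOnly
            MinTlsVersion = $p.minTlsVersion
            FtpsState     = $p.ftpsState
            NetFramework  = $p.netFrameworkVersion
            Php           = $p.phpVersion
            Python        = $p.pythonVersion
            Node          = $p.nodeVersion
            LinuxFx       = $p.linuxFxVersion
            Findings      = ($findings -join "; ")
        }
    }
}

# Full inventory for later review, plus an on-screen list of only the apps with findings
$report | Export-Csv -Path ".\appservice-audit.csv" -NoTypeInformation
$report | Where-Object { $_.Findings } |
    Format-Table Subscription, Name, PlanTier, HttpsOnly, MinTlsVersion, FtpsState, Findings -AutoSize
```

The framework version columns are exported but not judged automatically, because what counts as "vulnerable" changes over time; keep the CSV and compare those columns against the versions your organisation currently accepts. Apps created before minTlsVersion existed may return an empty value, which is why the TLS check is guarded rather than treated as a failure.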


You can find the script from this link


This entry was posted in Secure Development.

2 Responses to Audit Azure App Service in your tenant

  1. Pingback: Cannot use the SKU Basic with File Change Audit for site »

  2. mac says:

    Can you point me to a script that lists all Az Function apps in all subscriptions with the installed extensions and the version of each extension?
