Which App Service Plan Tiers Support Client Certificate Authentication?
For your AZ-500 exam, it’s essential to know that client certificate authentication is available on the Basic, Standard, Premium, and Isolated App Service Plan tiers. Understand which plans support this feature and how it enhances web app security.
Question
You can bind client certificates to which App Service Plan tiers?
A. Isolated only
B. Premium only
C. Standard or Premium
D. Basic, Standard, Premium, or Isolated
Answer
D. Basic, Standard, Premium, or Isolated
Explanation
The correct answer is D. Client certificate authentication is supported on the Basic, Standard, Premium, and Isolated App Service Plan tiers, but it is not available on the Free or Shared tiers.
App Service supports client certificates on Basic, Standard, Premium, or Isolated tiers.
Client Certificate Authentication (mTLS)
Client certificate authentication, also known as mutual TLS (mTLS), is a security feature where both the client and the server present certificates to prove their identities to each other. In a standard TLS connection, only the server presents a certificate. With mTLS, your App Service web app can require connecting clients to present a valid certificate, providing a much stronger authentication mechanism than passwords or tokens alone.
App Service Plan Tier Support
The availability of this feature is directly related to the underlying infrastructure provided by each App Service Plan tier.
- Supported Tiers (Basic, Standard, Premium, Isolated): These tiers provide dedicated compute resources (virtual machine instances) for your applications. This dedicated infrastructure allows for the configuration of advanced networking features like client certificate authentication at the front-end load balancer that serves your app.
- Unsupported Tiers (Free, Shared): These tiers run on a shared, multi-tenant infrastructure where resources are used by many different customers. The networking configuration is standardized and cannot be customized on a per-app basis to require client certificates. Therefore, this feature is disabled on the Free and Shared tiers.
Configuration in App Service
Enabling client certificate authentication is a straightforward process for supported tiers.
- In the Azure portal, navigate to your web app’s configuration settings.
- Set the “Client certificate mode” (clientCertEnabled property) to Require.
- Once enabled, the App Service front end will request a client certificate during the TLS handshake.
- If a client provides a certificate, App Service forwards it to your application code via the X-ARR-ClientCert request header.
It is then the responsibility of your application code to inspect this certificate’s thumbprint, issuer, and other properties to validate the client’s identity and make an authorization decision.
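The thumbprint part of that check, as an added Python example (not code from this page or from Microsoft). It assumes the header value is the base64-encoded DER certificate and that request headers arrive as a plain dict; the function names and sample bytes are hypothetical. Issuer and validity-period checks need an X.509 parser and are not shown.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed stand-in bytes, NOT a real certificate: a thumbprint is a hash
# over the DER encoding, so any byte string exercises this code path.
SAMPLE_DER = b"\x30\x82\x01\x0aconstructed-sample-not-a-real-certificate"
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")


def normalize_thumbprint(value):
    """Upper-case hex without the spaces or colons certificate tools print."""
    return "".join(ch for ch in value if ch not in " :").upper()


def thumbprint_from_header(header_value):
    """Return the SHA-1 thumbprint of the certificate in X-ARR-ClientCert,
    or None when the header is missing, empty, or not valid base64."""
    if not header_value:
        return None
    try:
        der = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not der:
        return None
    return hashlib.sha1(der).hexdigest().upper()


def is_authorized(headers, allowed_thumbprints):
    """Fail closed: allow only when the presented thumbprint is allowlisted.
    Assumption: `headers` is a dict keyed by the exact header name."""
    presented = thumbprint_from_header(headers.get("X-ARR-ClientCert"))
    if presented is None:
        return False
    allowed = [normalize_thumbprint(t) for t in allowed_thumbprints]
    # Compare against every entry in constant time rather than stopping early.
    matches = [hmac.compare_digest(presented.encode(), a.encode())
               for a in allowed]
    return any(matches)
```

A thumbprint match alone does not show that the certificate is unexpired or issued by a trusted CA, so production code should pair this check with the issuer and validity checks described above.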