App Service web apps should have ‘Incoming client certificates’ enabled


Enabling incoming client certificates makes the app request a certificate on incoming requests. Only clients that have a valid certificate will be able to reach the app.

Remediation Steps

Azure Portal

  • Navigate to App Services.

  • Select your App Service.

  • In the left navigation, select Configuration.

  • Select General settings.

  • In Client certificate mode, select Require and click Save.

Azure CLI

  • To enable incoming client certificates:

az webapp update --set clientCertEnabled=true --name <app_name> --resource-group <group_name>
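To confirm the remediation across a subscription, the added example below (not part of the original page) audits JSON shaped like the output of `az webapp list --output json`. The portal steps set the mode to Require while the CLI command only sets `clientCertEnabled`, so the script checks both; the `clientCertMode` and `clientCertExclusionPaths` field names, the path delimiter and the sample apps are assumptions made for the example.

```python
import json
import re

# Constructed sample shaped like `az webapp list --output json` (not real apps).
# Field names clientCertMode / clientCertExclusionPaths are assumptions.
SAMPLE = json.loads("""[
  {"name": "api-prod", "resourceGroup": "rg-prod", "clientCertEnabled": true,
   "clientCertMode": "Required", "clientCertExclusionPaths": null},
  {"name": "web-legacy", "resourceGroup": "rg-legacy", "clientCertEnabled": false,
   "clientCertMode": "Required", "clientCertExclusionPaths": null},
  {"name": "portal", "resourceGroup": "rg-prod", "clientCertEnabled": true,
   "clientCertMode": "Optional", "clientCertExclusionPaths": null},
  {"name": "partner-api", "resourceGroup": "rg-b2b", "clientCertEnabled": true,
   "clientCertMode": "Required", "clientCertExclusionPaths": "/health,/public"}
]""")


def audit_app(app):
    """Return a list of findings for one web app record; empty means compliant."""
    if not app.get("clientCertEnabled"):
        # Missing or false both mean no certificate is requested, whatever the mode says.
        return ["client certificates disabled"]
    findings = []
    mode = app.get("clientCertMode") or "unknown"
    if mode.lower() != "required":
        findings.append(f"mode is {mode}: certificate requested but not required")
    # Exclusion paths skip the certificate check; delimiter (',' or ';') is assumed.
    raw = app.get("clientCertExclusionPaths") or ""
    paths = [p.strip() for p in re.split(r"[,;]", raw) if p.strip()]
    if paths:
        findings.append("paths exempt from certificate check: " + ", ".join(paths))
    return findings


def audit(apps):
    """Map 'resourceGroup/name' to findings, listing only non-compliant apps."""
    report = {}
    for app in apps:
        findings = audit_app(app)
        if findings:
            report[f"{app.get('resourceGroup')}/{app.get('name')}"] = findings
    return report


if __name__ == "__main__":
    for app_id, findings in audit(SAMPLE).items():
        print(app_id, "->", "; ".join(findings))
```

To run it against real data, replace `SAMPLE` with the parsed JSON saved from the CLI.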


Example Configuration

resource "azurerm_app_service" "example" {
  # Request a client certificate on incoming requests
  client_cert_enabled = true

  # other required fields here
}