It this possible to run an authenticated DAST scan against SPA - single page application (webapp in Azure)?
The application is relying on Azure AD to perform auth-z/auth-n and token retrievel.
The account/user which will be used for scanning does NOT have MFA enabled.
Yes, it is possible to run an authenticated DAST (Dynamic Application Security Testing) scan against a Single Page Application (SPA) that is protected by Azure Active Directory (AD) for authentication and authorization.
However, you will need to take into consideration a few things:
Ensure that the user account you are using for the scan has the necessary permissions to access the application and perform the scan.
You will need to provide the authentication credentials for the user account to the DAST tool so that it can perform the scan as an authenticated user.
You may also need to configure the DAST tool to pass the token obtained from Azure AD during authentication to access the application.
As the user account does not have multi-factor authentication (MFA) enabled, be aware that this may introduce security risks, especially if the account has elevated permissions.
Finally, make sure to review the policies and terms of use of your Azure AD and the SPA to ensure that running an authenticated DAST scan is allowed.
By following these considerations, you should be able to successfully run an authenticated DAST scan against your SPA protected by Azure AD.