diff --git a/devops/azure/chart/templates/deployment.yaml b/devops/azure/chart/templates/deployment.yaml
index e91ce1e02c67acc72b1183660b5bd52c9bc3aae5..88d1cd931a3a5b51b6724669b61d7e6962933476 100644
--- a/devops/azure/chart/templates/deployment.yaml
+++ b/devops/azure/chart/templates/deployment.yaml
@@ -118,3 +118,5 @@ spec:
value: http://entitlements-azure/entitlements/v1
- name: entitlements_service_api_key
value: "OBSOLETE"
+ - name: azure_istioauth_enabled
+ value: "true"
diff --git a/provider/legal-azure/README.md b/provider/legal-azure/README.md
index 9154f0013c4d45c8821c75ef7c3673b6668fdb35..5f4f747f5c3d1371f726679da7c23d575cd75c27 100644
--- a/provider/legal-azure/README.md
+++ b/provider/legal-azure/README.md
@@ -60,6 +60,7 @@ az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NA
| `AZURE_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-tenant-id` |
| `AZURE_CLIENT_SECRET` | `********` | Secret for `$AZURE_CLIENT_ID` | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-password` |
| `appinsights_key` | `********` | API Key for App Insights | yes | output of infrastructure deployment |
+| `azure_istioauth_enabled` | `true` | Flag to Disable AAD auth | no | -- |
**Required to run integration tests**
diff --git a/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java
index 1c96f3deff490025c1e2ddc8c8e8575d9ebb2882..cd284dfe01d92b24c5d040c1d90b8297d06975f7 100644
--- a/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java
+++ b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AADSecurityConfig.java
@@ -15,18 +15,22 @@
package org.opengroup.osdu.legal.azure.security;
import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.parameters.P;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.inject.Inject;
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
+@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "false", matchIfMissing = false)
public class AADSecurityConfig extends WebSecurityConfigurerAdapter {
+
@Inject
private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter;
diff --git a/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AzureIstioSecurityConfig.java b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AzureIstioSecurityConfig.java
new file mode 100644
index 0000000000000000000000000000000000000000..2de6575c262f49d71fa75ae25a1466e762275b66
--- /dev/null
+++ b/provider/legal-azure/src/main/java/org/opengroup/osdu/legal/azure/security/AzureIstioSecurityConfig.java
@@ -0,0 +1,35 @@
+// Copyright © Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.opengroup.osdu.legal.azure.security;
+
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "true", matchIfMissing = true)
+public class AzureIstioSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.httpBasic().disable()
+ .csrf().disable(); //AuthN is disabled. AuthN is handled by sidecar proxy
+ }
+}
diff --git a/provider/legal-azure/src/main/resources/application.properties b/provider/legal-azure/src/main/resources/application.properties
index 6744890ff4e6ad7db6ab7973f9ae3d0519cfaf4a..f4835b67e3187e457a1384351083981b4f92a29d 100644
--- a/provider/legal-azure/src/main/resources/application.properties
+++ b/provider/legal-azure/src/main/resources/application.properties
@@ -21,10 +21,14 @@ AUTHORIZE_API_KEY=${entitlements_service_api_key}
LEGAL_HOSTNAME=notused
CRON_JOB_IP=10.0.0.1
-# Azure AD configuration for OpenIDConnect
-azure.activedirectory.session-stateless=true
-azure.activedirectory.client-id=${aad_client_id}
-azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id}
+# Azure AD configuration for OpenIDConnect, commented below settings to disable AAD AuthN ,
+# Uncomment it In the Istio AUTHN disabled Scenario
+#azure.activedirectory.session-stateless=true
+#azure.activedirectory.client-id=${aad_client_id}
+#azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id}
+
+# Istio Auth Enabled
+azure.istio.auth.enabled=${azure_istioauth_enabled}
# Azure CosmosDB configuration
azure.cosmosdb.database=${cosmosdb_database}
@@ -49,4 +53,4 @@ spring.application.name=legal-azure
#logging configuration
logging.transaction.enabled=true
-logging.slf4jlogger.enabled=true
\ No newline at end of file
+logging.slf4jlogger.enabled=true