Azure App Service Web App Doesn't Have A Managed Service Identity

A managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in connection strings. Once the app is registered with Azure Active Directory through App Service, it can connect to other Azure services securely without needing usernames and passwords.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

Azure App Service Web app doesn't have a Managed Service Identity.
JSON Query:
$.resource.*.azurerm_app_service[*].*[*].identity anyNull
Recommendation:
Recommended solution for making sure the App Service Web app has a Managed Service Identity.
It is recommended that the Azure App Service Web app have a Managed Service Identity. Please make sure your template has an "identity" block defined.
For example:
"azurerm_app_service": [
  {
    "<app_service_name>": [
      {
        "app_service_plan_id": "${azurerm_app_service_plan.example.id}",
        "identity": [
          { "type": "SystemAssigned" }
        ]
      }
    ]
  }
]
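
The build rule above can be reproduced offline against a Terraform JSON document. The following is an added example written for this page, not Prisma Cloud's own rule engine; it assumes the nested list shape shown in the template snippet above (resource -> azurerm_app_service -> name -> body) and treats a missing or empty "identity" block as a finding, which is what "anyNull" reports. The sample document is constructed for illustration.

```python
import json
from typing import Any, Dict, Iterable, List, Tuple

# Constructed sample in the Terraform-JSON shape walked by the policy's query:
#   $.resource.*.azurerm_app_service[*].*[*].identity anyNull
# One web app carries a SystemAssigned identity, the other omits the block.
SAMPLE_TF_JSON = json.dumps({
    "resource": [{
        "azurerm_app_service": [
            {"web-with-msi": [{
                "app_service_plan_id": "${azurerm_app_service_plan.example.id}",
                "identity": [{"type": "SystemAssigned"}],
            }]},
            {"web-without-msi": [{
                "app_service_plan_id": "${azurerm_app_service_plan.example.id}",
            }]},
        ]
    }]
})


def _as_list(node: Any) -> List[Any]:
    """Terraform JSON usually nests blocks in lists; accept a bare dict too."""
    return node if isinstance(node, list) else [node]


def app_services(tf: Dict[str, Any]) -> Iterable[Tuple[str, Dict[str, Any]]]:
    """Yield (name, body) for every azurerm_app_service in a parsed tf.json."""
    for resource_block in _as_list(tf.get("resource", [])):
        for entry in _as_list(resource_block.get("azurerm_app_service", [])):
            for name, bodies in entry.items():
                for body in _as_list(bodies):
                    yield name, body


def missing_identity(tf_json_text: str) -> List[str]:
    """Names of web apps with no 'identity' block (the policy's anyNull condition)."""
    tf = json.loads(tf_json_text)
    return [name for name, body in app_services(tf) if not body.get("identity")]


if __name__ == "__main__":
    # Expected: ['web-without-msi']
    print(missing_identity(SAMPLE_TF_JSON))
```

Running it against your own tf.json (for example the output of a JSON-format Terraform config) lists every web app that would be flagged by this policy.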

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Navigate to App Services.
  3. Click on the reported App.
  4. Under the Settings section, click on 'Identity'.
  5. Ensure that 'Status' is set to 'On'.
Remediation CLI Command:
az webapp identity assign --resource-group ${resourceGroup} --name ${resourceName}
CLI Command Description:
This CLI command requires the 'Microsoft.Web/sites/{app_name}/config/*' permission. Successful execution enables a managed service identity on the App Service, which makes the app more secure by eliminating secrets from the app, such as credentials in connection strings.

Compliance

There are 3 standards that are applicable to this policy:
  • PIPEDA
  • CIS v1.1 (Azure)
  • CCPA 2018
