Description:

Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.


Rationale:

App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.


Audit:

From Azure Portal

1. From Azure Portal open the Portal Menu in the top left

2. Go to App Services

3. Click on each App

4. Under the Setting section, Click on Identity

5. Under the System assigned pane, ensure that Status set to On


From Azure CLI

To check Register with Azure Active Directory feature status for an existing app, run the following command,

az webapp identity show --resource-group <RESOURCE_GROUP_NAME> --name

<APP_NAME> --query principalId

The output should return unique Principal ID. If no output for the above command then Register with Azure Active Directory is not set.


From PowerShell

List the web apps.

Get-AzWebApp

For each web app run the following command.

Get-AzWebapp -ResourceGroupName <app resource group> -Name <app name>

Make sure the Identity setting contains a unique Principal ID


Remediation:

From Azure Portal

1. Login to Azure Portal using https://portal.azure.com

2. Go to App Services

3. Click on each App

4. Under Setting section, Click on Identity

5. Under the System assigned pane, set Status to On


From Azure CLI

To set Register with Azure Active Directory feature for an existing app, run the following command:

az webapp identity assign --resource-group <RESOURCE_GROUP_NAME> --name

<APP_NAME>


From PowerShell

To register with Azure Active Directory feature for an existing app, run the following command:

Set-AzWebApp -AssignIdentity $True -ResourceGroupName <resource_Group_Name> -

Name <App_Name>


Default Value:

By default, Managed service identity via Azure AD is disabled.


References:

1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorialconnect-msi

2. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3- identity-management#im-1-use-centralized-identity-and-authentication-system