Profile Applicability:
- Level 1
Description:
This check ensures that a Managed Identity is used for Azure services that need to interact with other Azure resources. Managed Identity provides a secure and streamlined way to authenticate to Azure services without storing credentials in your code, thereby enhancing security.
Rationale:
Using Managed Identity allows Azure resources, such as Azure Virtual Machines, App Services, and Azure Functions, to authenticate to other Azure services securely. This eliminates the need for manually managing credentials or connection strings, reducing the risk of credential theft or exposure. By enabling Managed Identity, Azure ensures that applications and services have secure, automatic access to other Azure resources.
Impact:
Pros:
Reduces the need to manage credentials and secrets manually.
Enhances security by eliminating hardcoded secrets and using Azure's built-in identity management.
Supports compliance requirements by using Azure Active Directory (Azure AD) for access control.
Cons:
Requires proper configuration and role-based access control (RBAC) to ensure that the Managed Identity has appropriate permissions to access resources.
May require updates to existing code or configurations to integrate Managed Identity with Azure services.
Default Value:
By default, Managed Identity is not enabled for Azure services. It must be explicitly configured for each resource that requires it.
Pre-requisites:
Ensure that the Azure service (e.g., Azure App Service, Virtual Machine, Azure Function) supports Managed Identity.
Ensure that appropriate Azure Active Directory (Azure AD) roles and permissions are granted to the Managed Identity for accessing required Azure services.
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Resource (e.g., Azure App Service, Azure Virtual Machine) where you want to check Managed Identity usage.
Under the Settings section, click on Identity.
Verify that System-assigned Managed Identity is set to On. If you're using a User-assigned Managed Identity, ensure that the correct identity is listed.
Under the Access Control (IAM) section, ensure that the Managed Identity has appropriate roles assigned to interact with other Azure resources (e.g., Reader, Contributor, or custom roles).
Using Azure CLI:
To check if Managed Identity is enabled for a resource, run the following command:
az webapp identity show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME>
Verify that type is set to SystemAssigned or UserAssigned. You can also verify role assignments with the following command (--all includes assignments scoped to a resource group or a single resource, which are otherwise omitted from the listing):
az role assignment list --assignee <MANAGED_IDENTITY_CLIENT_ID> --all
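The two CLI commands above produce JSON; the following is an added example (not part of this benchmark text and not an Azure tool) that evaluates that JSON the way the test plan describes: the identity type must be SystemAssigned or UserAssigned, and the identity must hold role assignments that are neither absent nor needlessly broad. The sample documents are constructed, not captured from a real tenant; the field names follow the Azure CLI output shape, and the set of roles treated as high-privilege is an assumption, not a benchmark requirement.

```python
"""Evaluate the Managed Identity check from Azure CLI JSON output.

Added example; it is not part of the benchmark text and not an Azure tool.
It consumes the JSON printed by `az webapp identity show` and
`az role assignment list --assignee ... --all` and decides whether the web
app passes. The sample documents below are constructed, not captured from a
real tenant; field names follow the Azure CLI output shape (principalId,
type, userAssignedIdentities, roleDefinitionName, scope).
"""
import json

# Roles broad enough that a reviewer should confirm they are intentional
# when granted above a single resource (the set is an assumption, not a
# benchmark requirement).
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def identity_status(identity_json: str) -> tuple[bool, str]:
    """Return (compliant, detail) for `az webapp identity show` output.

    The CLI may print nothing when no identity has ever been assigned, so an
    empty document is treated as 'no managed identity'.
    """
    if not identity_json.strip():
        return False, "no managed identity configured"
    ident = json.loads(identity_json)
    # The type field can read "SystemAssigned, UserAssigned" when both are on.
    kinds = {k.strip() for k in (ident.get("type") or "None").split(",")}
    if "SystemAssigned" in kinds:
        return True, f"system-assigned, principalId={ident.get('principalId')}"
    if "UserAssigned" in kinds:
        attached = ident.get("userAssignedIdentities") or {}
        if not attached:
            return False, "type is UserAssigned but no identity is attached"
        return True, "user-assigned: " + ", ".join(attached)
    return False, f"identity type is {ident.get('type')}"


def scope_depth(scope: str) -> str:
    """Classify an ARM scope: managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if parts[:2] == ["providers", "Microsoft.Management"]:
        return "managementGroup"
    if "providers" in parts:
        return "resource"
    if "resourceGroups" in parts:
        return "resourceGroup"
    return "subscription"


def review_role_assignments(assignments_json: str) -> list[str]:
    """Return findings for `az role assignment list` output; empty means clean.

    No assignments at all means the identity is on but can reach nothing,
    so the control is not actually in use. Privileged roles above resource
    scope are flagged for confirmation rather than failed outright.
    """
    findings = []
    assignments = json.loads(assignments_json)
    if not assignments:
        findings.append("identity has no role assignments; it cannot access any resource")
    for a in assignments:
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        depth = scope_depth(scope)
        if role in HIGH_PRIVILEGE_ROLES and depth != "resource":
            findings.append(f"{role} at {depth} scope {scope}; confirm least privilege")
    return findings


# Constructed sample: system-assigned identity on, one broad and one narrow role.
SAMPLE_IDENTITY = json.dumps({
    "principalId": "00000000-0000-0000-0000-000000000001",
    "tenantId": "00000000-0000-0000-0000-0000000000aa",
    "type": "SystemAssigned",
    "userAssignedIdentities": None,
})
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/<SUBSCRIPTION_ID>"},
    {"roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg-app"
              "/providers/Microsoft.Storage/storageAccounts/stapp"},
])

if __name__ == "__main__":
    # In practice, feed in the output of the two az commands from the test plan.
    passed, detail = identity_status(SAMPLE_IDENTITY)
    print("PASS" if passed else "FAIL", detail)
    for finding in review_role_assignments(SAMPLE_ASSIGNMENTS):
        print("REVIEW", finding)
```

On the constructed sample the identity passes, and the subscription-wide Contributor assignment is reported for review while the storage-account-scoped data role is not; a resource with the identity switched on but no role assignments is reported as well, since an identity that can reach nothing is not actually replacing any credential.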
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Resource (e.g., Azure App Service, Azure Function).
Under the Settings section, click on Identity.
Set System-assigned Managed Identity to On or configure a User-assigned Managed Identity if needed.
Under the Access Control (IAM) section, assign the necessary roles (e.g., Reader, Contributor) to the Managed Identity to allow access to other Azure resources.
Click Save to apply the changes.
Using Azure CLI:
To enable a System-assigned Managed Identity, run the following command:
az webapp identity assign --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME>
To assign a User-assigned Managed Identity, run the following command:
az webapp identity assign --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --identities <USER_ASSIGNED_IDENTITY_ID>
To assign roles to the Managed Identity for accessing other services, run the following command:
az role assignment create --assignee <MANAGED_IDENTITY_CLIENT_ID> --role <ROLE_NAME> --scope <RESOURCE_ID>
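Enabling the identity and assigning roles does not by itself remove the connection strings the application was using before, which is the "updates to existing code or configurations" the Impact section mentions. The following added example (not part of this benchmark and not an Azure tool) scans the JSON printed by az webapp config appsettings list for values that still embed a shared secret, so the migration can be confirmed complete. The sample settings are constructed; the list of credential fields it matches is an assumption covering common Azure connection-string formats, not a complete definition of a secret.

```python
"""Find app settings that still embed credentials after Managed Identity is on.

Added example, not from the benchmark and not an Azure tool. It scans the
JSON printed by `az webapp config appsettings list` (a list of objects with
name, slotSetting and value) for connection strings that carry a shared
secret. The sample settings below are constructed. SECRET_FIELDS is an
assumption covering the usual Azure connection-string secret fields.
"""
import json
import re

# key=value fields in Azure connection strings that carry a shared secret.
SECRET_FIELDS = re.compile(
    r"(?:^|;)\s*(AccountKey|SharedAccessKey|SharedAccessSignature|Password|Pwd)\s*=",
    re.IGNORECASE,
)
# Key Vault references are resolved by the platform with the app's identity;
# they are the recommended replacement for inline secrets and are not flagged.
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\(", re.IGNORECASE)


def classify_setting(value: str) -> str:
    """Return 'keyvault', 'embedded-secret' or 'plain' for one setting value."""
    if KEYVAULT_REF.match(value.strip()):
        return "keyvault"
    if SECRET_FIELDS.search(value):
        return "embedded-secret"
    return "plain"


def find_embedded_secrets(appsettings_json: str) -> list[str]:
    """Sorted names of settings whose values still embed a shared secret."""
    settings = json.loads(appsettings_json)
    return sorted(
        s["name"] for s in settings
        if classify_setting(s.get("value") or "") == "embedded-secret"
    )


# Constructed sample: one identity-based endpoint, two legacy key-bearing
# connection strings, and one Key Vault reference.
SAMPLE_APPSETTINGS = json.dumps([
    {"name": "STORAGE_ACCOUNT_URL", "slotSetting": False,
     "value": "https://stapp.blob.core.windows.net"},
    {"name": "LEGACY_STORAGE", "slotSetting": False,
     "value": "DefaultEndpointsProtocol=https;AccountName=stapp;"
              "AccountKey=<REDACTED_KEY>;EndpointSuffix=core.windows.net"},
    {"name": "SERVICEBUS", "slotSetting": False,
     "value": "Endpoint=sb://ns.servicebus.windows.net/;"
              "SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=<REDACTED_KEY>"},
    {"name": "DB_CONN", "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=https://kv-app.vault.azure.net/secrets/db-conn/)"},
])

if __name__ == "__main__":
    # In practice, feed in: az webapp config appsettings list -g <RG> -n <APP>
    for name in find_embedded_secrets(SAMPLE_APPSETTINGS):
        print("STILL USES SHARED SECRET:", name)
```

Settings that only hold an endpoint URL are the shape a managed-identity client needs, and Key Vault references are left alone because the platform resolves them with the identity; the two legacy connection strings are what remain to be replaced before the credential-elimination benefit in the Rationale is actually realised.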
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Resource (e.g., Azure App Service, Virtual Machine).
Under the Settings section, click on Identity.
Set System-assigned Managed Identity to Off to disable the Managed Identity.
If using a User-assigned Managed Identity, remove the identity from the User-assigned Managed Identity list.
Click Save to apply the changes.
Using Azure CLI:
To disable System-assigned Managed Identity, run the following command:
az webapp identity remove --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME>
To remove a User-assigned Managed Identity, run the following command:
az webapp identity remove --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --identities <USER_ASSIGNED_IDENTITY_ID>
References: