App Service is not registered with an Azure Active Directory account

ID

app_service_identity

Severity

low

Vendor

Azure

Resource

App Service

Tags

reachable

Description

App Service should register with Azure Active Directory (now Microsoft Entra ID) by enabling a managed identity.

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

While developers can store secrets in Azure Key Vault, the application still needs some credential to reach Key Vault, which re-creates the original problem. Managed identities remove it: Azure creates an identity in Azure Active Directory (Azure AD) for the app and fully manages and rotates its underlying credential. The app uses that identity to obtain Azure AD tokens for any resource that supports Azure AD authentication (Key Vault, Storage, Azure SQL, and so on) without holding any credential itself.

Some benefits are:

  • You don’t need to manage credentials. Credentials aren’t even accessible to you.

  • You can use managed identities to authenticate to any resource that supports Azure AD authentication, including your own applications.

  • Managed identities can be used at no extra cost.
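The following is an added example, not code from the original page, showing what "no credential to manage" means in practice inside App Service. The platform injects two environment variables, IDENTITY_ENDPOINT and IDENTITY_HEADER, into the app; a GET to that endpoint carrying the X-IDENTITY-HEADER header returns a token for the requested resource, which the app then presents to Key Vault. The vault and secret names are placeholders, and the JSON reply used in the comments is a constructed sample.

```python
"""Acquire a managed-identity token inside Azure App Service and use it to
read a Key Vault secret, with no credential in code or configuration.

Added example (not the page's or Microsoft's own code). Assumes the documented
App Service managed-identity endpoint (api-version 2019-08-01) and the
Key Vault REST API (api-version 7.4).
"""
import json
import os
import urllib.parse
import urllib.request

MSI_API_VERSION = "2019-08-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # token audience for Key Vault


def build_token_request(identity_endpoint, identity_header, resource, client_id=None):
    """Return (url, headers) for the platform's token endpoint.

    The secret header value is injected by App Service, never stored by the app.
    client_id is only needed when several user-assigned identities are attached
    and the app must say which one to use.
    """
    params = {"api-version": MSI_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = identity_endpoint + "?" + urllib.parse.urlencode(params)
    headers = {"X-IDENTITY-HEADER": identity_header}
    return url, headers


def parse_token_response(body):
    """Extract the bearer token and its expiry (epoch seconds) from the reply.

    Constructed sample reply:
    {"access_token":"eyJ0...","expires_on":"1586984735",
     "resource":"https://vault.azure.net","token_type":"Bearer"}
    """
    data = json.loads(body)
    if data.get("token_type", "Bearer") != "Bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),  # string in the real reply
        "resource": data.get("resource"),
    }


def build_secret_request(vault_name, secret_name, access_token):
    """Return (url, headers) for reading one Key Vault secret with the token."""
    url = "https://%s.vault.azure.net/secrets/%s?api-version=7.4" % (
        vault_name, urllib.parse.quote(secret_name))
    headers = {"Authorization": "Bearer " + access_token}
    return url, headers


def read_secret(vault_name, secret_name, resource=KEY_VAULT_RESOURCE):
    """End to end: token from the platform endpoint, then the secret value.

    Raises RuntimeError when the identity variables are absent, i.e. when the
    app runs outside App Service or has no managed identity enabled.
    """
    endpoint = os.environ.get("IDENTITY_ENDPOINT")
    header = os.environ.get("IDENTITY_HEADER")
    if not endpoint or not header:
        raise RuntimeError("no managed identity: IDENTITY_ENDPOINT/IDENTITY_HEADER not set")
    url, headers = build_token_request(endpoint, header, resource)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        token = parse_token_response(resp.read().decode())
    url, headers = build_secret_request(vault_name, secret_name, token["access_token"])
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())["value"]


if __name__ == "__main__":
    # Placeholder names; this only succeeds inside an App Service with a
    # managed identity that has been granted "get" on the vault's secrets.
    print(read_secret("kv-example", "db-password"))
```

Note that the only "secret" involved is the IDENTITY_HEADER value, which is scoped to the app's sandbox and not persisted anywhere the developer controls. The Azure SDK's DefaultAzureCredential / ManagedIdentityCredential classes do the same endpoint call under the hood; the raw request is shown here to make the mechanism visible.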

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "bad", (1)
      "location": "[parameters('location')]",
      "kind": "app"
    }
  ]
}
1 App Service does not use identity SystemAssigned / UserAssigned.

Terraform

resource "azurerm_windows_web_app" "fail" { # FLAW (1)
  name                = "example"
  # ... more configuration, but no identity block
}
1 App Service does not use identity SystemAssigned / UserAssigned.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "good", (1)
      "location": "[parameters('location')]",
      "kind": "app",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "httpsOnly": true
      }
    }
  ]
}
1 App Service uses identity 'SystemAssigned'.

Terraform

resource "azurerm_windows_web_app" "pass" {
  name                = "example"
  # ... more configuration

  identity { # FIXED
    type = "SystemAssigned"
  }
}
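The check this policy performs at build time, written out as an added example (not the vendor's scanner) over ARM templates. The two templates embedded below are the page's own "bad" and "good" examples, reproduced as constructed input without the callout markers; the checker also treats `"type": "None"` and a `UserAssigned` identity with no `userAssignedIdentities` reference as findings, which the page's examples do not cover.

```python
"""Flag Microsoft.Web/sites resources in an ARM template that carry no usable
managed identity. Added example; assumes only the ARM identity schema
(type in SystemAssigned | UserAssigned | "SystemAssigned, UserAssigned" | None,
plus userAssignedIdentities for the user-assigned forms).
"""
import json

WEB_APP_TYPE = "Microsoft.Web/sites"

# Constructed copies of the page's two examples (callout markers removed).
BAD_TEMPLATE = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Web/sites", "apiVersion": "2018-11-01", "name": "bad",
     "location": "[parameters('location')]", "kind": "app"}
  ]
}"""

GOOD_TEMPLATE = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Web/sites", "apiVersion": "2018-11-01", "name": "good",
     "location": "[parameters('location')]", "kind": "app",
     "identity": {"type": "SystemAssigned"},
     "properties": {"httpsOnly": true}}
  ]
}"""


def identity_missing(resource):
    """True when the resource has no identity, identity.type is None/empty,
    or a user-assigned type references no identity."""
    identity = resource.get("identity") or {}
    raw = str(identity.get("type", "")).strip().lower()
    if not raw or raw == "none":
        return True
    parts = {p.strip() for p in raw.split(",")}
    if not parts <= {"systemassigned", "userassigned"}:
        return True  # unknown identity type: treat as a finding
    if "userassigned" in parts and not identity.get("userAssignedIdentities"):
        return True
    return False


def _walk(resources):
    """Yield every resource, including nested child resources."""
    for res in resources or []:
        yield res
        yield from _walk(res.get("resources"))


def check_template(template_json):
    """Return the names of web apps in the template without a managed identity."""
    template = json.loads(template_json)
    return [res.get("name", "<unnamed>")
            for res in _walk(template.get("resources"))
            if res.get("type") == WEB_APP_TYPE and identity_missing(res)]


if __name__ == "__main__":
    print("bad  ->", check_template(BAD_TEMPLATE))   # ['bad']
    print("good ->", check_template(GOOD_TEMPLATE))  # []
```

The same logic applies to Terraform: an `azurerm_windows_web_app` / `azurerm_linux_web_app` resource with no `identity` block, or with `type = "UserAssigned"` and an empty `identity_ids`, fails the check.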

Runtime

Azure Portal

To change the setting, log in to the Azure Portal and then, for each app:

  • Navigate to App Services and select the app.

  • In the Settings section, click Identity.

  • On the System assigned tab, set Status to On and click Save.

CLI Command

  • To enable a system-assigned managed identity (the "Register with Azure Active Directory" feature) on an existing app, use the following command. Its output includes the identity's principalId, which is the object you grant access to in Key Vault or elsewhere:

$ az webapp identity assign \
    --resource-group <resource group name> \
    --name <app name>

  • To attach a user-assigned managed identity instead, pass its resource ID with --identities:

$ az webapp identity assign \
    --resource-group <resource group name> \
    --name <app name> \
    --identities <user-assigned identity resource ID>