
Azure AI account access keys are enabled

Security · Azure AI · Rule · 2022_09 · Important

Access keys allow depersonalized access to Azure AI using a shared secret.

Description

To send requests to Azure AI service endpoints (previously known as Cognitive Services), each request must include an authentication header. Azure AI service endpoints support authentication with either keys or access tokens. Using an Entra ID access token instead of a shared cryptographic key has some additional security benefits.

With Entra ID authentication, an authorized identity is issued an OAuth2 access token by Entra ID. Using Entra ID as the identity provider centralizes identity management and auditing.

Once you decide to use Entra ID authentication, you can disable authentication using keys.

Recommendation

Consider only using Entra ID identities to authenticate requests to Azure AI service accounts. Once configured, disable authentication based on access keys.

Examples

Configure with Azure template

To deploy accounts that pass this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "S0"
  },
  "kind": "CognitiveServices",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {
      "defaultAction": "Deny"
    },
    "disableLocalAuth": true
  }
}
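A static check that applies this rule's logic to an ARM template, added here as an example and not part of the PSRule for Azure project. It assumes the template is available as parsed JSON; the SAMPLE_TEMPLATE resources and names are constructed for illustration. It treats a missing disableLocalAuth as a failure, since an account without the property still accepts keys, and reports a parameterized value as unresolved rather than guessing.

```python
import json

# Constructed ARM template fragment (not from the original page): one compliant
# account, two non-compliant ones, one parameterized, and an unrelated resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.CognitiveServices/accounts", "apiVersion": "2023-05-01",
     "name": "ai-keys-disabled", "properties": {"disableLocalAuth": true}},
    {"type": "Microsoft.CognitiveServices/accounts", "apiVersion": "2023-05-01",
     "name": "ai-keys-enabled", "properties": {"disableLocalAuth": false}},
    {"type": "microsoft.cognitiveservices/accounts", "apiVersion": "2023-05-01",
     "name": "ai-property-missing", "properties": {"publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.CognitiveServices/accounts", "apiVersion": "2023-05-01",
     "name": "ai-parameterised",
     "properties": {"disableLocalAuth": "[parameters('disableLocalAuth')]"}},
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
     "name": "unrelated", "properties": {}}
  ]
}
""")

ACCOUNT_TYPE = "microsoft.cognitiveservices/accounts"


def check_local_auth(template: dict) -> dict:
    """Map each Azure AI account name in the template to a verdict.

    'pass'       : properties.disableLocalAuth is literally true
    'fail'       : the property is false or absent (absent means keys stay enabled)
    'unresolved' : the value is an ARM expression ("[...]") that cannot be
                   evaluated without the parameter values
    """
    results = {}
    for res in template.get("resources", []):
        # ARM resource types are case-insensitive, so compare lower-cased.
        if res.get("type", "").lower() != ACCOUNT_TYPE:
            continue
        value = res.get("properties", {}).get("disableLocalAuth")
        if value is True:
            verdict = "pass"
        elif isinstance(value, str) and value.startswith("[") and not value.startswith("[["):
            verdict = "unresolved"  # template expression; "[[" would be an escaped literal
        else:
            verdict = "fail"
        results[res["name"]] = verdict
    return results


if __name__ == "__main__":
    for name, verdict in check_local_auth(SAMPLE_TEMPLATE).items():
        print(f"{verdict:<10} {name}")
```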

Configure with Bicep

To deploy accounts that pass this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

Azure Bicep snippet
resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'S0'
  }
  kind: 'CognitiveServices'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
    }
    disableLocalAuth: true
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/cognitive-services/account:<version>

To use the latest version:

br/public:avm/res/cognitive-services/account:0.8.1

Configure with Azure Policy

To address this issue at runtime use the following policies:
