Use Managed Identity for Azure AI services accounts

Security · Azure AI · Rule · 2022_09 · Important

Configure managed identities to access Azure resources.

Description

Azure AI services (previously known as Cognitive Services) must authenticate to Azure resources such storage accounts. To authenticate to Azure resources, Azure AI can use managed identities.

Using Azure managed identities have the following benefits:

• You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
• You can use managed identities to authenticate to any Azure service that supports Entra ID (previously Azure AD) authentication.
• Managed identities can be used without any additional cost.

Recommendation

Consider configuring a managed identity for each Azure AI services account.

Examples

Configure with Azure template

To deploy accounts that pass this rule:

• Set the identity.type to SystemAssigned or UserAssigned.
• If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet

{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "S0"
  },
  "kind": "TextAnalytics",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {
      "defaultAction": "Deny"
    },
    "disableLocalAuth": true
  }
}

Configure with Bicep

To deploy accounts that pass this rule:

• Set the identity.type to SystemAssigned or UserAssigned.
• If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet

resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'S0'
  }
  kind: 'TextAnalytics'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
    }
    disableLocalAuth: true
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/cognitive-services/account:<version>

To use the latest version:

br/public:avm/res/cognitive-services/account:0.8.1

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Configure with Azure Policy

To address this issue at runtime use the following policies:

• Cognitive Services accounts should use a managed identity /providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418.

Notes

Configuration of additional Azure resources is not required for all Azure AI services. This rule will run for the following Azure AI services:

• TextAnalytics - Language service.

Links

• SE:05 Identity and access management
• Azure Policy built-in policy definitions for Azure AI services
• IM-1: Use centralized identity and authentication system
• IM-3: Manage application identities securely and automatically
• Azure deployment reference

Comments