
App Service apps use a managed identity

Security · App Service · Rule · 2020_12 · Important

Configure managed identities to access Azure resources.

Description

Azure App Service apps must authenticate to Azure resources such as Azure SQL Database. App Service can use managed identities to authenticate to Azure resources without storing credentials in app settings, connection strings or code.

Using Azure managed identities has the following benefits:

  • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
  • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
  • Managed identities can be used without any additional cost.

Recommendation

Consider configuring a managed identity for each App Service app. Also consider using managed identities to authenticate to related Azure services. A managed identity only removes credentials if the app actually uses it, so grant the identity the least-privileged role it needs on each target resource and retire the keys or passwords it replaces.

Examples

Configure with Azure template

To deploy App Services that pass this rule:

  • Set the identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet

```json
{
    "type": "Microsoft.Web/sites",
    "apiVersion": "2021-02-01",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "identity": {
        "type": "SystemAssigned"
    },
    "kind": "web",
    "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
        "httpsOnly": true,
        "siteConfig": {
            "alwaysOn": true,
            "minTlsVersion": "1.2",
            "ftpsState": "FtpsOnly",
            "remoteDebuggingEnabled": false,
            "http20Enabled": true
        }
    },
    "tags": "[parameters('tags')]",
    "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
    ]
}
```

Configure with Bicep

To deploy App Services that pass this rule:

  • Set the identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet

```bicep
resource webApp 'Microsoft.Web/sites@2021-02-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  kind: 'web'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'FtpsOnly'
      remoteDebuggingEnabled: false
      http20Enabled: true
    }
  }
  tags: tags
}
```
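The snippets above only show the SystemAssigned form. The following is an added example, not code from the PSRule page, that covers the UserAssigned path the rule also accepts and wires the identity to the "related Azure services" the recommendation mentions: an existing user-assigned identity is attached to the app, granted the built-in Key Vault Secrets User role on an existing vault, and used for Azure SQL with a connection string that carries no password. Parameter names, the resource names passed in, the `AppDb` connection string name and the SQL server value are assumptions; the API versions and the Key Vault Secrets User role definition ID are the real Azure values.

```bicep
// Added example: App Service app with a user-assigned managed identity that is
// granted least-privilege access to Key Vault and authenticates to Azure SQL
// without a stored password. Parameter names and resource names are assumptions.
param name string
param location string = resourceGroup().location
param planName string
param identityName string   // existing user-assigned identity in this resource group (assumed)
param vaultName string      // existing Key Vault using Azure RBAC authorization (assumed)
param sqlServerFqdn string  // e.g. 'contoso.database.windows.net' (assumed)
param sqlDatabaseName string
param tags object = {}

// Built-in role "Key Vault Secrets User": read secret contents only, no management rights.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource plan 'Microsoft.Web/serverfarms@2021-02-01' existing = {
  name: planName
}

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: identityName
}

resource vault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: vaultName
}

resource webApp 'Microsoft.Web/sites@2021-02-01' = {
  name: name
  location: location
  identity: {
    type: 'UserAssigned'
    // The rule requires UserAssigned identities to be listed here; the key is the identity's resource ID.
    userAssignedIdentities: {
      '${uami.id}': {}
    }
  }
  kind: 'web'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'FtpsOnly'
      remoteDebuggingEnabled: false
      http20Enabled: true
      appSettings: [
        {
          // Tells Azure.Identity (DefaultAzureCredential / ManagedIdentityCredential)
          // which identity to request a token for when more than one is attached.
          name: 'AZURE_CLIENT_ID'
          value: uami.properties.clientId
        }
      ]
      connectionStrings: [
        {
          // Microsoft.Data.SqlClient managed identity authentication: no secret in the string.
          // For a user-assigned identity, User Id must be the identity's client ID.
          name: 'AppDb'
          type: 'SQLAzure'
          connectionString: 'Server=tcp:${sqlServerFqdn},1433;Database=${sqlDatabaseName};Authentication=Active Directory Managed Identity;User Id=${uami.properties.clientId};Encrypt=True;'
        }
      ]
    }
  }
  tags: tags
}

// Grant the identity read access to secrets, scoped to this vault only.
// The deterministic guid() keeps the assignment idempotent across redeployments.
resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, uami.id, keyVaultSecretsUserRoleId)
  scope: vault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

output identityPrincipalId string = uami.properties.principalId
```

Two things the template cannot do for you: the role assignment only takes effect if the vault has `enableRbacAuthorization` set to true (otherwise access is governed by access policies), and Azure SQL still needs a contained database user for the identity (`CREATE USER [<identityName>] FROM EXTERNAL PROVIDER;` followed by the minimal `db_datareader`/`db_datawriter` role grants) created by a database administrator. Deploying `Microsoft.Authorization/roleAssignments` also requires the deploying principal to hold `roleAssignments/write` on the vault, typically Owner or User Access Administrator, so run this from a pipeline identity that has it rather than widening the app's own rights.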

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, use the following syntax:

br/public:avm/res/web/site:<version>

To use the latest version at the time of writing:

br/public:avm/res/web/site:0.9.0
