# Managed identity
Security · Front Door · Rule · 2023_09 · Important
Ensure Front Door uses a managed identity to authorize access to Azure resources.
## Description
When configuring a Standard or Premium SKU with a custom domain using bring your own certificate (BYOC), access to a Key Vault is required. Standard and Premium Front Door profiles support two methods for authorizing access to Azure resources:

- Using the Microsoft managed multi-tenant app registration.
  - Standard SKU profiles use the client ID `205478c0-bd83-4e1b-a9d6-db63a3e1e1c8`.
  - Premium SKU profiles use the client ID `d4631ece-daab-479b-be77-ccb713491fc0`.
- With a system or user assigned managed identity.
The multi-tenant app registration has a number of challenges:

- Only a single client ID is used for each SKU for all Azure Front Door profiles. If multiple Front Door profiles are deployed into a single subscription, it is not possible to restrict access so that each profile has access to its own Key Vault.
- An Entra ID (Azure AD) Global Administrator must register the multi-tenant application once for each tenant before it can be used.

Using a managed identity allows access to Key Vault to be granted using RBAC on an individual basis, so each profile can be limited to the Key Vault it needs.
## Recommendation
Consider configuring a managed identity to support Azure AD authentication.
## Examples
### Configure with Azure template
To deploy Azure Front Door instances that pass this rule:
- Set `identity.type` to `SystemAssigned` or `UserAssigned` or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:

```json
{
  "type": "Microsoft.Cdn/profiles",
  "apiVersion": "2022-11-01-preview",
  "name": "myFrontDoor",
  "location": "global",
  "sku": {
    "name": "Standard_AzureFrontDoor"
  },
  "identity": {
    "type": "SystemAssigned",
    "userAssignedIdentities": {}
  }
}
```
### Configure with Bicep
To deploy Azure Front Door instances that pass this rule:
- Set `identity.type` to `SystemAssigned` or `UserAssigned` or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:

```bicep
resource frontDoorProfile 'Microsoft.Cdn/profiles@2022-11-01-preview' = {
  name: 'myFrontDoor'
  location: 'global'
  sku: {
    name: 'Standard_AzureFrontDoor'
  }
  identity: {
    type: 'SystemAssigned'
    userAssignedIdentities: {}
  }
}
```
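The two steps above (set `identity.type`, and list an identity under `identity.userAssignedIdentities` when `UserAssigned` is included) can be checked before deployment with a small static scan of the template's resources. The following is an added example, not PSRule for Azure's own rule implementation and not run through the PSRule engine; the sample template, the profile names and the user-assigned identity resource id in it are constructed.

```python
"""Static check of Microsoft.Cdn/profiles resources in an ARM template against
the Front Door managed identity rule described above.

Added example: this is not PSRule for Azure code. The sample template below is
constructed, including its resource names and the managed identity resource id.
"""
import json

# Front Door SKUs that support managed identities. Classic Front Door is a
# different resource type and is out of scope for this check.
FRONT_DOOR_SKUS = {"standard_azurefrontdoor", "premium_azurefrontdoor"}
CANONICAL = {"systemassigned": "SystemAssigned", "userassigned": "UserAssigned"}


def check_profile_identity(resource: dict) -> tuple[bool, str]:
    """Return (passes, reason) for one template resource.

    Resources that are not Front Door Standard/Premium profiles pass with an
    'out of scope' reason so a template-wide loop stays simple.
    """
    if str(resource.get("type", "")).lower() != "microsoft.cdn/profiles":
        return True, "out of scope: not a Microsoft.Cdn/profiles resource"
    sku = str((resource.get("sku") or {}).get("name", "")).lower()
    if sku not in FRONT_DOOR_SKUS:
        return True, f"out of scope: sku {sku!r} is not an AFD Standard/Premium SKU"

    identity = resource.get("identity") or {}
    raw_type = str(identity.get("type", ""))
    # ARM accepts "SystemAssigned, UserAssigned" with spaces and in any case,
    # so normalise before comparing.
    parts = sorted({p.strip().lower() for p in raw_type.split(",") if p.strip()})
    if not parts or parts == ["none"]:
        return False, ("identity.type is missing or None; the profile falls back "
                       "to the shared multi-tenant app registration")
    unknown = [p for p in parts if p not in CANONICAL]
    if unknown:
        return False, f"identity.type contains unknown value(s): {unknown}"
    if "userassigned" in parts and not identity.get("userAssignedIdentities"):
        return False, ("identity.type includes UserAssigned but "
                       "identity.userAssignedIdentities lists no identity")
    return True, "identity.type is " + ",".join(CANONICAL[p] for p in parts)


def evaluate_template(template: dict) -> dict[str, tuple[bool, str]]:
    """Map each resource name in the template to its (passes, reason) result."""
    return {r.get("name", "<unnamed>"): check_profile_identity(r)
            for r in template.get("resources", [])}


# Constructed sample template: two passing profiles, two failing ones, and a
# CDN profile with a non-Front Door SKU that the rule does not apply to.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Cdn/profiles", "apiVersion": "2022-11-01-preview",
     "name": "afd-system", "location": "global",
     "sku": {"name": "Standard_AzureFrontDoor"},
     "identity": {"type": "SystemAssigned", "userAssignedIdentities": {}}},
    {"type": "Microsoft.Cdn/profiles", "apiVersion": "2022-11-01-preview",
     "name": "afd-user", "location": "global",
     "sku": {"name": "Premium_AzureFrontDoor"},
     "identity": {"type": "systemassigned, userassigned",
                  "userAssignedIdentities": {
                    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-afd-example": {}}}},
    {"type": "Microsoft.Cdn/profiles", "apiVersion": "2022-11-01-preview",
     "name": "afd-none", "location": "global",
     "sku": {"name": "Standard_AzureFrontDoor"}},
    {"type": "Microsoft.Cdn/profiles", "apiVersion": "2022-11-01-preview",
     "name": "afd-user-empty", "location": "global",
     "sku": {"name": "Premium_AzureFrontDoor"},
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {}}},
    {"type": "Microsoft.Cdn/profiles", "apiVersion": "2022-11-01-preview",
     "name": "cdn-classic-sku", "location": "global",
     "sku": {"name": "Standard_Microsoft"}}
  ]
}
""")

if __name__ == "__main__":
    for name, (ok, reason) in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```

The `afd-user-empty` case is the one worth noticing: `identity.type` is set, so a check that only looks at the type would pass it, but with no entry under `userAssignedIdentities` the profile has no identity it can actually use against Key Vault.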
## Notes
Currently Azure Front Door only supports Entra ID (Azure AD) authentication to Key Vault. To use a managed identity, the Standard or Premium SKU is required; managed identities are not supported with the Classic SKU.
If you only use Azure Front Door (AFD) managed certificates for custom domains, a managed identity is not required.
## Links
- Use identity-based authentication
- Managed identities for Azure Front Door
- Azure deployment reference