
Search services uses a managed identity

Security · AI Search · Rule · 2021_06 · Important

Configure managed identities to access Azure resources.

Description

AI Search (previously known as Cognitive Search) may require connections to other Azure resources. These connections are required to use some features, including indexing and customer-managed keys. AI Search can use managed identities to authenticate to Azure resources without storing credentials.

Using Azure managed identities has the following benefits:

  • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
  • You can use managed identities to authenticate to any Azure service that supports Entra ID authentication.
  • Managed identities can be used without any additional cost.

Recommendation

Consider configuring a managed identity for each AI Search service. Also consider using managed identities to authenticate to related Azure services.

Examples

Configure with Azure template

To deploy AI Search services that pass this rule:

  • Set the identity.type property to SystemAssigned.

For example:

Azure Template snippet
{
  "type": "Microsoft.Search/searchServices",
  "apiVersion": "2022-09-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "standard"
  },
  "properties": {
    "replicaCount": 3,
    "partitionCount": 1,
    "hostingMode": "default"
  }
}
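
A pre-deployment check for the identity.type property shown above, added here as an example (it is not this rule's own implementation or code from the original page). The function names and the sample template are constructed for illustration, and treating every identity.type value other than a missing one or None as passing is an assumption.

```python
import json

SEARCH_TYPE = "microsoft.search/searchservices"

def iter_resources(resources):
    """Yield each resource, descending into nested 'resources' (array or symbolic-name map)."""
    if isinstance(resources, dict):
        resources = resources.values()
    for res in resources or []:
        if isinstance(res, dict):
            yield res
            yield from iter_resources(res.get("resources"))

def check_template(template):
    """Return {resource name: 'pass' | 'fail' | 'unresolved'} for each AI Search service."""
    results = {}
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != SEARCH_TYPE:
            continue
        identity = res.get("identity")
        id_type = str(identity.get("type") or "") if isinstance(identity, dict) else ""
        if id_type.startswith("["):
            verdict = "unresolved"  # template expression: re-check after expansion
        elif id_type.lower() in ("", "none"):
            verdict = "fail"        # no identity block, or identity disabled
        else:
            verdict = "pass"        # assumption: any other type is a managed identity
        results[str(res.get("name"))] = verdict
    return results

# Constructed sample template (names are illustrative, not from the page).
SAMPLE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Search/searchServices", "name": "search-ok",
     "identity": {"type": "SystemAssigned"}},
    {"type": "Microsoft.Search/searchServices", "name": "search-missing"},
    {"type": "microsoft.search/searchservices", "name": "search-none",
     "identity": {"type": "None"}},
    {"type": "Microsoft.Search/searchServices", "name": "search-param",
     "identity": {"type": "[parameters('identityType')]"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stor1"}
  ]
}
""")

if __name__ == "__main__":
    for name, verdict in check_template(SAMPLE).items():
        print(f"{verdict:10} {name}")
```

An "unresolved" verdict means the value is a template expression, so the check has to be repeated against the expanded deployment or the parameter file.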

Configure with Bicep

To deploy AI Search services that pass this rule:

  • Set the identity.type property to SystemAssigned.

For example:

Azure Bicep snippet
resource search 'Microsoft.Search/searchServices@2022-09-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'standard'
  }
  properties: {
    replicaCount: 3
    partitionCount: 1
    hostingMode: 'default'
  }
}
