Search services uses a managed identity

Security · Cognitive Search · 2021_06

Configure managed identities to access Azure resources.

Description

Connections to Azure resources is required to use some features including indexing and customer managed-keys. Cognitive Search can use managed identities to authenticate to Azure resource without storing credentials.

Using Azure managed identities have the following benefits:

• You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
• You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
• Managed identities can be used without any additional cost.

Recommendation

Consider configuring a managed identity for each Cognitive Search service. Also consider using managed identities to authenticate to related Azure services.

Examples

Configure with Azure template

To deploy Cognitive Search services that pass this rule:

• Set the identity.type to SystemAssigned.

For example:

Azure Template snippet

{
    "apiVersion": "2020-08-01",
    "name": "[parameters('serviceName')]",
    "location": "[parameters('location')]",
    "type": "Microsoft.Search/searchServices",
    "identity": {
        "type": "SystemAssigned"
    },
    "sku": {
        "name": "[parameters('sku')]"
    },
    "properties": {
        "replicaCount": 3,
        "partitionCount": 1,
        "hostingMode": "default"
    },
    "tags": {},
    "dependsOn": []
}

Links

• Use identity-based authentication
• What are managed identities for Azure resources?
• Set up an indexer connection to a data source using a managed identity
• Indexer access to Azure Storage using the trusted service exception (Azure Cognitive Search)

---

Last update: 2022-10-17

Comments