Search services use a managed identity

Security · Cognitive Search · Rule · 2021_06

Configure managed identities to access Azure resources.

Description

Connections to Azure resources are required to use some features, including indexing and customer-managed keys. Cognitive Search can use managed identities to authenticate to Azure resources without storing credentials.

Using Azure managed identities has the following benefits:

  • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
  • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
  • Managed identities can be used without any additional cost.

Recommendation

Consider configuring a managed identity for each Cognitive Search service. Also consider using managed identities to authenticate to related Azure services.

Examples

Configure with Azure template

To deploy Cognitive Search services that pass this rule:

  • Set the identity.type to SystemAssigned.

For example:

Azure Template snippet
{
  "type": "Microsoft.Search/searchServices",
  "apiVersion": "2022-09-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "standard"
  },
  "properties": {
    "replicaCount": 3,
    "partitionCount": 1,
    "hostingMode": "default"
  }
}
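
The following Python check is an added example, not part of the original page or of the rule's own implementation. It scans an ARM template for `Microsoft.Search/searchServices` resources whose `identity.type` is missing or `None`. The function names and the sample template are constructed for illustration, and accepting `UserAssigned` is an assumption, since the page only shows `SystemAssigned`.

```python
import json

SEARCH_TYPE = "microsoft.search/searchservices"
# Assumption: UserAssigned also counts; the page itself only shows SystemAssigned.
MANAGED_KINDS = {"systemassigned", "userassigned"}

def has_managed_identity(resource):
    """True when identity.type names at least one managed identity kind."""
    identity = resource.get("identity") or {}
    kinds = {k.strip().lower() for k in str(identity.get("type", "")).split(",")}
    return bool(kinds & MANAGED_KINDS)

def iter_resources(resources):
    """Yield resources depth-first, including nested child resources."""
    if isinstance(resources, dict):  # symbolic-name templates use an object
        resources = resources.values()
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))

def find_failing_search_services(template_text):
    """Names of search services in an ARM template without a managed identity."""
    template = json.loads(template_text)
    return [
        res.get("name", "<unnamed>")
        for res in iter_resources(template.get("resources"))
        if str(res.get("type", "")).lower() == SEARCH_TYPE
        and not has_managed_identity(res)
    ]

# Constructed sample template: one passing service, two failing, one unrelated.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Search/searchServices", "name": "search-ok",
         "identity": {"type": "SystemAssigned"}},
        {"type": "Microsoft.Search/searchServices", "name": "search-missing"},
        {"type": "Microsoft.Search/searchServices", "name": "search-none",
         "identity": {"type": "None"}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stor1"},
    ]
})

if __name__ == "__main__":
    for name in find_failing_search_services(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: identity.type is not SystemAssigned or UserAssigned")
```

Run it against the compiled JSON template in a pipeline step so that a search service without an identity is caught before deployment.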

Configure with Bicep

To deploy Cognitive Search services that pass this rule:

  • Set the identity.type to SystemAssigned.

For example:

Azure Bicep snippet
resource search 'Microsoft.Search/searchServices@2022-09-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'standard'
  }
  properties: {
    replicaCount: 3
    partitionCount: 1
    hostingMode: 'default'
  }
}

Last update: 2023-09-10
