Ensure App Service is registered with an Azure Active Directory account

Error: App Service is not registered with an Azure Active Directory account

Bridgecrew Policy ID: BC_AZR_IAM_1
Checkov Check ID: CKV_AZURE_16
Severity: MEDIUM

Description

A managed identity for App Service improves security by removing secrets from the app, for example credentials embedded in connection strings. App Service is a highly scalable, self-patching web hosting service in Azure. It can also issue the app a managed identity, which is a turn-key way to secure access to Azure SQL Database and other Azure services: the platform obtains Azure Active Directory tokens for the app, and the target service authorizes that identity instead of a stored password. This check looks for an identity block (system-assigned or user-assigned) on the App Service resource.

We recommend that you register the App Service with Azure Active Directory by enabling a managed identity, so the app can authenticate to other Azure services without usernames and passwords stored in its configuration.

Fix - Runtime

Azure Portal

To enable a managed identity using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to App Services.
  3. For each App, click the App.
    a) Under Settings, click Identity.
    b) On the System assigned tab, set Status to On.
    c) Click Save and confirm.

CLI Command

To enable a system-assigned managed identity (the "Register with Azure Active Directory" feature) for an existing app, use the following command:

az webapp identity assign \
  --resource-group <RESOURCE_GROUP_NAME> \
  --name <APP_NAME>

Fix - Buildtime

Terraform

  • Resource: azurerm_app_service (the same identity block applies to azurerm_linux_web_app and azurerm_windows_web_app, which replace azurerm_app_service in AzureRM provider 3.x and later)
  • Field: identity

Note: identity_ids is a list of user-assigned identity resource IDs, not a string, and it is only required when type includes UserAssigned. For a system-assigned identity, set type = "SystemAssigned" and omit identity_ids.

resource "azurerm_app_service" "example" {
    ...
+    identity {
+        type         = "UserAssigned"
+        identity_ids = ["<USER_ASSIGNED_IDENTITY_RESOURCE_ID>"]
+    }
}
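The following is an added illustration of what a policy like this one evaluates; it is example code written for this page, not Checkov's own implementation of CKV_AZURE_16. It operates on an App Service resource's attributes as a plain dict in the parsed-HCL convention (every attribute value wrapped in a list), and the sample resource configurations at the bottom are constructed here, including the common mistake of passing identity_ids as a string instead of a list.

```python
"""Illustrative managed-identity check for an azurerm App Service resource.

Example code added to this page; not Checkov's implementation. Input is the
resource's attribute dict in parsed-HCL shape, e.g.
    {"identity": [{"type": ["SystemAssigned"]}]}
so it runs offline on constructed input.
"""
from __future__ import annotations

from enum import Enum

# Identity types the azurerm provider accepts in an App Service identity block.
VALID_IDENTITY_TYPES = {"SystemAssigned", "UserAssigned", "SystemAssigned, UserAssigned"}


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


def check_app_service_identity(conf: dict) -> tuple[CheckResult, str]:
    """Return (result, reason) for one App Service resource configuration."""
    identity_blocks = conf.get("identity")
    if not identity_blocks:
        return CheckResult.FAILED, "no identity block: the app has no managed identity"

    identity = identity_blocks[0]
    id_type = identity.get("type", [None])[0]
    if id_type not in VALID_IDENTITY_TYPES:
        return CheckResult.FAILED, (
            f"identity.type must be one of {sorted(VALID_IDENTITY_TYPES)}, got {id_type!r}"
        )

    if "UserAssigned" in id_type:
        # identity_ids must be a non-empty list of identity resource IDs;
        # a bare string (as in a mistaken identity_ids = "12345") is rejected.
        ids = identity.get("identity_ids", [None])[0]
        if not isinstance(ids, list) or not ids:
            return CheckResult.FAILED, "UserAssigned identity needs a non-empty identity_ids list"

    return CheckResult.PASSED, f"managed identity of type {id_type!r} is configured"


# Constructed sample resource configurations (hypothetical, not from a real deployment).
FAKE_UAMI_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
    "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/example-uami"
)
SAMPLES = {
    "no_identity": {"name": ["example-app"], "location": ["westeurope"]},
    "system_assigned": {"name": ["example-app"], "identity": [{"type": ["SystemAssigned"]}]},
    # identity_ids given as a string: the provider rejects this and so does the check
    "user_assigned_string_ids": {"identity": [{"type": ["UserAssigned"], "identity_ids": ["12345"]}]},
    "user_assigned_list_ids": {
        "identity": [{"type": ["UserAssigned"], "identity_ids": [[FAKE_UAMI_ID]]}]
    },
}


def run_samples() -> dict[str, CheckResult]:
    """Evaluate every sample and return {sample_name: result}."""
    return {name: check_app_service_identity(conf)[0] for name, conf in SAMPLES.items()}


if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        result, reason = check_app_service_identity(conf)
        print(f"{result.value:6} {name}: {reason}")
```

Running the block prints one line per sample; only the configurations with a well-formed identity block pass, which is the same outcome the Checkov check produces for the Terraform snippet above once identity_ids is a list.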
