Ensure App Service is registered with an Azure Active Directory account
Error: App Service is not registered with an Azure Active Directory account
Bridgecrew Policy ID: BC_AZR_IAM_1
Checkov Check ID: CKV_AZURE_16
Severity: MEDIUM
Description
A managed identity for App Service improves security by removing secrets from the application itself, for example the credentials embedded in connection strings. App Service is a highly scalable, self-patching web hosting service in Azure. Enabling a managed identity registers the app as a principal in Azure Active Directory, and App Service then uses that identity as a turnkey way to authenticate to Azure SQL Database and other Azure services; the app never holds a password, and there is nothing for an attacker who reads its configuration to steal.
We recommend enabling a managed identity on every App Service so that the app authenticates to other Azure services through Azure Active Directory without stored usernames and passwords.
Fix - Runtime
Azure Portal
To enable a managed identity using the Azure Portal, follow these steps:
- Log in to the Azure Portal at https://portal.azure.com.
- Navigate to App Services.
- Click each App in turn and:
a) Navigate to the Settings section.
b) Click Identity.
c) Under System assigned, set Status to On and save.
CLI Command
To enable a system-assigned managed identity for an existing app (the "Register with Azure Active Directory" setting), use the following command:
az webapp identity assign --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME>
The command prints the identity's principalId and tenantId. To confirm later that the identity is still enabled, run:
az webapp identity show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME>
An app with no identity returns nothing here, which is the condition this policy flags.
Fix - Buildtime
Terraform
- Resource: azurerm_app_service (the same identity block applies to the newer azurerm_linux_web_app and azurerm_windows_web_app resources)
- Field: identity
resource "azurerm_app_service" "example" {
  ...
+ identity {
+   # "SystemAssigned" needs no identity_ids. "UserAssigned" takes a list of
+   # user-assigned identity resource IDs, not a bare string; this assumes an
+   # azurerm_user_assigned_identity named "example" is defined elsewhere.
+   type         = "UserAssigned"
+   identity_ids = [azurerm_user_assigned_identity.example.id]
+ }
}
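The fix above carried through end to end, as an added example that is not code from this page or from the Checkov project: a Linux web app on the current azurerm_linux_web_app resource with a system-assigned identity, a Key Vault that the identity is allowed only to read, and an app setting that holds a Key Vault reference instead of the connection string itself. This also covers the Portal and CLI steps above, since it produces the same identity they enable. Resource names, the region, the SKU and the db_connection_string variable are assumptions; the identity block is the part CKV_AZURE_16 inspects, and the rest shows what the identity buys you at runtime.

```hcl
provider "azurerm" {
  features {}
}

# Identity of whoever runs terraform; needed so the deployer can write the secret.
data "azurerm_client_config" "current" {}

# The secret never appears in the app configuration; it is injected at apply time.
variable "db_connection_string" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "example" {
  name     = "rg-appservice-identity-example" # assumed name
  location = "westeurope"                      # assumed region
}

resource "azurerm_service_plan" "example" {
  name                = "asp-identity-example" # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Linux"
  sku_name            = "B1" # assumed SKU
}

# The web app. The identity block is what CKV_AZURE_16 looks for;
# "UserAssigned" together with identity_ids would satisfy it as well.
resource "azurerm_linux_web_app" "example" {
  name                = "app-identity-example" # assumed; must be globally unique
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_service_plan.example.location
  service_plan_id     = azurerm_service_plan.example.id

  site_config {}

  identity {
    type = "SystemAssigned"
  }

  # A Key Vault reference, not the connection string itself. App Service
  # resolves it at startup by authenticating to Key Vault with the managed
  # identity, so no credential is stored on the app.
  app_settings = {
    "DB_CONNECTION_STRING" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_conn.id})"
  }
}

resource "azurerm_key_vault" "example" {
  name                = "kv-identity-example" # assumed; must be globally unique
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

# Write access for the deployer only, so the secret can be created.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azurerm_client_config.current.object_id
  secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"]
}

# Least privilege for the app: its managed identity may only read secrets.
resource "azurerm_key_vault_access_policy" "app" {
  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_linux_web_app.example.identity[0].principal_id
  secret_permissions = ["Get", "List"]
}

resource "azurerm_key_vault_secret" "db_conn" {
  name         = "db-connection-string"
  value        = var.db_connection_string
  key_vault_id = azurerm_key_vault.example.id
  depends_on   = [azurerm_key_vault_access_policy.deployer]
}
```

One ordering caveat: the app's access policy can only be created after the app exists, because the system-assigned principal ID is not known before then, so on the very first start the Key Vault reference may show as unresolved until the app restarts. A user-assigned identity created ahead of the app avoids that, at the cost of the extra resource. Running checkov -d . over this directory should report CKV_AZURE_16 as passed for the web app; removing the identity block turns it into the failure this page describes.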