Azure-AppService-Identity-Enabled

Severity: Medium

Description: This control ensures that managed identities are used in web apps. When the system-assigned managed identity is enabled, an identity is created in Azure AD that is tied to the lifecycle of that service instance. Managed identity is not enabled by default when a new app is created using the command-line tool or the Azure Portal, so it is recommended that the app be associated with at least one managed identity.

Remediation Steps:

Perform the following steps to update the App Service configuration:

  1. Login to Azure Portal using https://portal.azure.com.

  2. Go to App Services.

  3. Click the web app to be remediated.

  4. In the left menu, under the Settings section, click the Identity blade.

  5. Follow the below steps to add at least one managed identity to the web app. Either a system-assigned identity, or a user-assigned identity, or both can be added.

  6. Steps to add a system-assigned managed identity:

    • In the System assigned tab, switch Status to On.

    • Click Save.

  7. Steps to add a user-assigned managed identity:

    • In the User assigned tab, click Add.

    • Search for existing managed identities created earlier and select the appropriate one.

    • Click Add.

    • Click Save.

    • If there are no existing managed identities, follow the below steps to create one:

      • Navigate to Managed Identities.

      • Click Add.

      • Select the resource group and region.

      • Enter a name for the new managed identity.

      • Add tags as appropriate.

      • Click on Review and Create.

      • After the new managed identity is created, follow the steps in bullet (7).
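As an added example (not part of the original control text), the following Python evaluates this control against the identity block of a Microsoft.Web/sites resource, such as the JSON printed by az webapp identity show or an ARM export; the sample resources, GUIDs and resource ids are constructed placeholders.

```python
"""Evaluate Azure-AppService-Identity-Enabled against the ``identity`` block of a
Microsoft.Web/sites resource (as returned by ``az webapp identity show``)."""
from typing import Any, Dict, List, Optional

# ARM identity types for Microsoft.Web/sites. Both kinds together are written
# "SystemAssigned, UserAssigned"; "None" or a missing block means no identity.
SYSTEM = "SystemAssigned"
USER = "UserAssigned"

def identity_kinds(identity: Optional[Dict[str, Any]]) -> List[str]:
    """Return the managed identity kinds actually usable on the app."""
    if not identity:
        return []
    kinds = {k.strip() for k in str(identity.get("type") or "None").split(",")}
    present = []
    # Conservative: a system identity without a principalId has not finished
    # provisioning, and a UserAssigned type with an empty map binds nothing.
    if SYSTEM in kinds and identity.get("principalId"):
        present.append(SYSTEM)
    if USER in kinds and identity.get("userAssignedIdentities"):
        present.append(USER)
    return present

def evaluate(app: Dict[str, Any]) -> Dict[str, Any]:
    """Return a finding for one web app: PASS if at least one identity is enabled."""
    kinds = identity_kinds(app.get("identity"))
    return {
        "name": app.get("name", "<unknown>"),
        "control": "Azure-AppService-Identity-Enabled",
        "severity": "Medium",
        "status": "PASS" if kinds else "FAIL",
        "identities": kinds,
    }

# Constructed sample resources; the GUIDs and resource id are placeholders.
MI_ID = ("/subscriptions/<sub>/resourceGroups/rg-web/providers/"
         "Microsoft.ManagedIdentity/userAssignedIdentities/web-mi")
SAMPLE_APPS = [
    {"name": "web-none", "identity": None},
    {"name": "web-stale", "identity": {"type": "UserAssigned", "userAssignedIdentities": {}}},
    {"name": "web-system", "identity": {"type": "SystemAssigned",
     "principalId": "11111111-1111-1111-1111-111111111111", "tenantId": "<tenant>"}},
    {"name": "web-both", "identity": {"type": "SystemAssigned, UserAssigned",
     "principalId": "22222222-2222-2222-2222-222222222222",
     "userAssignedIdentities": {MI_ID: {"clientId": "<client>", "principalId": "<pid>"}}}},
]

if __name__ == "__main__":
    for finding in map(evaluate, SAMPLE_APPS):
        print(f"{finding['status']:4} {finding['name']:12} {', '.join(finding['identities']) or '-'}")
```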

Important:

  • A user-assigned managed identity is created as a standalone resource and can then be assigned to one or more instances of an Azure service.

Reference:

  • What are managed identities for Azure resources?

  • Use of managed identity in web apps

Blue Hexagon Proprietary