Description
Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords.
Rationaleβ
App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.
Auditβ
From Azure Portalβ
- From Azure Portal open the Portal Menu in the top left.
- Go to
App Services. - Click on each App.
- Under the
Settingsection, Click onIdentity. - Under the
System assignedpane, ensure thatStatusset toOn.
From Azure CLIβ
To check Register with Entra ID feature status for an existing app, run the following command:
az webapp identity show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query principalId
The output should return unique Principal ID.
If no output for the above command then Register with Entra ID is not set.
From PowerShellβ
List the web apps:
Get-AzWebApp
For each web app run the following command:
Get-AzWebapp -ResourceGroupName <app resource group> -Name <app name>
Make sure the Identity setting contains a unique Principal ID.
From Azure Policyβ
If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.
- Policy ID: 0da106f2-4ca3-48e8-bc85-c638fe6aea8f - Name:
Function apps should use managed identity - Policy ID: 2b9ad585-36bc-4615-b300-fd4435808332 - Name:
App Service apps should use managed identity
Default Valueβ
By default, Managed service identity via Entra ID is disabled.