Ensure that Register with Azure Active Directory is enabled on App Service

Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in connection strings. When the app service is registered with Azure Active Directory, the app can connect to other Azure services securely without needing usernames and passwords.

Risk Level: Low
Cloud Entity: Web Apps service
CloudGuard Rule ID: D9.AZU.IAM.09
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

WebApp should have inner.identityStatus = true

REMEDIATION

From Portal

  1. Go to 'App Services' from Azure Management console and choose your App Service.
  2. Under 'Settings', select 'Identity' on the navigation menu.
  3. On the 'Identity' panel, select 'On' for the status configuration settings.
  4. Click Save.
  5. In the 'Enable system assigned managed identity' box, click Yes to confirm your action.

Note: By default, the App Service Identity feature is disabled.

From TF
Set the 'type' argument under 'identity' to 'SystemAssigned':

resource "azurerm_app_service" "Example_web_app" {
	# ...
	identity {
		# ...
		type = "SystemAssigned"
		# ...
	}
	# ...
}

From Command Line
Run:

az webapp identity assign --resource-group RESOURCEGROUPNAME --name APPLICATIONSERVICENAME
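
To audit this setting across many apps, the following added example (not CloudGuard's or Microsoft's code) applies the check to JSON shaped like `az webapp list -o json` output and builds the command above for each finding. The sample data is constructed, and treating only a system-assigned identity with a principalId as compliant is an assumption based on the remediation on this page.

```python
import json
import shlex

# Constructed sample shaped like `az webapp list -o json` output, trimmed to
# the fields used here. Names, resource groups and GUIDs are made up.
SAMPLE_WEBAPP_LIST = """
[
  {"name": "shop-api", "resourceGroup": "rg-prod",
   "identity": {"type": "SystemAssigned",
                "principalId": "00000000-0000-0000-0000-000000000001"}},
  {"name": "legacy-site", "resourceGroup": "rg-prod", "identity": null},
  {"name": "batch-ui", "resourceGroup": "rg-dev",
   "identity": {"type": "UserAssigned", "principalId": null}},
  {"name": "portal", "resourceGroup": "rg-dev",
   "identity": {"type": "SystemAssigned, UserAssigned",
                "principalId": "00000000-0000-0000-0000-000000000002"}},
  {"name": "old-admin", "resourceGroup": "rg-dev",
   "identity": {"type": "None", "principalId": null}}
]
"""

def has_system_identity(app):
    """True when the app has a system-assigned identity with a principal."""
    identity = app.get("identity") or {}  # field is null when never enabled
    # "type" may be a combined value such as "SystemAssigned, UserAssigned".
    types = {t.strip().lower() for t in (identity.get("type") or "").split(",")}
    # Assumption: a user-assigned identity alone does not satisfy this rule.
    return "systemassigned" in types and bool(identity.get("principalId"))

def find_noncompliant(webapp_list_json):
    """Return sorted (resourceGroup, name) pairs lacking a system identity."""
    apps = json.loads(webapp_list_json)
    return sorted((a.get("resourceGroup", ""), a["name"])
                  for a in apps if not has_system_identity(a))

def remediation_commands(noncompliant):
    """Build the `az webapp identity assign` command for each finding."""
    return ["az webapp identity assign --resource-group "
            f"{shlex.quote(rg)} --name {shlex.quote(name)}"
            for rg, name in noncompliant]

if __name__ == "__main__":
    for cmd in remediation_commands(find_noncompliant(SAMPLE_WEBAPP_LIST)):
        print(cmd)
```

To run it against a real subscription, pass the output of `az webapp list -o json` to `find_noncompliant` in place of the sample string.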

References

  1. https://docs.microsoft.com/en-us/azure/automation/enable-managed-identity-for-automation
  2. https://docs.microsoft.com/en-us/cli/azure/webapp/identity?view=azure-cli-latest
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity

Web Apps service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark