Managed Service Identities Disabled
More Info:
Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.Risk Level
MediumAddress
SecurityCompliance Standards
SOC2, HIPAA, CISAZURE, CBP, HITRUST, NISTCSF, PCIDSSTriage and Remediation
Remediation
Using Console
Using Console
To remediate the “Managed Service Identities Disabled” misconfiguration in Azure using the Azure console, please follow these steps:
- Open the Azure portal and navigate to the resource group containing the affected Azure service.
- Click on the affected Azure service, and then click on the “Access control (IAM)” menu option.
- Click on the “Add” button to add a new role assignment.
- In the “Add role assignment” blade, select “Contributor” as the role and then select the “Azure resource” option.
- In the “Select” box, search for the name of the affected Azure service and select it.
- Leave the “Assign access to” field as “Azure AD user, group, or service principal” and then click on the “Select” button.
- In the “Select” box, search for the name of the managed identity that needs to be enabled and select it.
- Click on the “Save” button to save the role assignment.
- Verify that the managed identity is now enabled by checking the “Managed identities” blade of the affected Azure service.
- Repeat this process for any other affected Azure services.
Using CLI
Using CLI
To remediate the “Managed Service Identities Disabled” misconfiguration in Azure using Azure CLI, you can follow these steps:
-
Open the Azure CLI and log in to your Azure account using the command
az login. -
Check if Managed Service Identity is enabled for your Azure subscription using the command
az account show --query "isIdentityCrmEnabled". If the output isfalse, it means Managed Service Identity is disabled for your subscription. -
To enable Managed Service Identity for your subscription, use the command
az provider register --namespace Microsoft.ManagedIdentity. -
After the registration is complete, you can create a new Managed Service Identity using the command
az identity create --name <identity-name> --resource-group <resource-group-name>. -
Once the Managed Service Identity is created, you can assign it to your Azure resources using the command
az role assignment create --role <role-name> --assignee <identity-client-id> --scope <resource-id>. -
Replace
<identity-name>,<resource-group-name>,<role-name>,<identity-client-id>and<resource-id>with the actual values for your Azure environment. -
Finally, verify that Managed Service Identity is enabled for your subscription and that the identity is assigned to the correct resources using the command
az identity show --name <identity-name> --resource-group <resource-group-name>.
Using Python
Using Python
To remediate the “Managed Service Identities Disabled” misconfiguration in Azure using Python, follow these steps:These steps will enable managed service identities for all resources in all resource groups in your Azure subscription using Python.
- Import the necessary libraries:
- Set the credentials for your Azure account:
- Create a ResourceManagementClient and an AuthorizationManagementClient:
- Get the list of resource groups in your subscription:
- For each resource group, check if managed service identities are enabled for all resources:
- If managed service identities are not enabled for all resources in a resource group, enable them: