More Info:

Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, HIPAA, CISAZURE, CBP, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the “Managed Service Identities Disabled” misconfiguration in Azure using the Azure console, please follow these steps:
  1. Open the Azure portal and navigate to the resource group containing the affected Azure service.
  2. Click on the affected Azure service, and then click on the “Access control (IAM)” menu option.
  3. Click on the “Add” button to add a new role assignment.
  4. In the “Add role assignment” blade, select “Contributor” as the role and then select the “Azure resource” option.
  5. In the “Select” box, search for the name of the affected Azure service and select it.
  6. Leave the “Assign access to” field as “Azure AD user, group, or service principal” and then click on the “Select” button.
  7. In the “Select” box, search for the name of the managed identity that needs to be enabled and select it.
  8. Click on the “Save” button to save the role assignment.
  9. Verify that the managed identity is now enabled by checking the “Managed identities” blade of the affected Azure service.
  10. Repeat this process for any other affected Azure services.
By following these steps, you can remediate the “Managed Service Identities Disabled” misconfiguration in Azure using the Azure console.

To remediate the “Managed Service Identities Disabled” misconfiguration in Azure using Azure CLI, you can follow these steps:
  1. Open the Azure CLI and log in to your Azure account using the command az login.
  2. Check if Managed Service Identity is enabled for your Azure subscription using the command az account show --query "isIdentityCrmEnabled". If the output is false, it means Managed Service Identity is disabled for your subscription.
  3. To enable Managed Service Identity for your subscription, use the command az provider register --namespace Microsoft.ManagedIdentity.
  4. After the registration is complete, you can create a new Managed Service Identity using the command az identity create --name <identity-name> --resource-group <resource-group-name>.
  5. Once the Managed Service Identity is created, you can assign it to your Azure resources using the command az role assignment create --role <role-name> --assignee <identity-client-id> --scope <resource-id>.
  6. Replace <identity-name>, <resource-group-name>, <role-name>, <identity-client-id> and <resource-id> with the actual values for your Azure environment.
  7. Finally, verify that Managed Service Identity is enabled for your subscription and that the identity is assigned to the correct resources using the command az identity show --name <identity-name> --resource-group <resource-group-name>.
By following these steps, you should be able to remediate the “Managed Service Identities Disabled” misconfiguration in Azure using Azure CLI.
To remediate the “Managed Service Identities Disabled” misconfiguration in Azure using Python, follow these steps:
  1. Import the necessary libraries:
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.authorization import AuthorizationManagementClient
from azure.common.credentials import ServicePrincipalCredentials
  1. Set the credentials for your Azure account:
subscription_id = 'your-subscription-id'
tenant_id = 'your-tenant-id'
client_id = 'your-client-id'
client_secret = 'your-client-secret'

credentials = ServicePrincipalCredentials(
    client_id=client_id,
    secret=client_secret,
    tenant=tenant_id
)
  1. Create a ResourceManagementClient and an AuthorizationManagementClient:
resource_client = ResourceManagementClient(credentials, subscription_id)
auth_client = AuthorizationManagementClient(credentials, subscription_id)
  1. Get the list of resource groups in your subscription:
resource_groups = resource_client.resource_groups.list()
  1. For each resource group, check if managed service identities are enabled for all resources:
for rg in resource_groups:
    rg_name = rg.name
    rg_id = rg.id

    # Check if managed service identities are enabled for all resources in the resource group
    permissions = auth_client.permissions.list_by_resource_group(rg_name)

    for perm in permissions:
        if perm.name == 'Microsoft.ManagedIdentity/userAssignedIdentities':
            if perm.actions == ['*/read']:
                print(f"Managed service identities are enabled for all resources in resource group {rg_name}")
            else:
                print(f"Managed service identities are not enabled for all resources in resource group {rg_name}")
  1. If managed service identities are not enabled for all resources in a resource group, enable them:
for rg in resource_groups:
    rg_name = rg.name
    rg_id = rg.id

    # Check if managed service identities are enabled for all resources in the resource group
    permissions = auth_client.permissions.list_by_resource_group(rg_name)

    for perm in permissions:
        if perm.name == 'Microsoft.ManagedIdentity/userAssignedIdentities':
            if perm.actions != ['*/read']:
                print(f"Enabling managed service identities for all resources in resource group {rg_name}")
                auth_client.permissions.create_or_update(
                    rg_name,
                    'Microsoft.ManagedIdentity/userAssignedIdentities',
                    {
                        'actions': [
                            'Microsoft.ManagedIdentity/userAssignedIdentities/read',
                            'Microsoft.ManagedIdentity/userAssignedIdentities/write',
                            'Microsoft.ManagedIdentity/userAssignedIdentities/delete',
                            'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action'
                        ]
                    }
                )
These steps will enable managed service identities for all resources in all resource groups in your Azure subscription using Python.

Additional Reading: