Azure Introduction
Azure Pricing
Azure Threats
Managed Service Identities Disabled
More Info:
Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, HIPAA, CISAZURE, CBP, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the “Managed Service Identities Disabled” misconfiguration in Azure using the Azure console, please follow these steps:
-
Open the Azure portal and navigate to the resource group containing the affected Azure service.
-
Click on the affected Azure service, and then click on the “Access control (IAM)” menu option.
-
Click on the “Add” button to add a new role assignment.
-
In the “Add role assignment” blade, select “Contributor” as the role and then select the “Azure resource” option.
-
In the “Select” box, search for the name of the affected Azure service and select it.
-
Leave the “Assign access to” field as “Azure AD user, group, or service principal” and then click on the “Select” button.
-
In the “Select” box, search for the name of the managed identity that needs to be enabled and select it.
-
Click on the “Save” button to save the role assignment.
-
Verify that the managed identity is now enabled by checking the “Managed identities” blade of the affected Azure service.
-
Repeat this process for any other affected Azure services.
By following these steps, you can remediate the “Managed Service Identities Disabled” misconfiguration in Azure using the Azure console.
To remediate the “Managed Service Identities Disabled” misconfiguration in Azure using Azure CLI, you can follow these steps:
-
Open the Azure CLI and log in to your Azure account using the command
az login. -
Check if Managed Service Identity is enabled for your Azure subscription using the command
az account show --query "isIdentityCrmEnabled". If the output isfalse, it means Managed Service Identity is disabled for your subscription. -
To enable Managed Service Identity for your subscription, use the command
az provider register --namespace Microsoft.ManagedIdentity. -
After the registration is complete, you can create a new Managed Service Identity using the command
az identity create --name <identity-name> --resource-group <resource-group-name>. -
Once the Managed Service Identity is created, you can assign it to your Azure resources using the command
az role assignment create --role <role-name> --assignee <identity-client-id> --scope <resource-id>. -
Replace
<identity-name>,<resource-group-name>,<role-name>,<identity-client-id>and<resource-id>with the actual values for your Azure environment. -
Finally, verify that Managed Service Identity is enabled for your subscription and that the identity is assigned to the correct resources using the command
az identity show --name <identity-name> --resource-group <resource-group-name>.
By following these steps, you should be able to remediate the “Managed Service Identities Disabled” misconfiguration in Azure using Azure CLI.
To remediate the “Managed Service Identities Disabled” misconfiguration in Azure using Python, follow these steps:
- Import the necessary libraries:
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.authorization import AuthorizationManagementClient
from azure.common.credentials import ServicePrincipalCredentials
- Set the credentials for your Azure account:
subscription_id = 'your-subscription-id'
tenant_id = 'your-tenant-id'
client_id = 'your-client-id'
client_secret = 'your-client-secret'
credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id
)
- Create a ResourceManagementClient and an AuthorizationManagementClient:
resource_client = ResourceManagementClient(credentials, subscription_id)
auth_client = AuthorizationManagementClient(credentials, subscription_id)
- Get the list of resource groups in your subscription:
resource_groups = resource_client.resource_groups.list()
- For each resource group, check if managed service identities are enabled for all resources:
for rg in resource_groups:
rg_name = rg.name
rg_id = rg.id
# Check if managed service identities are enabled for all resources in the resource group
permissions = auth_client.permissions.list_by_resource_group(rg_name)
for perm in permissions:
if perm.name == 'Microsoft.ManagedIdentity/userAssignedIdentities':
if perm.actions == ['*/read']:
print(f"Managed service identities are enabled for all resources in resource group {rg_name}")
else:
print(f"Managed service identities are not enabled for all resources in resource group {rg_name}")
- If managed service identities are not enabled for all resources in a resource group, enable them:
for rg in resource_groups:
rg_name = rg.name
rg_id = rg.id
# Check if managed service identities are enabled for all resources in the resource group
permissions = auth_client.permissions.list_by_resource_group(rg_name)
for perm in permissions:
if perm.name == 'Microsoft.ManagedIdentity/userAssignedIdentities':
if perm.actions != ['*/read']:
print(f"Enabling managed service identities for all resources in resource group {rg_name}")
auth_client.permissions.create_or_update(
rg_name,
'Microsoft.ManagedIdentity/userAssignedIdentities',
{
'actions': [
'Microsoft.ManagedIdentity/userAssignedIdentities/read',
'Microsoft.ManagedIdentity/userAssignedIdentities/write',
'Microsoft.ManagedIdentity/userAssignedIdentities/delete',
'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action'
]
}
)
These steps will enable managed service identities for all resources in all resource groups in your Azure subscription using Python.