End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Use Managed Identities

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Azure AI Services (AI Foundry) instances are using system-assigned and/or user-assigned managed identities in order to allow secure application access to other Microsoft Azure cloud resources such as Azure Storage accounts and Key Vaults. Using managed identities minimizes risks, simplifies management, and maintains compliance with evolving Azure cloud services.

Security
Operational excellence

Using system-assigned and/or user-assigned managed identities for AI Foundry instances enhances security by allowing Azure AI Foundry to authenticate and authorize with other Azure cloud services and resources without the need for explicit credentials. This reduces the risk associated with credential management, allows granular control over access permissions, and provides a seamless and more secure integration with other Microsoft Azure components.


Audit

To determine if your Azure AI Foundry instances are configured to use system-assigned and/or user-assigned managed identities, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure AI Foundry for Value, then choose Apply to list the Azure AI Services (AI Foundry) instances available in the selected subscription.

05 Click on the name (link) of the AI Foundry instance that you want to examine.

06 In the resource navigation panel, under Resource Management, select Identity, and perform the following checks to determine if the selected instance is using managed identities:

  1. Select the System assigned tab and check the configuration setting status available under Status. If Status is set to Off, the selected Azure AI Foundry instance is not using a system-assigned managed identity to authenticate to other Azure services.
  2. Select the User assigned tab and check for any user-assigned managed identities associated with the selected resource. If no user-assigned identities are listed on this page and the following message is displayed instead: No user assigned managed identities found on this resource, the selected Azure AI Foundry instance is not using user-assigned managed identities to authenticate to other Azure services.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure AI Services (AI Foundry) instance available within the current subscription:

az cognitiveservices account list \
	--output table \
	--query '[?(kind==`AIServices`)].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AI Foundry instance identifiers:

Name                               ResourceGroup
-------------------------------    ------------------------------
cc-project5-ai-service-instance    cloud-shell-storage-westeurope
cc-project5-ai-foundry-instance    cloud-shell-storage-westeurope

06 Run cognitiveservices account show command (Windows/macOS/Linux) with the name of the Azure AI Foundry instance that you want to examine and its associated resource group as the identifier parameters, to determine the type of the managed identity configured for the selected instance:

az cognitiveservices account show \
	--name cc-project5-ai-service-instance \
	--resource-group cloud-shell-storage-westeurope \
	--query '{"IdentityType":identity.type}'

07 The command output should return the identity type used by the selected AI Foundry instance:

{
	"IdentityType": "None"
}

If the cognitiveservices account show command output returns "None" or null for the "IdentityType" attribute, as shown in the example above, the selected Azure AI Services (AI Foundry) instance is not using a system-assigned and/or user-assigned managed identity to authenticate to other Azure services.
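The CLI steps above examine one instance at a time. The following script, an added example that is not part of the Trend Vision One documentation, applies the same decision rule to every AI Services (AIServices kind) account in the output of az cognitiveservices account list in one pass. It treats a missing identity block, an identity type of "None", and a "UserAssigned" type with no identities actually attached as non-compliant, and it collects the principal IDs of compliant instances, which are the values the --assignee parameter of az role assignment create takes. The sample input is constructed: the two instance names come from the page, the --live flag, the legacy-instance, empty-uami-instance and example-uami names, and all GUIDs are placeholders.

```python
"""Audit Azure AI Services (AI Foundry) accounts for managed identity use.

Consumes the JSON that `az cognitiveservices account list` prints (one
object per account, each with `kind` and `identity` fields) and flags
AIServices accounts that have no usable managed identity.
"""
import json
import subprocess
import sys

# Constructed sample of `az cognitiveservices account list` output.
# Instance names are from the page; every GUID is a placeholder.
SAMPLE_ACCOUNTS = json.loads(r'''
[
  {"name": "cc-project5-ai-service-instance", "kind": "AIServices",
   "resourceGroup": "cloud-shell-storage-westeurope",
   "identity": {"type": "None", "principalId": null,
                "userAssignedIdentities": null}},
  {"name": "cc-project5-ai-foundry-instance", "kind": "AIServices",
   "resourceGroup": "cloud-shell-storage-westeurope",
   "identity": {"type": "SystemAssigned, UserAssigned",
                "principalId": "1234abcd-1234-abcd-1234-1234abcd1234",
                "userAssignedIdentities": {
                  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/example-uami":
                    {"clientId": "cccccccc-cccc-cccc-cccc-cccccccccccc",
                     "principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}}}},
  {"name": "legacy-instance", "kind": "AIServices",
   "resourceGroup": "rg-example", "identity": null},
  {"name": "empty-uami-instance", "kind": "AIServices",
   "resourceGroup": "rg-example",
   "identity": {"type": "UserAssigned", "principalId": null,
                "userAssignedIdentities": {}}},
  {"name": "openai-only", "kind": "OpenAI", "resourceGroup": "rg-example",
   "identity": {"type": "None"}}
]
''')


def assess_identity(account):
    """Classify one account the way the Audit section does."""
    identity = account.get("identity") or {}          # identity may be null
    raw_type = identity.get("type") or "None"         # type may be null
    # ARM reports both identities as "SystemAssigned, UserAssigned".
    kinds = {part.strip() for part in raw_type.split(",")} - {"None"}
    uami = identity.get("userAssignedIdentities") or {}
    principal_ids = []
    if "SystemAssigned" in kinds and identity.get("principalId"):
        principal_ids.append(identity["principalId"])
    if "UserAssigned" in kinds:
        principal_ids.extend(v["principalId"] for v in uami.values()
                             if v and v.get("principalId"))
        if not uami:
            # The type claims a user-assigned identity but none is attached.
            kinds.discard("UserAssigned")
    return {
        "name": account["name"],
        "resourceGroup": account.get("resourceGroup"),
        "identityType": raw_type,
        "compliant": bool(kinds),
        "principalIds": principal_ids,
    }


def audit(accounts):
    """Assess only AIServices (AI Foundry) accounts, as the page's query does."""
    return [assess_identity(a) for a in accounts if a.get("kind") == "AIServices"]


def fetch_accounts():
    """Run the page's listing command; needs a logged-in Azure CLI."""
    proc = subprocess.run(
        ["az", "cognitiveservices", "account", "list", "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # `--live` (assumed flag) queries the current subscription; otherwise
    # the constructed sample is audited.
    accounts = fetch_accounts() if "--live" in sys.argv else SAMPLE_ACCOUNTS
    for r in audit(accounts):
        status = "OK  " if r["compliant"] else "FAIL"
        print(f"{status} {r['resourceGroup']}/{r['name']} "
              f"identity={r['identityType']} principals={r['principalIds']}")
```

Run it without arguments to see the classification on the sample, or with --live after az account set to audit the active subscription. Each FAIL line corresponds to an instance that the Remediation section's identity assign step would fix.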

Remediation / Resolution

To ensure that your Azure AI Services (AI Foundry) instances are configured to use system-assigned and/or user-assigned managed identities, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Managed Identities blade available at https://portal.azure.com/#browse/Microsoft.ManagedIdentity%2FuserAssignedIdentities.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 Choose Create and perform the following actions to create a new user-assigned managed identity for your Azure cloud resource:

  1. For Basics, choose the correct subscription and resource group, provide a unique name for the new managed identity, then select the Azure region where your AI Foundry instance is deployed. Choose Next to continue the setup process.
  2. For Tags, use the Name and Value fields to create tags that will help organize the identity. Choose Review + create to validate the identity setup.
  3. For Review + create, review the resource configuration details, then choose Create to create your new user-assigned managed identity.

05 Once the new user-assigned managed identity is available, choose Go to resource, select Access control (IAM) from the identity navigation panel, choose Add, select Add role assignment, and perform the following actions to grant least privilege access:

  1. For Role, select the Job function roles tab, and choose the appropriate, non-privileged role that you want to attach. Choose Next to continue the assignment process.
  2. For Members, select Managed identity next to Assign access to, choose Select members next to Members, and select the new user-assigned managed identity created in step no. 4. Choose Next to continue.
  3. For Review + assign, review the role assignment information, then choose Review + assign to complete the assignment process.

06 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

07 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

08 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure AI Foundry for Value, then choose Apply to list the Azure AI Services (AI Foundry) instances available in the selected subscription.

09 Click on the name (link) of the AI Foundry instance that you want to configure.

10 In the resource navigation panel, under Resource Management, select Identity to access the system-assigned managed identity settings.

11 Choose the System assigned tab and select On under Status to enable the system-assigned managed identity for the selected instance. Choose Save and select Yes to confirm the changes. The selected AI Foundry instance is now registered with Microsoft Entra ID, eliminating the need to store credentials in your code. Once the feature is enabled, all necessary permissions can be granted via Azure RBAC.

12 Once the feature is enabled, choose Azure role assignments under Permissions, select Add role assignment (Preview), and perform the following actions to grant least privilege access:

  1. For Scope, select Subscription.
  2. For Subscription, select your Azure cloud subscription.
  3. For Role, select the appropriate, non-privileged role that you want to assign (e.g., "Cognitive Services User" role).
  4. Choose Save to complete the assignment process.

13 Select the User assigned tab, choose Add, select the appropriate Azure subscription from the Select a subscription dropdown list, and choose the user-assigned managed identity created in step no. 4, from the User assigned managed identities list. Choose Add to apply the configuration changes.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure AI Services (AI Foundry) instance available within the current subscription:

az cognitiveservices account list \
	--output table \
	--query '[?(kind==`AIServices`)].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AI Foundry instance identifiers:

Name                               ResourceGroup
-------------------------------    ------------------------------
cc-project5-ai-service-instance    cloud-shell-storage-westeurope
cc-project5-ai-foundry-instance    cloud-shell-storage-westeurope

06 Run cognitiveservices account identity assign command (Windows/macOS/Linux) with the name of the Azure AI Foundry instance that you want to configure and its associated resource group as the identifier parameters, to assign a managed identity to the selected instance:

az cognitiveservices account identity assign \
	--name cc-project5-ai-service-instance \
	--resource-group cloud-shell-storage-westeurope

07 The command output should return the information available for the implemented managed identity:

{
	"principalId": "1234abcd-1234-abcd-1234-1234abcd1234",
	"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"type": "SystemAssigned",
	"userAssignedIdentities": null
}

08 Run role assignment create command (OSX/Linux/UNIX) to add a new role assignment that follows the Principle of Least Privilege (POLP) to your managed identity. Use the --role parameter to specify the name of the non-privileged role that you want to assign. As an example, the following command assigns the "Cognitive Services User" role, which allows you to read and list keys of Cognitive Services. Use the --assignee parameter to specify the ID of the principal for your managed identity (i.e., "principalId" value):

az role assignment create \
	--assignee "1234abcd-1234-abcd-1234-1234abcd1234" \
	--role "Cognitive Services User" \
	--scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"

09 Once the assignment process is completed, the command output should return the information available for the new role assignment:

{
	"condition": null,
	"conditionVersion": null,
	"createdBy": null,
	"createdOn": "2025-09-03T11:05:56.673198+00:00",
	"delegatedManagedIdentityResourceId": null,
	"description": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-1234abcd1234",
	"name": "1234abcd-1234-abcd-1234-1234abcd1234",
	"principalId": "1234abcd-1234-abcd-1234-1234abcd1234",
	"principalType": "ServicePrincipal",
	"roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-1234abcd1234",
	"scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"type": "Microsoft.Authorization/roleAssignments",
	"updatedBy": "1234abcd-1234-abcd-1234-1234abcd1234",
	"updatedOn": "2025-09-03T11:05:56.857206+00:00"
}


Publication date Sep 10, 2025