
Enable Registration with Microsoft Entra ID

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AppService-009

Ensure that registration with Microsoft Entra ID is enabled for Microsoft Azure App Service web applications so that your applications can connect to other Azure cloud services securely without the need for access credentials such as user names, passwords or API keys stored in application code or configuration.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

App Service is a highly scalable, self-patching web hosting service provided by Microsoft Azure. The service can also provide a managed identity for each web application, which is a turn-key way of securing access to other Azure cloud services. A system-assigned managed identity is a service principal that Azure creates in your Microsoft Entra ID tenant and ties to the lifecycle of the web app: the platform issues its tokens, so the application can authenticate to services such as Azure Key Vault and Azure Storage without any credentials stored in application code, configuration files or environment variables. Enabling the identity only registers it; it has no permissions until you grant it Azure RBAC role assignments (or Key Vault access policies) on the target resources, so follow the principle of least privilege when you do.

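The following Python example, added here and not taken from the Conformity page or from Microsoft's SDKs, shows what "without any credentials stored" means in practice. It uses the REST protocol that App Service exposes to a web app whose managed identity is enabled: the platform injects the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables, and the app exchanges them for an access token scoped to the target resource. The Key Vault resource URI, the ManagedIdentityUnavailable error class and the helper names are this example's own choices. If the identity has not been enabled (the condition this rule flags), the two variables are absent and no request can be built; the example turns that into an explicit error instead of silently falling back to a stored secret.

```python
"""Acquire an access token from the App Service managed identity endpoint.

Added example (not Conformity's or Microsoft's code). Assumes the REST
protocol App Service exposes to a web app with a managed identity:
  GET $IDENTITY_ENDPOINT?resource=<resource>&api-version=2019-08-01
  X-IDENTITY-HEADER: $IDENTITY_HEADER
"""
import json
import os
import urllib.parse
import urllib.request

API_VERSION = "2019-08-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # example target resource


class ManagedIdentityUnavailable(RuntimeError):
    """Hypothetical error: the app runs without a managed identity."""


def build_token_request(resource, env=None):
    """Return (url, headers) for a token request.

    `env` defaults to os.environ; it is a parameter so the builder can be
    exercised outside App Service. Raises ManagedIdentityUnavailable when
    the platform did not inject the identity endpoint, i.e. when the
    system-assigned identity is still Off (rule AppService-009).
    """
    env = os.environ if env is None else env
    endpoint = env.get("IDENTITY_ENDPOINT")
    secret = env.get("IDENTITY_HEADER")
    if not endpoint or not secret:
        raise ManagedIdentityUnavailable(
            "IDENTITY_ENDPOINT/IDENTITY_HEADER not set: enable the "
            "system-assigned managed identity on this web app")
    query = urllib.parse.urlencode(
        {"resource": resource, "api-version": API_VERSION})
    # The header value is a per-instance secret issued by the platform; it
    # never leaves the app and is not a credential the team has to manage.
    return f"{endpoint}?{query}", {"X-IDENTITY-HEADER": secret}


def get_token(resource):
    """Call the identity endpoint and return (access_token, expires_on)."""
    url, headers = build_token_request(resource)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    # expires_on is returned as a string of epoch seconds.
    return body["access_token"], int(body["expires_on"])


if __name__ == "__main__":
    token, expires_on = get_token(KEY_VAULT_RESOURCE)
    print(f"token acquired for {KEY_VAULT_RESOURCE}, "
          f"expires_on={expires_on}, length={len(token)}")
```

Run it inside an App Service web app whose system-assigned identity is On; anywhere else the build step raises ManagedIdentityUnavailable. The token is only useful once the identity has been granted access to the target, for example an RBAC role assignment or an access policy on the Key Vault. For a user-assigned identity the same endpoint additionally takes a client_id query parameter to select which identity to use.
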
Audit

To determine if registration with Microsoft Entra ID is enabled for your App Service web applications, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name (link) of the web application that you want to examine.

04 In the navigation panel, under Settings, select Identity to access the managed service identity configuration settings available for the selected application.

05 On the Identity panel, under the System assigned tab, check the Status configuration setting. If Status is Off, no system-assigned managed identity exists and the selected Microsoft Azure App Service web application is not registered with Microsoft Entra ID.

06 Repeat steps no. 3 – 5 for each Azure App Service application deployed within the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications deployed in the current Azure subscription:

az webapp list \
	--query '[*].id'

02 The command output should return the requested application identifiers (IDs):

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-python-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp"
]

03 Run webapp identity show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as identifier parameter and custom query filters to describe the principal object ID of the managed service identity configured for the selected web application:

az webapp identity show \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-python-webapp" \
	--query 'principalId'

04 The command output should return the principal (object) ID of the web application's system-assigned managed identity. If the webapp identity show command returns no output, no system-assigned managed identity exists and the selected Microsoft Azure App Service web application is not registered with Microsoft Entra ID. Note that a web app configured only with a user-assigned managed identity also has a null top-level principalId; run the command without the --query filter and check the type and userAssignedIdentities fields to tell the two cases apart.

05 Repeat steps no. 3 and 4 for each Azure App Service application available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
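
The CLI steps above inspect one web app at a time. The Python script below, an added example rather than Conformity's own checker, applies the same test to the whole output of a single az webapp list call (all apps in the current subscription; run it once per subscription) and prints the remediation command for each failing app. Feed it the output of `az webapp list --query '[].{id:id, name:name, identity:identity}' -o json` on stdin. The three apps embedded in SAMPLE are constructed: they reuse the page's fake identifiers and add a third app, cc-java-webapp, that has only a user-assigned identity. That third case is why the script looks at the type and userAssignedIdentities fields as well as principalId: a query on principalId alone cannot distinguish "no identity at all" from "user-assigned only", and the two warrant different follow-up.

```python
"""Classify `az webapp list` output against the AppService-009 check.

Added example, not part of Conformity or the Azure CLI. Input format is the
JSON produced by:
    az webapp list --query '[].{id:id, name:name, identity:identity}' -o json
"""
import json
import sys

SYSTEM_ASSIGNED = "SystemAssigned"
USER_ASSIGNED = "UserAssigned"


def classify(app):
    """Return 'compliant', 'user-assigned-only' or 'non-compliant'.

    `identity` is null when no managed identity was ever enabled. `type` is
    "SystemAssigned", "UserAssigned", "SystemAssigned, UserAssigned" or
    "None"; only a system-assigned identity carries a top-level principalId.
    """
    identity = app.get("identity") or {}
    kinds = {k.strip() for k in (identity.get("type") or "None").split(",")}
    if SYSTEM_ASSIGNED in kinds and identity.get("principalId"):
        return "compliant"
    if USER_ASSIGNED in kinds and identity.get("userAssignedIdentities"):
        return "user-assigned-only"
    return "non-compliant"


def remediation_command(app_id):
    """The CLI command from the Remediation section, for one web app."""
    return f'az webapp identity assign --ids "{app_id}"'


def audit(apps):
    """Evaluate every app and attach a remediation to each failing one."""
    findings = []
    for app in apps:
        status = classify(app)
        finding = {"id": app["id"], "status": status}
        if status != "compliant":
            finding["remediation"] = remediation_command(app["id"])
        findings.append(finding)
    return findings


# Constructed sample output; subscription and principal IDs are fake.
_PREFIX = ("/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/"
           "cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/")
SAMPLE = [
    {"id": _PREFIX + "cc-python-webapp", "name": "cc-python-webapp",
     "identity": {"type": "SystemAssigned",
                  "principalId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
                  "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
                  "userAssignedIdentities": None}},
    {"id": _PREFIX + "cc-node10-webapp", "name": "cc-node10-webapp",
     "identity": None},
    {"id": _PREFIX + "cc-java-webapp", "name": "cc-java-webapp",
     "identity": {"type": "UserAssigned", "principalId": None,
                  "tenantId": None,
                  "userAssignedIdentities": {
                      "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/"
                      "resourceGroups/cloud-shell-storage-westeurope/providers/"
                      "Microsoft.ManagedIdentity/userAssignedIdentities/cc-uami":
                      {"principalId": "11112222-3333-4444-5555-666677778888",
                       "clientId": "99990000-aaaa-bbbb-cccc-ddddeeeeffff"}}}},
]


if __name__ == "__main__":
    # Use the piped CLI output when present, otherwise the embedded sample.
    apps = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit(apps):
        line = f"{finding['status']:<18} {finding['id']}"
        if "remediation" in finding:
            line += f"\n    {finding['remediation']}"
        print(line)
```

A user-assigned-only app fails this rule as written (no system-assigned identity), but it is not using stored credentials either; review it rather than blindly running the remediation, since adding a system-assigned identity to such an app changes its type to "SystemAssigned, UserAssigned" and may not be what the application expects.
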

Remediation / Resolution

To enable registration with Microsoft Entra ID so that your web applications can securely access other Azure cloud services without credentials stored in the application code, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right web app).

04 In the navigation panel, under Settings, select Identity to access the managed service identity settings available for the selected application.

05 On the Identity panel, under the System assigned tab, set the Status configuration setting to On to enable the system-assigned managed identity and register the selected Azure App Service web application with Microsoft Entra ID. In the Enable system assigned managed identity box, click Yes to confirm your action. Once the identity is enabled, the web application is registered with Microsoft Entra ID and has an object (principal) ID. The identity has no permissions by default: grant it only the role assignments (or Key Vault access policies) it needs on the target cloud services, such as Azure Resource Manager, Azure Key Vault or Azure Storage.

06 Repeat steps no. 3 – 5 for each Azure App Service application that you want to register with Microsoft Entra ID, available within the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp identity assign command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Service application that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right web app) to create a system-assigned managed identity for the selected web application and thereby register it with Microsoft Entra ID. Once registered, grant the identity the role assignments it needs on other cloud services such as Azure Storage, Azure Resource Manager and Azure Key Vault:

az webapp identity assign \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-python-webapp"

02 The command output should return the assigned managed service identity metadata:

{
  "principalId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
  "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
  "type": "SystemAssigned",
  "userAssignedIdentities": null
}

03 Repeat steps no. 1 and 2 for each Azure App Service application that you want to register with Microsoft Entra ID, deployed in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

Publication date Oct 2, 2019