Enable Registration with Microsoft Entra ID

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name (link) of the web application that you want to examine.

04 In the navigation panel, under Settings, select Identity to access the managed service identity configuration settings available for the selected application.

05 On the Identity panel, check the Status configuration setting. If the setting status is Off, the registration using Microsoft Entra ID is not configured for the selected Microsoft Azure App Service web application.

06 Repeat steps no. 3 – 5 for each Azure App Service application deployed within the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions available in your Microsoft Azure cloud account.

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications deployed in the current Azure subscription:

az webapp list
	--query '[*].id'

02 The command output should return the requested application identifiers (IDs):

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-python-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp"
]

03 Run webapp identity show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as identifier parameter and custom query filters to describe the principal object ID of the managed service identity configured for the selected web application:

az webapp identity show
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-python-webapp"
	--query 'principalId'

04 The command output should return the principal object ID of the web application's managed identity. If the webapp identity show command request does not return an output, the registration using Microsoft Entra ID is not configured for the selected Microsoft Azure App Service web application.

05 Repeat step no. 3 and 4 for each Azure App Service application available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right web app).

04 In the navigation panel, under Settings, select Identity to access the managed service identity settings available for the selected application.

05 On the Identity panel, select On for the Status configuration setting to enable system assigned managed identity in order to register the selected Azure App Service web application with Microsoft Entra ID. In the Enable system assigned managed identity box, click Yes to confirm your action. Once the system assigned managed identity is enabled, the selected Azure App Service web application will be registered with Microsoft Entra ID. After being registered, you can safely control its access to other cloud services like Azure Resource Manager, Azure Key Vault, etc.

06 Repeat steps no. 3 – 5 for each Azure App Service application that you want to register with Microsoft Entra ID, available within the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

01 Run webapp identity assign command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Service application that you want to reconfigure as identifier parameter (see Audit section part II to identify the right web app) to assign a managed service identity to the selected web application in order to register it with Microsoft Entra ID. After being registered, you can control the application access to other cloud services such as Azure Storage, Azure Resource Manager and Azure Key Vault:

az webapp identity assign
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-python-webapp"

02 The command output should return the assigned managed service identity metadata:

allowedAudiences": null,
{
  "principalId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
  "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
  "type": "SystemAssigned",
  "userAssignedIdentities": null
}

03 Repeat step no. 1 and 2 for each Azure App Service application that you want to register with Microsoft Entra ID, deployed in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.