
Use System-Assigned Managed Identities for Azure Front Door Profiles

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Front Door profiles are using system-assigned managed identities in order to allow secure application access to other Microsoft Azure cloud resources such as storage accounts and key vaults. Using system-assigned managed identities minimizes risks, simplifies management, and maintains compliance with evolving Azure cloud services.

Security / Operational excellence

A system-assigned managed identity enables Azure Front Door profiles to authenticate to other Azure cloud services without storing credentials in code. With system-assigned managed identities you don't have to secure, manage, and rotate access credentials anymore as these are handled automatically by Microsoft Azure. This offers the benefit of eliminating the need for secret management while also delivering enhanced precision in access control and auditing capabilities.


Audit

To determine if your Azure Front Door profiles are configured to use system-assigned managed identities, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Front Door and CDN profile, and choose Apply to list only the Azure Front Door and CDN profiles available in the selected subscription.

05 Click on the name (link) of the Front Door and CDN profile that you want to examine.

06 In the resource navigation panel, under Security, select Identity to access the identity-based settings configured for the selected profile.

07 Select the System assigned tab and check the configuration setting status available under Status. If Status is set to Off, the selected Microsoft Azure Front Door profile is not using a system-assigned managed identity.

08 Repeat steps no. 5 – 7 for each Azure Front Door profile deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run az afd profile list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Front Door and CDN profile available in the current subscription:

az afd profile list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested profile identifiers:

Name                      ResourceGroup
-----------------         ------------------------------
tm-project5-cdn           cloud-shell-storage-westeurope
tm-web-portal-cdn         cloud-shell-storage-westeurope

03 Run az afd profile show command (Windows/macOS/Linux) with the name of the Azure Front Door and CDN profile that you want to examine and its associated resource group as the identifier parameters, to determine the identity type configured for the selected Front Door profile:

az afd profile show \
  --profile-name tm-project5-cdn \
  --resource-group cloud-shell-storage-westeurope \
  --query 'identity.type'

04 The command output should return the identity type used (system-assigned or user-assigned):

"UserAssigned"

If the az afd profile show command does not return any output, there are no managed identities configured for the selected resource. If the command output is different from "SystemAssigned", the selected Microsoft Azure Front Door profile is not using a system-assigned managed identity.

05 Repeat steps no. 3 and 4 for each Azure Front Door profile available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
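The CLI audit above, steps 1 through 6, wrapped into one script as an added example (this is not Conformity's own code). It assumes the az CLI is installed and signed in, that the hypothetical helper names below are yours to rename, and it generalizes the exact-match rule in step 4 slightly: an identity type of "None" is treated as no identity, and the combined type "SystemAssigned, UserAssigned" is accepted because it still carries a system-assigned identity.

```python
"""Audit Azure Front Door / CDN profiles for a system-assigned managed identity."""
import json
import subprocess


def az(*args):
    """Run an az command and parse its JSON output (empty output -> None)."""
    proc = subprocess.run(["az", *args, "--output", "json"], check=True,
                          capture_output=True, text=True)
    out = proc.stdout.strip()
    return json.loads(out) if out else None


def identity_types(identity):
    """Split an ARM identity 'type' such as 'SystemAssigned, UserAssigned' into a set."""
    if not identity or not identity.get("type"):
        return set()
    return {t.strip() for t in identity["type"].split(",") if t.strip()}


def evaluate_profile(profile):
    """Apply step 4 of the audit to one `az afd profile show` result.

    Returns (compliant, reason). Assumption: 'None' means no identity configured.
    """
    types = identity_types((profile or {}).get("identity"))
    if not types or types == {"None"}:
        return False, "no managed identity configured"
    if "SystemAssigned" not in types:
        return False, "identity type is %s, not SystemAssigned" % ", ".join(sorted(types))
    return True, "system-assigned managed identity enabled"


def audit_subscription(subscription_id):
    """Steps 1-5 for one subscription: list profiles, show each, evaluate each."""
    findings = []
    profiles = az("afd", "profile", "list", "--subscription", subscription_id) or []
    for p in profiles:
        detail = az("afd", "profile", "show", "--subscription", subscription_id,
                    "--profile-name", p["name"], "--resource-group", p["resourceGroup"])
        ok, reason = evaluate_profile(detail)
        findings.append((subscription_id, p["resourceGroup"], p["name"], ok, reason))
    return findings


if __name__ == "__main__":
    # Step 6: repeat across every subscription visible to the signed-in account.
    for sub_id in az("account", "list", "--query", "[].id") or []:
        for _, rg, name, ok, reason in audit_subscription(sub_id):
            print(f"{'PASS' if ok else 'FAIL'}  {sub_id}/{rg}/{name}: {reason}")
```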

Remediation / Resolution

To ensure that your Microsoft Azure Front Door profiles are configured to use system-assigned managed identities, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Front Door and CDN profile, and choose Apply to list only the Azure Front Door and CDN profiles available in the selected subscription.

05 Click on the name (link) of the Front Door and CDN profile that you want to configure.

06 In the resource navigation panel, under Security, select Identity to access the identity-based settings configured for the selected profile.

07 Select the System assigned tab and choose On under Status to enable the system-assigned managed identity for the selected Azure Front Door profile. Choose Save to apply the changes and select Yes for confirmation. The Front Door profile is now registered with Microsoft Entra ID and the managed identity can be configured to allow access to other Azure cloud resources based on your application requirements.

08 Repeat steps no. 5 – 7 for each Azure Front Door profile that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run az afd profile update command (Windows/macOS/Linux) with the name of the Azure Front Door and CDN profile that you want to configure and its associated resource group as the identifier parameters, to enable the system-assigned managed identity for the selected profile:

az afd profile update \
  --profile-name tm-project5-cdn \
  --resource-group cloud-shell-storage-westeurope \
  --identity-type SystemAssigned

02 Once the assignment process is completed, the command output should return the information available for the updated profile:

{
	"extendedProperties": {},
	"frontDoorId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/tm-project5-cdn",
	"identity": {
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"type": "SystemAssigned"
	},
	"kind": "frontdoor",
	"location": "Global",
	"name": "tm-project5-cdn",
	"originResponseTimeoutSeconds": 60,
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"resourceState": "Active",
	"sku": {
		"name": "Premium_AzureFrontDoor"
	},
	"tags": {},
	"type": "Microsoft.Cdn/profiles"
}

03 Repeat steps no. 1 and 2 for each Azure Front Door profile that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

Publication date Aug 26, 2024