
Azure Functions with Admin Privileges

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your functions managed with Microsoft Azure Function App don't have privileged administrative permissions in order to promote the Principle of Least Privilege (POLP) and provide your functions the minimal amount of access required to perform their tasks.

Security
Reliability
Cost optimisation
Performance efficiency
Operational excellence

In Azure RBAC, the privileged administrator roles (Owner, Contributor, User Access Administrator and Role Based Access Control Administrator) grant elevated access: Owner and Contributor can manage every Azure resource within the assignment scope, and Owner, User Access Administrator and Role Based Access Control Administrator can grant roles to other principals. A user-assigned managed identity attached to a Function App should not hold any of these roles. Every piece of code that runs inside the Function App, including third-party dependencies and an attacker who obtains code execution through a vulnerable function, can request an access token for that identity from the app's local identity endpoint without any stored secret, so the blast radius of a compromised function is exactly the set of role assignments held by its identity. Granting admin rights can therefore lead to unintended access, data breaches and misuse. Limiting permissions to the minimum the function needs, at the narrowest scope that works, follows the Principle of Least Privilege and reduces both the attack surface and the potential damage from unauthorized access. The same consideration applies to a system-assigned managed identity enabled on the Function App, even though this rule inspects user-assigned identities.


Audit

To determine if your Azure functions are configured with admin privileges, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Identity to access the identity-based settings configured for the selected Function App resource.

07 Select the User assigned tab and click on the name (link) of the user-assigned managed identity associated with your Function App.

08 In the navigation panel, select Azure role assignments to view the role assignments for the selected identity.

09 Check the Role column to determine if the selected identity has privileged administrator roles such as "Owner", "Contributor", "User Access Administrator", and "Role Based Access Control Administrator". You can also click on the role name to view the role permissions. If one or more privileged administrator roles are assigned to the user-assigned managed identity associated with the Function App, the functions managed with the selected Azure Function App are configured with admin privileges.

10 Repeat steps no. 5 – 9 for each Azure Function App deployed in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run functionapp list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Function App available in the current subscription:

az functionapp list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

03 Run functionapp show command (Windows/macOS/Linux) using the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to describe the user-assigned managed identities associated with the selected Function App (to also check a system-assigned identity, query identity.principalId instead):

az functionapp show \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --query 'identity.userAssignedIdentities'

04 The command output should return the information available for the associated identities (including the identity full ID and the ID of the associated principal):

{
	"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-main-function-identity": {
		"clientId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234"
	}
}

05 Run role assignment list command (Windows/macOS/Linux) using the ID of the principal associated with your user-assigned managed identity (the "principalId" value returned at the previous step) as the identifier parameter to describe the role assignments for the selected principal. The --all flag lists assignments at every scope within the current subscription; add --include-inherited to also show assignments inherited from parent scopes such as management groups:

az role assignment list \
  --assignee abcd1234-abcd-1234-abcd-1234abcd1234 \
  --all

06 The command output should return the role assignments for the selected principal:

[
	{
		"roleDefinitionName": "User Access Administrator",
		"roleDefinitionId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd",
		"condition": null,
		"conditionVersion": null,
		"createdBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
		"createdOn": "2023-09-12T12:35:11.479547+00:00",
		"delegatedManagedIdentityResourceId": null,
		"description": null,
		"name": "1234abcd-1234-abcd-1234-abcd1234abcd",
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"principalName": "1234abcd-1234-abcd-1234-abcd1234abcd",
		"principalType": "ServicePrincipal",
		"resourceGroup": "cloud-shell-storage-westeurope",
		"scope": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-main-function-identity",
		"type": "Microsoft.Authorization/roleAssignments",
		"updatedBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
		"updatedOn": "2023-09-12T12:35:11.479547+00:00"
	},
	{
		"roleDefinitionName": "Owner",
		"roleDefinitionId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd",
		"condition": null,
		"conditionVersion": null,
		"createdBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
		"createdOn": "2023-09-12T13:46:41.674300+00:00",
		"delegatedManagedIdentityResourceId": null,
		"description": null,
		"name": "1234abcd-1234-abcd-1234-abcd1234abcd",
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"principalName": "1234abcd-1234-abcd-1234-abcd1234abcd",
		"principalType": "ServicePrincipal",
		"resourceGroup": "cloud-shell-storage-westeurope",
		"scope": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.managedidentity/userassignedidentities/cc-main-function-identity",
		"type": "Microsoft.Authorization/roleAssignments",
		"updatedBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
		"updatedOn": "2023-09-12T13:46:41.674300+00:00"
	}
]

Check the "roleDefinitionName" attribute value for each role assignment returned by the role assignment list command output to determine if the associated identity has privileged administrator roles such as "Owner", "Contributor", "User Access Administrator", and "Role Based Access Control Administrator". Also note the "scope" of each assignment: a privileged role assigned at subscription or management group scope gives the function control over every resource beneath that scope, which is far worse than the same role on a single resource. If one or more privileged administrator roles are assigned to the user-assigned managed identity associated with the Function App, the functions managed with the selected Azure Function App are configured with admin privileges.

07 Repeat steps no. 3 – 6 for each Azure Function App available within the current Azure subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
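The CLI audit above is tedious to repeat by hand across many Function Apps and subscriptions. The script below is an added example (not Conformity's own code and not part of the Azure CLI) that automates the same steps: it enumerates every subscription, every Function App, each app's managed identities and their role assignments, and flags the privileged administrator roles. It goes slightly beyond the rule by also checking a system-assigned identity when one is enabled. Live mode assumes the az CLI is installed and logged in; the sample data at the bottom is constructed to resemble az output so the detection logic can be exercised offline.

```python
"""Audit Azure Function App managed identities for privileged administrator roles.

Added example, not part of the Conformity page or of the Azure CLI itself. It
scripts the Azure CLI audit steps above across every subscription and, going
beyond the rule, also checks a system-assigned identity if the app has one.
Live mode assumes 'az' is installed and logged in; the sample data at the
bottom is constructed to resemble 'az' output so the logic runs offline.
"""
import json
import shutil
import subprocess

# Roles the Azure portal groups under "Privileged administrator roles".
PRIVILEGED_ROLES = {
    "owner",
    "contributor",
    "user access administrator",
    "role based access control administrator",
}


def az(*args):
    """Run one 'az' command and return its parsed JSON output (live mode only)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else []


def identity_principals(app):
    """Map principalId -> label for every managed identity on a Function App.

    'az functionapp show' reports the system-assigned identity (if enabled) as
    identity.principalId and user-assigned ones keyed by their resource ID.
    """
    identity = app.get("identity") or {}
    principals = {}
    if identity.get("principalId"):
        principals[identity["principalId"]] = "system-assigned"
    for resource_id, props in (identity.get("userAssignedIdentities") or {}).items():
        if props.get("principalId"):
            principals[props["principalId"]] = resource_id.rsplit("/", 1)[-1]
    return principals


def privileged_assignments(assignments):
    """Keep only the role assignments whose role is a privileged administrator role."""
    return [a for a in assignments
            if (a.get("roleDefinitionName") or "").lower() in PRIVILEGED_ROLES]


def audit(apps, assignments_for):
    """Return one finding per (Function App, identity, privileged role assignment).

    'apps' holds 'az functionapp show'-shaped dicts; 'assignments_for(principalId)'
    returns that principal's 'az role assignment list'-shaped output.
    """
    findings = []
    for app in apps:
        for principal_id, label in identity_principals(app).items():
            for a in privileged_assignments(assignments_for(principal_id)):
                findings.append({"functionApp": app["name"], "identity": label,
                                 "principalId": principal_id,
                                 "role": a["roleDefinitionName"], "scope": a["scope"]})
    return findings


def audit_live():
    """Audit every subscription visible to the logged-in account."""
    findings = []
    for sub in az("account", "list", "--query", "[].id"):
        apps = [az("functionapp", "show", "--subscription", sub,
                   "--name", a["name"], "--resource-group", a["resourceGroup"])
                for a in az("functionapp", "list", "--subscription", sub,
                            "--query", "[].{name:name, resourceGroup:resourceGroup}")]
        findings += audit(apps, lambda pid, sub=sub: az(
            "role", "assignment", "list", "--subscription", sub,
            "--assignee", pid, "--all", "--include-inherited"))
    return findings


# Constructed sample: the page's user-assigned identity holding Owner at
# subscription scope, plus a system-assigned identity that holds only Reader.
SAMPLE_SUB = "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd"
SAMPLE_APPS = [{
    "name": "cc-main-function-app",
    "identity": {
        "principalId": "11111111-1111-1111-1111-111111111111",
        "userAssignedIdentities": {
            SAMPLE_SUB + "/resourcegroups/cloud-shell-storage-westeurope/providers/"
            "Microsoft.ManagedIdentity/userAssignedIdentities/cc-main-function-identity": {
                "clientId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
                "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
            }
        },
    },
}]
SAMPLE_ASSIGNMENTS = {
    "abcd1234-abcd-1234-abcd-1234abcd1234": [
        {"roleDefinitionName": "Owner", "scope": SAMPLE_SUB},
        {"roleDefinitionName": "Reader", "scope": SAMPLE_SUB + "/resourceGroups/rg-data"},
    ],
    "11111111-1111-1111-1111-111111111111": [
        {"roleDefinitionName": "Reader", "scope": SAMPLE_SUB + "/resourceGroups/rg-data"},
    ],
}


def audit_sample():
    """Run the audit logic over the constructed sample data."""
    return audit(SAMPLE_APPS, lambda pid: SAMPLE_ASSIGNMENTS.get(pid, []))


if __name__ == "__main__":
    for f in (audit_live() if shutil.which("az") else audit_sample()):
        print(f"{f['functionApp']}: {f['identity']} holds {f['role']} on {f['scope']}")
```

Run it with az logged in to audit the tenant; without az it reports the single sample finding (the user-assigned identity holding Owner at subscription scope). Role names are compared case-insensitively because role definition names are not case-sensitive in Azure, and the principal lookup goes through the identity's principalId rather than its client ID, which is what az role assignment list expects.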

Remediation / Resolution

To ensure that your functions managed with Microsoft Azure Function App are not configured with admin privileges, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Identity to access the identity-based settings configured for the selected Function App resource.

07 Select the User assigned tab and click on the name (link) of the user-assigned managed identity associated with your Function App.

08 In the navigation panel, select Azure role assignments to access the role assignments for the selected identity.

09 Click on the name of the privileged administrator role that you want to remove from your user-assigned managed identity, select the Assignments tab, and choose Remove to delete the role assignment for the managed identity. On the Remove role assignments box, choose Yes for confirmation.

10 To add a new role assignment that follows the Principle of Least Privilege (POLP), choose Access control (IAM) from the navigation panel, choose Add, and select Add role assignment to initiate the assignment process.

11 For Role, select the Job function roles tab, and choose the appropriate, non-privileged role that you want to attach. Choose Next to continue.

12 For Members, choose Managed identity next to Assign access to, choose Select members, and select your user-assigned managed identity. Choose Next to continue.

13 For Review + assign, choose Review + assign to complete the assignment process.

14 Repeat steps no. 5 – 13 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

15 Repeat steps no. 3 – 14 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run role assignment delete command (Windows/macOS/Linux) to remove the privileged administrator role from your user-assigned managed identity, i.e. delete the admin role assignment. Pass the --scope of the assignment exactly as shown in the role assignment list output so that only that one assignment is removed (if the request is successful, the command does not produce an output):

az role assignment delete \
  --assignee abcd1234-abcd-1234-abcd-1234abcd1234 \
  --role "User Access Administrator" \
  --scope /subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-main-function-identity

02 Run role assignment create command (Windows/macOS/Linux) to add a new role assignment that follows the Principle of Least Privilege to your user-assigned managed identity. Use the --role parameter to specify the name of the non-privileged role that you want to assign and --scope to restrict it. Reader is shown only as an illustration: pick the built-in role whose permissions match what the function actually does (for example a data-plane role on the one storage account or key vault it uses) and set --scope to that resource rather than to the whole subscription:

az role assignment create \
  --assignee abcd1234-abcd-1234-abcd-1234abcd1234 \
  --role Reader \
  --scope /subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-main-function-identity

03 Once the assignment process is completed, the command output should return the information available for the new role assignment:

{
	"roleDefinitionName": "Reader",
	"roleDefinitionId": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd",
	"condition": null,
	"conditionVersion": null,
	"createdBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"createdOn": "2023-09-12T13:46:41.674300+00:00",
	"delegatedManagedIdentityResourceId": null,
	"description": null,
	"name": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"principalName": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"principalType": "ServicePrincipal",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"scope": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.managedidentity/userassignedidentities/cc-main-function-identity",
	"type": "Microsoft.Authorization/roleAssignments",
	"updatedBy": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"updatedOn": "2023-09-12T13:46:41.674300+00:00"
}

04 Repeat steps no. 1 – 3 for each Azure Function App that you want to configure, available within the current subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
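Removing role assignments is destructive, and the easy mistake is to replace Owner with Contributor or to grant the new role at subscription scope, which leaves the function just as over-privileged. The following added example (not Conformity's code and not part of the Azure CLI) takes the output of az role assignment list for one identity plus the role and scope you have decided the function really needs, and produces the az role assignment delete and az role assignment create commands of the remediation steps above as a reviewable plan. It refuses to plan a replacement that is itself a privileged administrator role or is wider than a resource group. The sample assignments are constructed from the page's placeholder IDs; the storage account scope and the Storage Blob Data Reader replacement are assumptions for illustration.

```python
"""Plan a least-privilege replacement for a managed identity's admin roles.

Added example, not part of the Conformity page or of the Azure CLI. Given the
output of 'az role assignment list --assignee <principalId> --all' and the
role and scope you have decided the function actually needs, it returns the
'az role assignment delete' and 'az role assignment create' commands of the
remediation steps above. It executes nothing: review the plan, then run it.
The assignments below are constructed; the storage account scope and the
'Storage Blob Data Reader' replacement are assumptions for illustration.
"""
import shlex

# Roles the Azure portal groups under "Privileged administrator roles".
PRIVILEGED_ROLES = {"owner", "contributor", "user access administrator",
                    "role based access control administrator"}


def is_privileged(role_name):
    """Case-insensitive check against the privileged administrator role names."""
    return role_name.lower() in PRIVILEGED_ROLES


def is_broad_scope(scope):
    """True for tenant-root, management-group or whole-subscription scopes."""
    s = scope.lower().rstrip("/")
    return (s == "" or s.startswith("/providers/microsoft.management/")
            or (s.startswith("/subscriptions/") and s.count("/") == 2))


def replacement_is_acceptable(role, scope):
    """Reject a replacement that would just swap one admin grant for another."""
    if is_privileged(role):
        return False, f"{role!r} is itself a privileged administrator role"
    if is_broad_scope(scope):
        return False, f"{scope!r} is wider than a resource group; scope to the resource the function uses"
    return True, "ok"


def assignment_id(a):
    """Full ARM ID of a role assignment; rebuilt from scope+name if 'id' is absent."""
    return a.get("id") or f"{a['scope']}/providers/Microsoft.Authorization/roleAssignments/{a['name']}"


def plan_remediation(principal_id, assignments, new_role, new_scope):
    """Return the 'az' commands that drop privileged roles and grant 'new_role'."""
    ok, reason = replacement_is_acceptable(new_role, new_scope)
    if not ok:
        raise ValueError(reason)
    commands = []
    for a in assignments:
        if is_privileged(a["roleDefinitionName"]):
            # Deleting by full assignment ID removes exactly that assignment,
            # with no assignee/role/scope matching to get wrong.
            commands.append(f"az role assignment delete --ids {shlex.quote(assignment_id(a))}")
    already_granted = any(a["roleDefinitionName"].lower() == new_role.lower()
                          and a["scope"].lower() == new_scope.lower() for a in assignments)
    if not already_granted:
        # --assignee-object-id with --assignee-principal-type skips the Microsoft
        # Graph lookup that --assignee performs, so it also works for a freshly
        # created identity that Graph has not finished replicating yet.
        commands.append("az role assignment create "
                        f"--assignee-object-id {principal_id} "
                        "--assignee-principal-type ServicePrincipal "
                        f"--role {shlex.quote(new_role)} --scope {shlex.quote(new_scope)}")
    return commands


# Constructed sample using the page's placeholder principal and subscription.
SAMPLE_PRINCIPAL = "abcd1234-abcd-1234-abcd-1234abcd1234"
SAMPLE_SUB = "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd"
SAMPLE_RG = SAMPLE_SUB + "/resourceGroups/cloud-shell-storage-westeurope"
SAMPLE_ASSIGNMENTS = [
    {"name": "aaaaaaaa-0000-0000-0000-000000000001", "roleDefinitionName": "Owner", "scope": SAMPLE_SUB},
    {"name": "aaaaaaaa-0000-0000-0000-000000000002", "roleDefinitionName": "User Access Administrator", "scope": SAMPLE_RG},
    {"name": "aaaaaaaa-0000-0000-0000-000000000003", "roleDefinitionName": "Reader", "scope": SAMPLE_RG},
]
# Assumed target: the one storage account the function reads from (hypothetical name).
NEW_ROLE = "Storage Blob Data Reader"
NEW_SCOPE = SAMPLE_RG + "/providers/Microsoft.Storage/storageAccounts/ccmainfunctionstore"


def sample_plan():
    """Plan for the constructed sample: two deletes, then one scoped create."""
    return plan_remediation(SAMPLE_PRINCIPAL, SAMPLE_ASSIGNMENTS, NEW_ROLE, NEW_SCOPE)


if __name__ == "__main__":
    print("\n".join(sample_plan()))
```

Feed it the JSON from the audit step for each identity you flagged, read the printed commands, and only then run them. The non-privileged Reader assignment in the sample is left alone, and a create is skipped when the identity already holds the requested role at the requested scope, so re-running the plan after a partial apply does not produce duplicate assignments.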


Publication date Oct 23, 2023