Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use System-Assigned Managed Identities for Azure Functions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that functions managed with Azure Function App are using system-assigned managed identities in order to allow secure application access to other Microsoft Azure cloud resources such as SQL databases, storage accounts, and key vaults. Using system-assigned managed identities minimizes risks, simplifies management, and maintains compliance with evolving Azure cloud services.

Security
Operational
excellence

A system-assigned managed identity enables functions managed with Azure Function App service to authenticate to other Azure cloud services without storing credentials in code. With system-assigned managed identities you don't have to secure, manage, and rotate access credentials anymore as these are handled automatically by Microsoft Azure. This offers the benefit of eliminating the need for secret management while also delivering enhanced precision in access control and auditing capabilities.

Audit

To determine if your Azure functions are configured to use system-assigned managed identities, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Function App, and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Settings, select Identity to access the identity-based settings configured for the selected Function App resource.

07 Select the System assigned tab and check the configuration setting status available under Status. If Status is set to Off, the functions managed with the selected Azure Function App are not using a system-assigned managed identity.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the current subscription: 

az functionapp list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Function App names: 

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

03 Run functionapp show command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to determine the identity type configured for the selected Function App resource: 

az functionapp show
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --query 'identity.type'

04 The command output should return the identity type used (system-assigned or user-assigned): 

"UserAssigned"

If the functionapp show command does not return an output, the system-assigned managed identity is not enabled for the selected resource. If the command output returns "UserAssigned", as shown in the example above, the functions managed with the selected Azure Function App are not using a system-assigned managed identity.

05 Repeat step no. 3 and 4 for each Azure Function App available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your functions managed with Microsoft Azure Function App are configured to use system-assigned managed identities, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Function App, and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the resource navigation panel, under Settings, select Identity to access the identity-based settings configured for the selected Function App resource.

07 Select the System assigned tab and choose On under Status to enable the system-assigned managed identity for the Azure functions managed with the selected Azure Function App. Choose Save to apply the changes and select Yes for confirmation. The Function App resource is now registered with Microsoft Entra ID and the managed identity can be configured to allow access to other Azure cloud resources based on your application requirements.

08 Repeat steps no. 5 – 7 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run functionapp identity assign command (OSX/Linux/UNIX) with the name of the Azure Function App that you want to configure as the identifier parameter to enable the system-assigned managed identity for the function managed with the specified Azure Function App: 

az functionapp identity assign
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --identities [system]

02 Once the assignment process is completed, the command output should return the information available for the managed identity: 

{
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
	"type": "SystemAssigned",
	"userAssignedIdentities": null
}

03 Repeat steps no. 1 and 2 for each Azure Function App that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 23, 2023

Related Functions rules