|   Trend Micro Cloud One™
Open menu

Enable Registration with Azure Active Directory

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Risk level: Medium (should be achieved)
Rule ID: AppService-009

Ensure that registration with Azure Active Directory (AAD) is enabled for Microsoft Azure App Service web applications so that your applications can connect to other Azure cloud services securely without the need of access credentials such as user names and passwords.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

App Service is a highly scalable and self-patching web hosting service provided by Microsoft Azure. The service also provides a managed identity for your web applications, which is a turn-key solution for securing access to other Azure cloud services. A system assigned managed identity like Azure Active Directory (AAD) enables App Service web applications to authenticate to cloud services such as Azure Key Vault and Azure Storage without the need of storing credentials within the application code.

Audit

To determine if registration with Azure Active Directory is enabled for your App Service web applications, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name (link) of the web application that you want to examine.

04 In the navigation panel, under Settings, select Identity to access the managed service identity configuration settings available for the selected application.

05 On the Identity panel, check the Status configuration setting. If the setting status is Off, the registration using Azure Active Directory (AAD) is not configured for the selected Microsoft Azure App Service web application.

06 Repeat steps no. 3 – 5 for each Azure App Service application deployed within the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications deployed in the current Azure subscription:

az webapp list
	--query '[*].id'

02 The command output should return the requested application identifiers (IDs):

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-python-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp"
]

03 Run webapp identity show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as identifier parameter and custom query filters to describe the principal object ID of the managed service identity configured for the selected web application:

az webapp identity show
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-python-webapp"
	--query 'principalId'

04 The command output should return the principal object ID of the web application's managed identity. If the webapp identity show command request does not return an output, the registration using Azure Active Directory (AAD) is not configured for the selected Microsoft Azure App Service web application.

05 Repeat step no. 3 and 4 for each Azure App Service application available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable registration with Microsoft Azure Active Directory (AAD) so that your web applications can securely access other Azure cloud services without the need of using credentials stored in the application code, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right web app).

04 In the navigation panel, under Settings, select Identity to access the managed service identity settings available for the selected application.

05 On the Identity panel, select On for the Status configuration setting to enable system assigned managed identity in order to register the selected Azure App Service web application with Azure Active Directory (AAD). In the Enable system assigned managed identity box, click Yes to confirm your action. Once the system assigned managed identity is enabled, the selected Azure App Service web application will be registered with Microsoft Azure Active Directory. After being registered, you can safely control its access to other cloud services like Azure Resource Manager, Azure Key Vault, etc.

06 Repeat steps no. 3 – 5 for each Azure App Service application that you want to register with Azure Active Directory (AAD), available within the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp identity assign command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Service application that you want to reconfigure as identifier parameter (see Audit section part II to identify the right web app) to assign a managed service identity to the selected web application in order to register it with Azure Active Directory (AAD). After being registered, you can control the application access to other cloud services such as Azure Storage, Azure Resource Manager and Azure Key Vault:

az webapp identity assign
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-python-webapp"

02 The command output should return the assigned managed service identity metadata:

allowedAudiences": null,
{
  "principalId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
  "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
  "type": "SystemAssigned",
  "userAssignedIdentities": null
}

03 Repeat step no. 1 and 2 for each Azure App Service application that you want to register with Azure Active Directory (AAD), deployed in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Oct 2, 2019

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base


Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Enable Registration with Azure Active Directory

Risk level: Medium