Enable System-Assigned Managed Identities

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: Search-001

Ensure that your Microsoft Azure Search Service instances have system-assigned managed identities enabled in order to allow secure application access to other Azure resources such as storage accounts and key vaults.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

A system-assigned managed identity enables Search Service instances to authenticate to other cloud services without storing credentials in code. Once enabled, all the necessary permissions can be granted via Azure Role-Based Access Control (RBAC). With system-assigned managed identities you don't have to secure and manage access credentials anymore, as these are handled automatically by Microsoft Azure. A Search Service instance can have only one system-assigned managed identity.


Audit

To determine if your Azure Search Service instances are configured to use system-assigned managed identities, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Search Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Search%2FsearchServices.

03 Click on the name of the Search Service instance that you want to examine.

04 In the navigation panel, under Settings, select Identity to access the system-assigned managed identity configuration available for the selected resource.

05 On the Identity page, check the Status configuration setting. If Status is set to Off, the system-assigned managed identity is not enabled for the selected Microsoft Azure Search Service instance.

06 Repeat steps no. 3 – 5 for each Search Service instance available in the selected subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run search service list command (Windows/macOS/Linux) using custom query filters to list the names of all Search Service instances provisioned in the current Azure subscription:

az search service list \
	--resource-group cloud-shell-storage-westeurope \
	--query '[*].name'

02 The command output should return the requested resource names:

[
  "ccsearchserver",
  "ccsearchrepo"
]

03 Run search service show command (Windows/macOS/Linux) using the name of the search instance that you want to examine as identifier parameter and custom query filters, to describe the system-assigned managed identity configuration available for the selected instance:

az search service show \
	--name ccsearchserver \
	--resource-group cloud-shell-storage-westeurope \
	--query '{"ManagedIdentity": identity}'

04 The command output should return the requested configuration information:

{
  "ManagedIdentity": null
}

If the search service show command output returns null as the value for the "ManagedIdentity" attribute, as shown in the example above, the system-assigned managed identity is not enabled for the selected Microsoft Azure Search Service instance.

05 Repeat step no. 3 and 4 for each Search Service instance deployed within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
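The following script, added here as an example rather than code from Conformity or Microsoft, automates steps 1 to 5 above: it evaluates the "identity" attribute that `az search service show` / `az search service list` return and flags every instance whose identity block is null or whose type does not include SystemAssigned. The enumeration helper and the `az` invocation are assumptions; the sample records are constructed to cover the null case quoted above plus the other shapes the attribute can take.

```python
import json
import subprocess
import sys
from typing import Any

# Constructed sample records in the shape of `az search service show` output.
# "ccsearchserver" reproduces the null case shown in the Audit section.
SAMPLE_SERVICES = [
    {"name": "ccsearchserver", "identity": None},
    {"name": "ccsearchrepo", "identity": {"type": "SystemAssigned",
                                          "principalId": "00000000-0000-0000-0000-000000000000"}},
    {"name": "ccsearchlegacy", "identity": {"type": "None"}},
    {"name": "ccsearchmixed", "identity": {"type": "SystemAssigned, UserAssigned"}},
]


def has_system_assigned_identity(service: dict[str, Any]) -> bool:
    """True when the identity block includes a system-assigned identity.

    `identity` is null (or absent) when no identity is enabled; when enabled, `type`
    is "SystemAssigned" or, with a user-assigned identity also attached,
    "SystemAssigned, UserAssigned". Tokens are compared case-insensitively.
    """
    identity = service.get("identity") or {}
    tokens = {t.strip().lower() for t in str(identity.get("type", "")).split(",")}
    return "systemassigned" in tokens


def evaluate(services: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Return (name, verdict) per instance; FAIL means Search-001 is not met."""
    return [(s["name"], "PASS" if has_system_assigned_identity(s) else "FAIL") for s in services]


def _az(*args: str) -> Any:
    # Assumed helper: runs an az CLI command with JSON output (needs an `az login` session).
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def search_services_in_subscription(subscription: str) -> list[dict[str, Any]]:
    """Collect every Search Service in a subscription by listing each resource group."""
    services: list[dict[str, Any]] = []
    for group in _az("group", "list", "--subscription", subscription, "--query", "[].name"):
        services += _az("search", "service", "list", "--resource-group", group,
                        "--subscription", subscription)
    return services


if __name__ == "__main__":
    # Pass a subscription id to audit live; with no argument the constructed sample is evaluated.
    records = search_services_in_subscription(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SERVICES
    for name, verdict in evaluate(records):
        print(f"{verdict}  {name}")
```

Run it once per subscription in your account to cover step 6.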

Remediation / Resolution

To enhance the authentication security and enable system-assigned managed identities for your Microsoft Azure Search Service instances, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Search Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Search%2FsearchServices.

03 Click on the name of the Search Service instance that you want to reconfigure (see Audit section part I to identify the right instance).

04 In the navigation panel, under Settings, select Identity to access the system-assigned managed identity configuration available for the selected resource.

05 On the Identity page, select On next to the Status configuration setting to enable the system-assigned managed identity for your Microsoft Azure Search Service instance. Click Save to apply the changes, then select Yes to confirm the action. Once the system-assigned managed identity is enabled, the selected search instance will be registered with Azure Active Directory (AAD). After being registered, you can control its access to other Azure cloud services such as Azure Key Vault and Azure Storage Account.

06 Repeat steps no. 3 – 5 to enable the system-assigned managed identity for other Azure Search Service instances available in the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run search service update command (Windows/macOS/Linux) using the name of the Microsoft Azure Search Service instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource) to enable the system-assigned managed identity for the selected instance. Once the system-assigned managed identity is enabled, the selected search instance will be registered with Azure Active Directory. After being registered, you can control the resource access to other Azure cloud services such as Azure Key Vault or Azure Resource Manager:

az search service update \
	--name ccsearchserver \
	--resource-group cloud-shell-storage-westeurope \
	--set identity.type="SystemAssigned"

02 The command output should return the reconfigured search instance metadata:

{
  "hostingMode": "default",
  "id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Search/searchServices/ccsearchserver",
  "identity": {
    "principalId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "tenantId": "abcd1234-1234-abcd-1234-abcd1234abcd",
    "type": "SystemAssigned"
  },
  "location": "West Europe",
  "name": "ccsearchserver",
  "partitionCount": 1,
  "provisioningState": "succeeded",
  "replicaCount": 1,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sku": {
    "name": "basic"
  },
  "status": "running",
  "statusDetails": "",
  "tags": {},
  "type": "Microsoft.Search/searchServices"
}

03 Repeat step no. 1 and 2 to enable the system-assigned managed identity for other Azure Search Service instances deployed within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription available in your Microsoft Azure cloud account.


Publication date Dec 2, 2020
