Automatically enable system managed identity for App Service apps with Azure Policy

Automatically enable system managed identity for App Service apps with Azure Policy

A common challenge when updating app service apps with the standard App service ARM template is the mandatory "serverFarmId" property. The policy engine is unable to dynamically extract properties from the resource being evaluated during runtime for deployment, making it infeasible to update any App Service property with the conventional App service ARM template in the deployIfNotExists (DINE) policy.


However, managed identity can be enabled with the Azure PowerShell command: Set-AzWebApp -AssignIdentity. Furthermore, this command can be executed by utilizing a unique resource type known as deploymentScripts. This resource type can run commands/scripts in the deployment section of the DINE policy, thereby enabling managed identity for app services.


Now, let's take a look at the policy definition which enables the system managed identity for Azure App Services, it's necessary to understand its structure and functionality.



{ "mode": "Indexed", "policyRule": { "if": { "allOf": [{ "field": "type", "equals": "Microsoft.Web/sites" } ] }, "then": { "effect": "deployIfNotExists", "details": { "type": "Microsoft.Web/sites/config", "name": "web", "existenceCondition": { "anyOf": [{ "field": "Microsoft.Web/sites/config/managedServiceIdentityId", "exists": "true" }, { "field": "Microsoft.Web/sites/config/xmanagedServiceIdentityId", "exists": "true" } ] }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "", "parameters": { "webAppName": { "type": "string" }, "resourceGroupName": { "type": "string" }, "location": { "type": "string" }, "userAssignedIdentities": { "type": "string" } }, "resources": [{ "type": "Microsoft.Resources/deploymentScripts", "apiVersion": "2020-10-01", "name": "[concat('policyUpdateSystemManagedIdentityFor-', parameters('webAppName'))]", "location": "[parameters('location')]", "kind": "AzurePowerShell", "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[parameters('userAssignedIdentities')]": {} } }, "properties": { "azPowerShellVersion": "11.4", "scriptContent": "param([string] $Name, [string] $ResourceGroupName); Set-AzWebApp -AssignIdentity $true -Name $Name -ResourceGroupName $ResourceGroupName", "arguments": "[concat('-Name', ' ', parameters('webAppName'), ' ', '-ResourceGroupName', ' ', parameters('resourceGroupName'))]", "timeout": "PT30M", "cleanupPreference": "OnSuccess", "retentionInterval": "P1D" } } ] }, "parameters": { "webAppName": { "value": "[field('name')]" }, "resourceGroupName": { "value": "[resourceGroup().name]" }, "location": { "value": "[field('location')]" }, "userAssignedIdentities": { "value": "[parameters('userAssignedIdentities')]" } } } } } } }, "parameters": { "userAssignedIdentities": { "type": "String", "metadata": { "displayName": "userAssignedIdentities", "description": "user Assigned Identity ID with appropriate permission for running the Azure PowerShell command" } } } }



Let's break down the key components of the policy:

In the "if" section, the policy is targeting resources of the type "Microsoft.Web/sites", which refers to Azure App Services. Thus, the policy will only be applied to these resources.


The "details" section outlines the specific operations performed by the policy. Here, the "effect" is set to "deployIfNotExists", indicating that the policy will take action only if the defined conditions are not already met. The "type" and "name" fields specify the resource details that should exist. The "existenceCondition" then checks whether the fields "Microsoft.Web/sites/config/managedServiceIdentityId" and "Microsoft.Web/sites/config/xmanagedServiceIdentityId" already exist. If these fields exist, it implies that Managed Identity is already enabled for the App Service, and the policy doesn't need to take any action.


The "deployment" section provides the details of the action to be taken if the "existenceCondition" is not met. It includes an ARM template that deploys a 'Microsoft.Resources/deploymentScripts' resource. This script will execute the Azure PowerShell command to enable Managed Identity on the App Service.


Before we dive into more details, it's worth noting that this solution can be implemented either from the command-line or from the Azure Portal. The steps below guide you through the command-line process. However, if you prefer using the GUI, you can refer to the following documents for creating managed identity and policy from Azure Portal:


You can follow the steps below to implement this solution from the command-line.


Step 0: Create a User Managed Identity and Assign RBAC Role:

Deployment scripts require a security principal to run Azure CLI/PowerShell commands/scripts.  Therefore, prior to implementing the policy, we need to prepare a user-assigned Managed Identity with the necessary permissions.  This identity will be passed as a policy parameter for script execution. Please note, this identity should not be confused with the system-managed identity utilized for app service apps.


In this example, we will create a new user assigned managed identity and assign it the Contributor role to the scope where we intend to assign the policy.  

  1. Create User Managed Identity:

Open your Azure PowerShell and create a new user managed identity with the following command:

New-AzUserAssignedIdentity -ResourceGroupName <ResourceGroupName> -Name <IdentityName>

Ensure to replace <ResourceGroupName> and <IdentityName> with your resource group name and the desired name for the new identity.

  1. Assign the Contributor Role:

Next, we will assign the Contributor role to this user managed identity. This role allows the identity to manage resources in Azure. Use the following command to assign the role:

New-AzRoleAssignment -ObjectId <PrincipalId> -RoleDefinitionName 'Contributor' -Scope "/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>"

Replace <PrincipalId> with the principal id of the User Managed Identity you just created. Replace <SubscriptionId> and <ResourceGroupName> with your Azure subscription id and resource group name respectively.


Step 1: Create a JSON file:

Create a JSON file and paste the provided JSON policy object in it. You can name the file as per your convenience, let's name it "policy.json".


Step 2: Create a Policy Definition:

Now, create a policy definition using Azure PowerShell with the following command:

New-AzPolicyDefinition -Name 'SystemManagedIdentity' -DisplayName 'Deploy System Managed Identity for Azure App Services' -Description 'This policy deploys system managed identity to Azure App services' -Policy 'policy.json' -Mode Indexed


Step 3: Assign the Policy:

Once the policy is defined, we need to assign it to a scope. This scope could be a management group, subscription, resource group, or individual resources. Use the following command to assign the policy:

New-AzPolicyAssignment -Name 'SystemManagedIdentityAssignment' -Scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}' -PolicyDefinition 'SystemManagedIdentity' -PolicyParameterObject @{ "userAssignedIdentities" = @{ "value" = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{userAssignedManagedIdentityName}" } }

Ensure to replace {subscriptionId}{resourceGroupName} and {userAssignedManagedIdentityName} with your subscription id, resource group name and user assigned managed identity name respectively.



By following these steps, you can enable the system managed identity for Azure App services using a policy. This methodology provides a standardized and automated way to ensure that your Azure App services are always running with system managed identities. It not only helps to eliminate the manual process of enabling managed identities but also reduces the risk of misconfigurations. This, in turn, helps in securing your Azure environment and makes the management of identities simpler and more consistent.

Published on:

Learn more
Azure PaaS Blog articles
Azure PaaS Blog articles

Azure PaaS Blog articles

Share post:

Related posts

Azure Virtual Network Manager (AVNM) Mesh and Direct Connectivity are Generally Available!

Azure Virtual Network Manager's (AVNM) mesh connectivity configuration and direct connectivity option in the hub and spoke connectivity config...

1 hour ago

Azure pricing: How to calculate costs of Azure products and services

In our previous blogs we explained the Azure pricing structure and how customers can estimate their project costs when migrating to Azure or b...

2 hours ago

Azure Pricing: How to estimate Azure project costs

In the previous blog we explained how you can learn about Azure pricing with free services and a pay-as-you-go model. Next, lets understand ho...

2 hours ago

Azure Pricing: How to navigate Azure pricing options and resources

In this blog we discussed customer pricing needs and how they match different phases of the cloud journey, and we provided various tools and r...

2 hours ago

Azure pricing: How to optimize costs for your Azure workloads

In our previous blogs we explained the Azure pricing structure, how customers can calculate their costs when migrating or building in Azure, a...

3 hours ago

Building Course Registration Project with Azure SQL Database

This semester long project was completed by Master’s students at Cornell University with mentorship from the Azure SQL database product ...

1 day ago

June patches for Azure DevOps Server

This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server. The following version of the product has been pat...

1 day ago

General availability of Azure WAF Bot Manager1.1 Ruleset

Today, we are launching the general availability of Bot Manager1.1 ruleset in Azure WAF integrated with Azure Front Door. Bot Manager1.1 exte...

2 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy