Control: App Service apps should use managed identity

Description

Use a managed identity for enhanced authentication security.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.appservice_web_app_uses_managed_identity

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.appservice_web_app_uses_managed_identity --share

SQL

This control uses a named query:

with all_web_app as (
  select
    id
  from
    azure_app_service_web_app
  where
    exists (
      select
      from
        unnest(regexp_split_to_array(kind, ',')) elem
      where
        elem like 'app%'
  )
)
select
  a.id as resource,
  case
    when b.id is null then 'skip'
    when
      configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null
      or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.id is null then a.title || ' is ' || a.kind || ' kind.'
    when
      configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null
      or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null
      then a.name || ' uses managed identity.'
    else a.name || ' not uses managed identity'
  end as reason
  
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_app_service_web_app as a
  left join all_web_app as b on a.id = b.id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;

Control: App Service apps should use managed identity

Description

Usage

SQL

Tags