
Use Managed Identities for Azure Front Door Profiles

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Front Door (AFD) profiles are using system-assigned and/or user-assigned managed identities in order to allow secure application access to other Microsoft Azure cloud resources such as Azure Storage accounts and Key Vaults. Using system-assigned managed identities minimizes risks, simplifies management, and maintains compliance with evolving Azure cloud services.

Security, Operational excellence

Using system-assigned and/or user-assigned managed identities for AFD profiles enhances security by allowing Azure Front Door to authenticate and authorize with other Azure cloud services and resources without the need for explicit credentials. This reduces the risk associated with credential management, allows granular control over access permissions, and provides a seamless and more secure integration with other Microsoft Azure components.


Audit

To determine if your Azure Front Door profiles are configured to use system-assigned and/or user-assigned managed identities, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Front Door for Value, then choose Apply to list the Azure Front Door (AFD) profiles available in the selected subscription.

05 Click on the name (link) of the AFD profile that you want to examine.

06 In the resource navigation panel, under Settings, select Identity, and perform the following checks to determine if the selected AFD profile is using managed identities:

  1. Select the System assigned tab and check the configuration setting status available under Status. If Status is set to Off, the selected Azure Front Door profile is not using a system-assigned managed identity.
  2. Select the User assigned tab and check for any user-assigned managed identities associated with the selected resource. If no user identities are listed on this page and the following message is displayed instead: No user assigned managed identities found on this resource, the selected Azure Front Door profile is not using user-assigned managed identities.

07 Repeat steps no. 5 and 6 for each Azure Front Door profile available in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run afd profile list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Front Door (AFD) profile available within the current subscription:

az afd profile list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AFD profile identifiers:

Name                       ResourceGroup
-----------------------    ------------------------------
cc-project5-afd-profile    cloud-shell-storage-westeurope
cc-web-cdn-afd-profile     cloud-shell-storage-westeurope

06 Run az afd profile show command (Windows/macOS/Linux) with the name of the Azure Front Door profile that you want to examine and its associated resource group as the identifier parameters, to determine the type of the managed identity (i.e. system-assigned and/or user-assigned) configured for the selected AFD profile:

az afd profile show
	--profile-name cc-project5-afd-profile
	--resource-group cloud-shell-storage-westeurope
	--query '{"IdentityType":identity.type}'

07 The command output should return the identity type used by the selected AFD resource:

{
	"IdentityType": null
}

If the afd profile show command output returns null for the "IdentityType" attribute, as shown in the example above, the selected Microsoft Azure Front Door profile is not using a system-assigned and/or user-assigned managed identity to authenticate to other Azure cloud services.

08 Repeat steps no. 6 and 7 for each Azure Front Door profile available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
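The CLI audit above, automated across subscriptions (an added example, not code from the Conformity page or from Trend Micro): it assumes the az CLI is installed and logged in for `--live` mode, and otherwise evaluates constructed sample output shaped like the page's `az afd profile show` results. `identity_kinds` handles a null `identity` and all four `identity.type` values, so a profile whose type reads UserAssigned but carries an empty identity map is still reported as non-compliant.

```python
"""Evaluate 'az afd profile show' output for managed identity use. Assumes the az CLI is
installed and logged in for --live mode; the samples below are constructed, not real."""
import json
import subprocess
import sys

# Constructed samples shaped like the page's CLI output (resource IDs are placeholders).
SAMPLE_NO_IDENTITY = {"name": "cc-project5-afd-profile", "identity": None}
SAMPLE_USER_ASSIGNED = {"name": "cc-web-cdn-afd-profile", "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {"/PLACEHOLDER-RESOURCE-ID/cc-project5-afd-user-identity": {}}}}

def az(*args):
    """Run an az CLI command and parse its JSON output (None when it prints nothing)."""
    proc = subprocess.run(["az", *args, "--output", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None

def identity_kinds(profile):
    """Set of managed identity kinds an AFD profile actually uses.
    'identity' may be missing or null; 'type' may be 'None', 'SystemAssigned', 'UserAssigned'
    or 'SystemAssigned, UserAssigned'. UserAssigned with an empty identity map counts as none."""
    identity = profile.get("identity") or {}
    kinds = {part.strip() for part in (identity.get("type") or "None").split(",")}
    kinds.discard("None")
    if "UserAssigned" in kinds and not identity.get("userAssignedIdentities"):
        kinds.discard("UserAssigned")
    return kinds

def is_compliant(profile):
    """True when the profile uses at least one managed identity (the check on this page)."""
    return bool(identity_kinds(profile))

def audit_subscription(subscription_id):
    """Audit steps 3-8 for one subscription: list of (name, resourceGroup, kinds)."""
    subprocess.run(["az", "account", "set", "--subscription", subscription_id], check=True)
    findings = []
    for p in az("afd", "profile", "list"):
        full = az("afd", "profile", "show", "--profile-name", p["name"],
                  "--resource-group", p["resourceGroup"])
        findings.append((p["name"], p["resourceGroup"], identity_kinds(full)))
    return findings

def report(sub, name, rg, kinds):
    status = "OK" if kinds else "NON-COMPLIANT"
    print(f"{sub}\t{rg}\t{name}\t{status}\t{','.join(sorted(kinds)) or '-'}")

if __name__ == "__main__":
    if "--live" in sys.argv:   # steps 1-9 across every subscription in the account
        for sub in az("account", "list", "--query", "[*].id"):
            for name, rg, kinds in audit_subscription(sub):
                report(sub, name, rg, kinds)
    else:                      # offline: evaluate the constructed samples
        for sample in (SAMPLE_NO_IDENTITY, SAMPLE_USER_ASSIGNED):
            report("sample", sample["name"], "n/a", identity_kinds(sample))
```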

Remediation / Resolution

To ensure that your Microsoft Azure Front Door profiles are configured to use system-assigned and/or user-assigned managed identities, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Managed Identities blade available at https://portal.azure.com/#browse/Microsoft.ManagedIdentity%2FuserAssignedIdentities.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 Choose Create and perform the following actions to create a new user-assigned managed identity for your Azure resource:

  1. For Basics, choose the correct subscription and resource group, provide a unique name for the new managed identity, then select the Azure region where your Azure Front Door profile is deployed. Choose Next to continue the setup process.
  2. For Tags, use the Name and Value fields to create tags that will help organize the identity. Choose Review + create to validate the identity setup.
  3. For Review + create, review the resource configuration details, then choose Create to create your new user-assigned managed identity.

05 Once the new managed identity is available, choose Go to resource, select Access control (IAM) from the identity navigation panel, choose Add, select Add role assignment, and perform the following actions to grant least privilege access:

  1. For Role, select the Job function roles tab, and choose the appropriate, non-privileged role that you want to attach. Choose Next to continue the assignment process.
  2. For Members, select Managed identity next to Assign access to, choose Select members next to Members, and select the new user-assigned managed identity created in step no. 4. Choose Next to continue.
  3. For Review + assign, review the role assignment information, then choose Review + assign to complete the assignment process.

06 Sign in to the Microsoft Azure Portal.

07 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

08 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

09 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Front Door for Value, then choose Apply to list the Azure Front Door (AFD) profiles available in the selected subscription.

10 Click on the name (link) of the AFD profile that you want to configure.

11 In the resource navigation panel, under Settings, select Identity, and perform the following actions to enable system-assigned and user-assigned managed identities for the selected Azure Front Door profile:

  1. Choose the System assigned tab and select On under Status to enable the system-assigned managed identity for the selected AFD profile. Choose Save and select Yes to confirm the changes. The selected Front Door profile is now registered with Microsoft Entra ID, eliminating the need to store credentials in your code. Once the feature is enabled, all necessary permissions can be granted via Azure RBAC.
  2. Select the User assigned tab, choose Add, select the appropriate Azure subscription from the Select a subscription dropdown list, and choose the user-assigned managed identity created earlier in the Remediation process, from the User assigned managed identities list. Choose Add to apply the configuration changes.

12 Repeat steps no. 10 and 11 for each Azure Front Door profile that you want to configure, available in the selected Azure subscription.

13 Repeat steps no. 3 – 12 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run afd profile list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Front Door (AFD) profile available within the current subscription:

az afd profile list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AFD profile identifiers:

Name                       ResourceGroup
-----------------------    ------------------------------
cc-project5-afd-profile    cloud-shell-storage-westeurope
cc-web-cdn-afd-profile     cloud-shell-storage-westeurope

06 Run az afd profile update command (Windows/macOS/Linux) with the name of the Azure Front Door profile that you want to configure and its associated resource group as the identifier parameters, to enable the system-assigned managed identity for the selected AFD profile:

az afd profile update
	--profile-name cc-project5-afd-profile
	--resource-group cloud-shell-storage-westeurope
	--identity-type SystemAssigned

07 Once the assignment process is completed, the command output should return the information available for the updated AFD profile:

{
	"extendedProperties": {},
	"frontDoorId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/cc-project5-afd-profile",
	"identity": {
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"type": "SystemAssigned"
	},
	"kind": "frontdoor",
	"location": "Global",
	"name": "cc-project5-afd-profile",
	"originResponseTimeoutSeconds": 60,
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"resourceState": "Active",
	"sku": {
		"name": "Premium_AzureFrontDoor"
	},
	"tags": {},
	"type": "Microsoft.Cdn/profiles"
}

08 Run identity create command (Windows/macOS/Linux) to create a new user-assigned managed identity for your Microsoft Azure Front Door profile:

az identity create
	--name cc-project5-afd-user-identity
	--resource-group cloud-shell-storage-westeurope
	--location westeurope

09 The command output should return the information available for the new user-assigned managed identity:

{
	"clientId": "1234abcd-1234-abcd-1234-1234abcd1234",
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-afd-user-identity",
	"location": "westeurope",
	"name": "cc-project5-afd-user-identity",
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"systemData": null,
	"tags": {},
	"tenantId": "1234abcd-1234-abcd-1234-1234abcd1234",
	"type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}

10 Run role assignment create command (Windows/macOS/Linux) to add a new role assignment that follows the Principle of Least Privilege (POLP) to your new user-assigned managed identity. Use the --role parameter to specify the name of the non-privileged role that you want to assign. Use the --assignee parameter to specify the ID of the principal for your new user-assigned managed identity (i.e., the "principalId" value):

az role assignment create
	--assignee "abcd1234-abcd-1234-abcd-1234abcd1234"
	--role Reader
	--scope "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234"

11 Once the assignment process is completed, the command output should return the information available for the new role assignment:

{
	"condition": null,
	"conditionVersion": null,
	"createdBy": null,
	"createdOn": "2025-07-30T12:33:24.315860+00:00",
	"delegatedManagedIdentityResourceId": null,
	"description": null,
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-1234abcd1234",
	"name": "1234abcd-1234-abcd-1234-1234abcd1234",
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"principalType": "ServicePrincipal",
	"roleDefinitionId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
	"scope": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234",
	"type": "Microsoft.Authorization/roleAssignments",
	"updatedBy": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"updatedOn": "2025-07-29T12:00:00.629870+00:00"
}

12 Run az afd profile update command (Windows/macOS/Linux) to associate the new user-assigned managed identity with your Microsoft Azure Front Door profile:

az afd profile update
	--profile-name cc-project5-afd-profile
	--resource-group cloud-shell-storage-westeurope
	--identity "{ \"type\": \"UserAssigned\", \"userAssignedIdentities\": { \"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-afd-user-identity\": {} } }"

13 Once the assignment process is completed, the command output should return the information available for the updated AFD profile:

{
	"extendedProperties": {},
	"frontDoorId": "1234abcd-1234-abcd-1234-1234abcd1234",
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/cc-project5-afd-profile",
	"identity": {
		"tenantId": "1234abcd-1234-abcd-1234-1234abcd1234",
		"type": "UserAssigned",
		"userAssignedIdentities": {
			"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-user-identity": {
				"clientId": "1234abcd-1234-abcd-1234-1234abcd1234",
				"principalId": "1234abcd-1234-abcd-1234-1234abcd1234"
			}
		}
	},
	"kind": "frontdoor",
	"location": "Global",
	"name": "cc-project5-afd-profile",
	"originResponseTimeoutSeconds": 60,
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"resourceState": "Active",
	"sku": {
		"name": "Premium_AzureFrontDoor"
	},
	"tags": {},
	"type": "Microsoft.Cdn/profiles"
}

14 Repeat steps no. 6 – 13 for each Azure Front Door profile that you want to configure, available within the current subscription.

15 Repeat steps no. 3 – 14 for each subscription created in your Microsoft Azure cloud account.

Publication date Aug 26, 2024