
Use User-Assigned Managed Identities for Azure Functions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that functions managed with Azure Function App are using user-assigned managed identities for fine-grained control over access permissions.

Security
Operational excellence

In Azure cloud, user-assigned managed identities support a broader range of roles than just "Read-Only", "Contributor", and "Owner". Azure functions should therefore use user-assigned managed identities to gain granular control over access permissions, integrate with existing identity systems, and meet specific application requirements. User-assigned managed identities offer flexibility in managing identities and access control for functions managed with Azure Function App, allowing fine-grained customization based on individual needs.


Audit

To determine if your Azure functions are configured to use user-assigned managed identities, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Function App, and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Identity to access the identity-based settings configured for the selected Function App resource.

07 Select the User assigned tab and check for any user-assigned managed identities listed on this panel. If there are no managed identities available and the Azure Console shows No results, the functions managed with the selected Microsoft Azure Function App are not using user-assigned managed identities.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the current subscription:

az functionapp list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

03 Run functionapp show command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to determine the identity type configured for the selected Function App resource:

az functionapp show \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --query 'identity.type'

04 The command output should return the identity type used (user-assigned or system-assigned):

"SystemAssigned"

If the functionapp show command does not return an output, there are no user-assigned managed identities configured for the selected resource. If the command output returns "SystemAssigned", as shown in the example above, the functions managed with the selected Azure Function App are not using user-assigned managed identities.

05 Repeat steps no. 3 and 4 for each Azure Function App available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your functions managed with Microsoft Azure Function App are configured to use user-assigned managed identities, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Function App, and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the navigation panel, under Settings, select Identity to access the identity-based settings configured for the selected Function App resource.

07 Select the User assigned tab and choose Add from the top menu to add your user-assigned managed identity to the selected Function App resource.

08 Select your Azure subscription from the Select a subscription dropdown list and choose the user-assigned managed identity that you want to assign to your functions within the selected Azure Function App, from the User assigned managed identities list. Select the appropriate identity and choose Add to apply the changes.

09 Repeat steps no. 5 – 8 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run functionapp identity assign command (OSX/Linux/UNIX) with the name of the Azure Function App that you want to configure as the identifier parameter to assign your user-assigned managed identity to the Azure functions managed with the specified Azure Function App:

az functionapp identity assign \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --identities "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-function-app-managed-identity"

02 Once the assignment process is completed, the command output should return the information available for the managed identity:

{
	"principalId": null,
	"tenantId": null,
	"type": "UserAssigned",
	"userAssignedIdentities": {
		"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-function-app-managed-identity": {
			"clientId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
			"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234"
		}
	}
}

03 Repeat steps no. 1 and 2 for each Azure Function App that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
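The Azure CLI audit and remediation steps above can be scripted against the `identity` block that `az functionapp show` returns. The following is an added example, not part of the Conformity page or the Azure CLI: it classifies each Function App from a constructed sample of `identity` output (made-up app names; the identity resource ID is reused from the remediation example above) and emits the `az functionapp identity assign` command for every non-compliant app. It also handles the case the audit text does not spell out: an app with both identity types reports `"SystemAssigned, UserAssigned"` and is compliant, while a null identity block is not.

```python
import json

# Resource ID of the user-assigned identity, taken from the page's remediation example.
IDENTITY_ID = ("/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/"
               "cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/"
               "userAssignedIdentities/cc-function-app-managed-identity")

# Constructed sample of `az functionapp show --query identity` output for three
# made-up Function Apps. A null identity block means no managed identity at all.
SAMPLE_IDENTITIES = json.loads("""{
  "cc-main-function-app": {"type": "SystemAssigned",
      "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234", "userAssignedIdentities": null},
  "cc-project5-function-app": null,
  "cc-project7-function-app": {"type": "SystemAssigned, UserAssigned",
      "userAssignedIdentities": {"%s": {"clientId": "1234abcd-abcd-1234-abcd-abcd1234abcd"}}}
}""" % IDENTITY_ID)


def uses_user_assigned_identity(identity) -> bool:
    """True if the app has at least one user-assigned managed identity.

    Checks the userAssignedIdentities map before the type string, so the combined
    "SystemAssigned, UserAssigned" type passes and a null identity block fails.
    """
    if not identity:
        return False
    if identity.get("userAssignedIdentities"):
        return True
    types = {t.strip() for t in (identity.get("type") or "").split(",")}
    return "UserAssigned" in types


def remediation_command(app: str, resource_group: str, identity_id: str) -> str:
    """Build the `az functionapp identity assign` call from the Remediation section."""
    return (f"az functionapp identity assign --name {app} "
            f"--resource-group {resource_group} --identities \"{identity_id}\"")


def audit(identities: dict, resource_group: str, identity_id: str):
    """Return ({app: status}, [remediation commands for every non-compliant app])."""
    report, fixes = {}, []
    for app, ident in identities.items():
        compliant = uses_user_assigned_identity(ident)
        report[app] = "compliant" if compliant else "non-compliant"
        if not compliant:
            fixes.append(remediation_command(app, resource_group, identity_id))
    return report, fixes
```

In practice, feed `audit` the output of `az functionapp show --query identity` for each app returned by `az functionapp list`, and review the generated commands before running them.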

Publication date Oct 23, 2023