Custom Deny Policy for WebApps without a Managed Identity configured

RJS 0 Reputation points
2023-09-15T13:40:50.22+00:00

When trying to author a custom policy which should deny any App Service (function/webapp) from being created or modified without a managed identity I am seeing issues when modifying any parameters within the App Service "Configuration" blade.

The custom policy is copied from similar built-in Deny policies with the same intention, for other Azure services:

"policyRule": {
  "if": {
    "anyOf": [
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "anyOf": [
              {
                "field": "identity.type",
                "exists": "false"
              },
              {
                "field": "identity.type",
                "equals": "None"
              }
            ]
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

*Note - the policy has the "anyOf" block here because I was originally testing with other services but shortened the policy for testing when I noticed this issue.

The policy works as expected in that I am unable to create a new App Service without specifying a System/User Assigned Identity. I am also unable to remove the managed identity so this works well.

The problem arises when I try to modify any properties of my app services under the Configuration blade. For example - adding a new application setting is denied by the above policy; changing my deployment settings or HTTP version is also denied. This makes the above policy impossible to implement, as users will be unable to work with App Services.

Has anyone come across the same? Is this the reason why there is no built-in policy to deny this in the first place, or is it just a bug with the way configuration changes are handled by the Microsoft.Web API?

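To make the symptom in the question concrete, here is an added example (not from the post and not the Azure Policy engine): a small Python evaluator for the subset of policy-language conditions the rule uses, run over constructed request bodies. It assumes, as a hypothesis consistent with the behaviour described above, that a Configuration-blade save arrives as a PUT on the Microsoft.Web/sites resource whose body omits the "identity" block, so the "identity.type exists false" branch matches even though the identity on the existing site is untouched.

```python
# The questioner's rule, reproduced from the post without the outer anyOf wrapper.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Web/sites"},
        {"anyOf": [
            {"field": "identity.type", "exists": "false"},
            {"field": "identity.type", "equals": "None"},
        ]},
    ]},
    "then": {"effect": "deny"},
}

def get_field(body, path):
    """Resolve a dotted field alias against a request body; None if absent."""
    cur = body
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def evaluate(cond, body):
    """Evaluate allOf / anyOf / equals / exists the way the rule above uses them."""
    if "allOf" in cond:
        return all(evaluate(c, body) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, body) for c in cond["anyOf"])
    value = get_field(body, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:  # Azure Policy string comparison is case-insensitive
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(body, rule=POLICY_RULE):
    """Return 'deny' when the rule's condition matches the request body, else 'allow'."""
    return rule["then"]["effect"] if evaluate(rule["if"], body) else "allow"

# Constructed request bodies (not captured from Azure).
CREATE_WITH_MI = {"type": "Microsoft.Web/sites", "identity": {"type": "SystemAssigned"}}
CREATE_NO_MI = {"type": "Microsoft.Web/sites", "properties": {"httpsOnly": True}}
# Hypothesis: a Configuration-blade save is a PUT on the site with no "identity" block.
CONFIG_PUT_NO_IDENTITY = {"type": "Microsoft.Web/sites",
                          "properties": {"siteConfig": {"http20Enabled": True}}}
# A request addressed to the child config resource has a different "type" and never matches.
CHILD_CONFIG_PUT = {"type": "Microsoft.Web/sites/config", "name": "appsettings"}
```

The third body is denied for the same reason as the second, which is the behaviour the question reports; the fourth shows that only requests carrying the parent site type are in scope for this rule.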

1 answer

    Jesse Loudon 326 Reputation points MVP
    2023-09-18T12:26:57.6133333+00:00

    With the possibility that this is a bug with the resource provider, to get an official response from the team you can log an issue here against their GitHub repo: https://github.com/Azure/azure-policy/issues

    As you mention, there is no existing built-in policy to deny or even deploy/modify a managed identity for this resource type, so there could be an underlying limitation as you've discovered.

    This builtin I found uses an AuditIfNotExists effect. https://www.azadvertizer.net/azpolicyadvertizer/2b9ad585-36bc-4615-b300-fd4435808332.html

    {
      "displayName": "App Service apps should use managed identity",
      "policyType": "BuiltIn",
      "mode": "Indexed",
      "description": "Use a managed identity for enhanced authentication security",
      "metadata": { "version": "3.0.0", "category": "App Service" },
      "parameters": {
        "effect": {
          "type": "String",
          "metadata": {
            "displayName": "Effect",
            "description": "Enable or disable the execution of the policy"
          },
          "allowedValues": ["AuditIfNotExists", "Disabled"],
          "defaultValue": "AuditIfNotExists"
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Web/sites" },
            { "field": "kind", "notContains": "functionapp" }
          ]
        },
        "then": {
          "effect": "[parameters('effect')]",
          "details": {
            "type": "Microsoft.Web/sites/config",
            "name": "web",
            "existenceCondition": {
              "anyOf": [
                {
                  "field": "Microsoft.Web/sites/config/managedServiceIdentityId",
                  "exists": "true"
                },
                {
                  "field": "Microsoft.Web/sites/config/xmanagedServiceIdentityId",
                  "exists": "true"
                }
              ]
            }
          }
        }
      }
    }

    Similar story with this builtin, which also uses the AuditIfNotExists effect: https://www.azadvertizer.net/azpolicyadvertizer/0da106f2-4ca3-48e8-bc85-c638fe6aea8f.html

    {
      "displayName": "Function apps should use managed identity",
      "policyType": "BuiltIn",
      "mode": "Indexed",
      "description": "Use a managed identity for enhanced authentication security",
      "metadata": { "version": "3.0.0", "category": "App Service" },
      "parameters": {
        "effect": {
          "type": "String",
          "metadata": {
            "displayName": "Effect",
            "description": "Enable or disable the execution of the policy"
          },
          "allowedValues": ["AuditIfNotExists", "Disabled"],
          "defaultValue": "AuditIfNotExists"
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Web/sites" },
            { "field": "kind", "contains": "functionapp" },
            { "field": "kind", "notContains": "workflowapp" }
          ]
        },
        "then": {
          "effect": "[parameters('effect')]",
          "details": {
            "type": "Microsoft.Web/sites/config",
            "name": "web",
            "existenceCondition": {
              "anyOf": [
                {
                  "field": "Microsoft.Web/sites/config/managedServiceIdentityId",
                  "exists": "true"
                },
                {
                  "field": "Microsoft.Web/sites/config/xmanagedServiceIdentityId",
                  "exists": "true"
                }
              ]
            }
          }
        }
      }
    }