How can I change the identity of the IIS application pool to Local System for an application deployed on Azure App Service

Liuchunyu03 (BYS) 20 Reputation points
2023-09-22T03:39:37.8566667+00:00

Hi there,

Is there any way to change IIS application pool Identity to Local System that deployed on Azure App Service?

Thanks

Chunyu


2 answers

  1. TP 79,076 Reputation points
    2023-09-22T04:51:44.4+00:00

    Hi Chunyu,

    If you run your web app in a Windows container, you may be able to modify the container so that the application pool runs under LocalSystem. For example, you would download one of the Windows Server container images, run it on your machine, use PowerShell to change the app pool identity to run as LocalSystem, commit the changes, upload the image to Azure Container Registry, then use this image for your Web App.

    Configure a custom container for Azure App Service

    https://learn.microsoft.com/en-us/azure/app-service/configure-custom-container?tabs=debian&pivots=container-windows

    The article below documents processModel.identityType, which is what would need to be modified to 0 for LocalSystem:

    https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/add/processmodel#configuration

    Something like: Set-ItemProperty IIS:\AppPools\DefaultAppPool -Name processModel.identityType -Value 0

    I've not tested the above customizations, so you would need to give it a try.

    When not running in a container, App Service Web Apps run in a sandbox and have very restricted access to their environment. You definitely would not be able to run under Local System when running in the sandbox.

    Please click Accept Answer if the above was helpful.

    Thanks.

    -TP

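The container customization TP describes, written out as an added example that is not part of TP's answer and not Microsoft's own tooling. It is a PowerShell script meant to run inside a Windows Server IIS container (an image derived from mcr.microsoft.com/windows/servercore/iis, where the WebAdministration module is present). It wraps the same Set-ItemProperty change with a read-back check, and adds a report that lists every pool's identity so that a pool running as LocalSystem is visible before the image is committed and pushed. The pool name, registry name and image tag are assumptions; the read-back relies on the IIS provider returning the identity as its friendly name or its numeric value, and the check accepts either.

```powershell
# Added example, not code from TP's answer or from Microsoft. Run inside a
# Windows Server IIS container where the WebAdministration module is available.
# Pool name, registry name and image tag below are assumptions.
Import-Module WebAdministration

# Documented processModel.identityType values (see the IIS reference TP linked).
$IdentityTypes = @{
    LocalSystem             = 0
    LocalService            = 1
    NetworkService          = 2
    SpecificUser            = 3
    ApplicationPoolIdentity = 4   # IIS default and the least-privilege choice
}

function Get-AppPoolIdentityReport {
    # One row per application pool. ElevatedRisk flags pools running as
    # LocalSystem, which has unrestricted access to everything in the container.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $identity = "$((Get-ItemProperty "IIS:\AppPools\$($_.Name)" -Name processModel).identityType)"
        [pscustomobject]@{
            Pool         = $_.Name
            Identity     = $identity
            ElevatedRisk = ($identity -in @('LocalSystem', '0'))
        }
    }
}

function Set-AppPoolIdentity {
    param(
        [Parameter(Mandatory)] [string] $PoolName,
        [Parameter(Mandatory)]
        [ValidateSet('LocalSystem', 'LocalService', 'NetworkService', 'ApplicationPoolIdentity')]
        [string] $Identity
    )
    # Same change as TP's one-liner, using the numeric value the IIS schema documents.
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.identityType -Value $IdentityTypes[$Identity]

    # Read the setting back so the image build fails loudly if the change did not take.
    # The provider may report the friendly name or the number, so accept either.
    $actual = "$((Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel).identityType)"
    if ($actual -ne $Identity -and $actual -ne "$($IdentityTypes[$Identity])") {
        throw "Expected $PoolName to run as $Identity but IIS reports '$actual'"
    }
    $actual
}

# Usage inside the container, as the question asks, followed by the report so
# the elevated pool is recorded before the container is committed:
Set-AppPoolIdentity -PoolName 'DefaultAppPool' -Identity 'LocalSystem'
Get-AppPoolIdentityReport | Format-Table -AutoSize

# On the host afterwards (placeholder names), following the steps TP outlines:
#   docker commit <running-container-id> myregistry.azurecr.io/iis-custom-pool:1.0
#   docker push myregistry.azurecr.io/iis-custom-pool:1.0
# then configure the Web App to use that image as a custom container.
```

Keeping the report in the build script gives a recorded, reviewable statement of which pool was elevated and why; the same function run with ApplicationPoolIdentity restores the default if the elevated identity turns out not to be needed.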

  2. brtrach-MSFT 15,356 Reputation points Microsoft Employee
    2023-09-25T03:04:42.4066667+00:00

    @Liuchunyu03 (BYS) To add to the great answer TP shared, I am sharing a second method.

    To change the identity of the IIS application pool to Local System for an application deployed on Azure App Service, you can follow the steps below:

    1. Open the Azure portal and navigate to your App Service.
    2. Click on the "Configuration" blade.
    3. Scroll down to the "Application settings" section and click on "New application setting".
    4. In the "Name" field, enter "WEBSITE_RUN_FROM_PACKAGE".
    5. In the "Value" field, enter "1".
    6. Click on "Save" to save the new application setting.
    7. Restart your App Service.

    After restarting your App Service, the IIS application pool identity will be set to Local System.

    Please note that changing the IIS application pool identity to Local System is not recommended for security reasons. It is recommended to use a custom identity with the least privileges required for your application to function properly.
