Skip to content

Web App has registration with AD enabled

Default Severity: low

Explanation

Registering the identity used by an App with AD allows it to interact with other services without using username and password

Possible Impact

Interaction between services can't easily be achieved without username/password

Suggested Resolution

Register the app identity with AD

Insecure Example

The following example will fail the azure-appservice-account-identity-registered check.

 resource "azurerm_app_service" "bad_example" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
   app_service_plan_id = azurerm_app_service_plan.example.id
 }

Secure Example

The following example will pass the azure-appservice-account-identity-registered check.

 resource "azurerm_app_service" "good_example" {
   name                = "example-app-service"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name
   app_service_plan_id = azurerm_app_service_plan.example.id

   identity {
     type = "UserAssigned"
     identity_ids = "webapp1"
   }
 }