Disabling Managed Identities can reduce an organization’s ability to protect itself against configuration faults and credential leaks.
Authenticating to an Azure resource via a managed identity relies solely on an API call with a non-secret token. The process is internal to Azure:
the secrets Azure uses are never exposed to end users.
Without managed identities, credentials are typically handled by hand, which can lead to their being left in code bases by mistake.
Configuration faults can also occur when these values are stored or when permissions are assigned to them.
By handling Azure Active Directory authentication transparently, Managed Identities remove the need for day-to-day credential
management.
Ask Yourself Whether
The resource:
- Needs to authenticate to Azure resources that support Azure Active Directory (AAD).
- Uses a different Access Control system that doesn’t guarantee the same security controls as AAD, or no Access Control system at all.
There is a risk if you answered yes to all of those questions.
Recommended Secure Coding Practices
Enable the Managed Identities capabilities of this Azure resource. If supported, use a System-Assigned managed identity, as:
- It cannot be shared across resources.
- Its life cycle is deeply tied to the life cycle of its Azure resource.
- It provides a unique independent identity.
Alternatively, User-Assigned Managed Identities can also be used but don’t guarantee the properties listed above.
Sensitive Code Example
Using ARM templates:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.ApiManagement/service",
      "apiVersion": "2022-09-01-preview",
      "name": "apiManagementService"
    }
  ]
}
Using Bicep:
resource sensitiveApiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
  name: 'apiManagementService'
  // Sensitive: no Managed Identity is defined
}
Compliant Solution
Using ARM templates:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.ApiManagement/service",
      "apiVersion": "2022-09-01-preview",
      "name": "apiManagementService",
      "identity": {
        "type": "SystemAssigned"
      }
    }
  ]
}
Using Bicep:
resource sensitiveApiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
  name: 'apiManagementService'
  identity: {
    type: 'SystemAssigned'
  }
}
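A check that applies this rule to ARM templates in a CI pipeline, added here as an example and not part of the rule or of any Azure tooling. It flags in-scope resources with no identity block or identity.type of None as sensitive, and user-assigned-only identities for review; the set of resource types it inspects is an assumption to be extended to the identity-capable types you actually deploy.

```python
import json

# Constructed inline samples: the sensitive and compliant ARM resources from this rule.
SENSITIVE_TEMPLATE = """{"resources": [
  {"type": "Microsoft.ApiManagement/service", "apiVersion": "2022-09-01-preview",
   "name": "apiManagementService"}
]}"""
COMPLIANT_TEMPLATE = """{"resources": [
  {"type": "Microsoft.ApiManagement/service", "apiVersion": "2022-09-01-preview",
   "name": "apiManagementService", "identity": {"type": "SystemAssigned"}}
]}"""

# Assumption: the resource types this check applies to. Extend with the
# managed-identity-capable types used in your own templates.
IDENTITY_CAPABLE_TYPES = {"Microsoft.ApiManagement/service"}


def _walk(resources):
    """Yield every resource, including child resources nested under 'resources'."""
    for resource in resources:
        yield resource
        yield from _walk(resource.get("resources", []))


def identity_findings(template_text, capable_types=IDENTITY_CAPABLE_TYPES):
    """Return (name, severity, message) for each in-scope resource whose managed
    identity is disabled ('sensitive') or only user-assigned ('review')."""
    findings = []
    for resource in _walk(json.loads(template_text).get("resources", [])):
        if resource.get("type") not in capable_types:
            continue
        name = resource.get("name", "<unnamed>")
        identity = resource.get("identity")
        if identity is None:
            findings.append((name, "sensitive", "no 'identity' block: managed identity is disabled"))
            continue
        # ARM accepts "SystemAssigned", "UserAssigned", "SystemAssigned, UserAssigned" or "None".
        kind = identity.get("type", "None")
        kinds = {part.strip() for part in kind.split(",")}
        if kind == "None":
            findings.append((name, "sensitive", "identity.type is 'None': managed identity is disabled"))
        elif "SystemAssigned" not in kinds:
            findings.append((name, "review", f"identity.type is '{kind}': prefer SystemAssigned"))
    return findings


if __name__ == "__main__":
    for template in (SENSITIVE_TEMPLATE, COMPLIANT_TEMPLATE):
        print(identity_findings(template) or "no findings")
```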
See