Azure MSI & Policy Governance

Last few weeks I have been really pushing customers to use Azure Managed Service Identity (MSI) as much as possible, assuming the MSI capability exists with the Azure service. Note, not all Azure services support MSI’s today, however for the most part all services do support the traditional Service Principal (SP).

If are are unclear what the difference is between an SP and MSI is, I would welcome you to visit the following link HERE.

With that said, how do we ensure as services are deployed and are leveraging MSIs and not SPs? Azure Policy! Simple right? Yes, it really is. Below is a list of policies that exist today, however this list will continue to grow as more Azure services incorporate MSIs. And of course, if you’re willing, you can always create your own custom policy to ensure the Azure service is using an MSI. Note, the policies availability and the Azure services that support MSIs, is not 1:1. There are more services that support MSIs, than the out of the box policies that support MSIs today. If you are not willing to wait for Microsoft to push out new policies, then you should go ahead and create your own.

Once you have selected the policy, enabled/enforced it, you can now track to see if (for example, Azure Function), if a new Function is deployed and it is not using an MSI, it will be flagged, or you can go further and reject the deployment if it is not using an MSI.

Below is a link that provides which Azure services support MSI’s as of today. Note, this list will only continue to grow. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.