
Question - how to handle inactive managed identities deployed by ALZ-Bicep

Open MarcoJanse opened this issue 1 year ago • 6 comments

Let us know the feedback or general question

I am looking for some guidance in the documentation to handle inactive identities created by ALZ-Bicep for remediating policies as they pop up in the Defender for Cloud recommendations as inactive identities.

When I deploy all the custom policy assignments from ALZ-Bicep, a lot of system managed identities are created to remediate these policies. However, Defender for Cloud reports a lot of these identities as medium severity: Permissions of inactive identities in your Azure subscription should be revoked. Some are even marked as critical, due to their assigned permissions. This alert gets triggered according to this description in Defender for Cloud:

Microsoft Defender for Cloud discovered an identity that has not performed any action on any resource within your Azure subscription in the past 45 days. It is recommended to revoke permissions of inactive identities, in order to reduce the attack surface of your cloud environment.

Some of these identities are not used at the moment, as I don't have these types of resources deployed in my Landing Zone, but this could always change in the future. Others I haven't needed to remediate anything with in the past 45 days, but they might be needed again in the future.

For example: the system managed identity Deploy-VMSS-Monitoring is deployed by a policy definition and creates a system managed identity, but is never used.

I suppose removing these permissions would remediate the issue or I could make exemptions for all these identities, but I'm looking for some best practice guidance on this matter.

Code of Conduct

  • [x] I agree to follow this project's Code of Conduct

MarcoJanse avatar Nov 11 '24 13:11 MarcoJanse

Hi @MarcoJanse,

The managed identities used by Deploy-VMSS-Monitoring and other monitoring assignments, along with Change Tracking and MDFC Defender SQL, are specifically utilized to configure the Azure Monitoring Agent (AMA).

Based on your response, it sounds like the primary recommendation you’re seeing is: Permissions of inactive identities in your Azure subscription should be revoked, with this secondary one: Azure Security Recommendation Details.

For the subscriptions where you're receiving these recommendations, I assume there are no virtual machines, virtual machine scale sets, or SQL virtual machines, which would align with what you're seeing. Alternatively, it could be that these resources are already configured for AMA and are simply in a standby state. Would you mind confirming if either of those scenarios align with your subscriptions?

oZakari avatar Nov 12 '24 04:11 oZakari

Sorry for the delay. Your assumption is partly correct. I have indeed no Virtual Machine scale sets in these subscriptions, so the Deploy-VMSS-Monitoring managed identity is currently not used. However, I also seem to be getting these alerts on managed identities that have been inactive for more than 45 days, as there was nothing to remediate for resources I do have.

I hope this helps.

MarcoJanse avatar Nov 18 '24 20:11 MarcoJanse

Hi @MarcoJanse, thank you for the clarification. Since the identities are necessary for the policies to configure the Azure Monitoring Agent at scale, they will need to remain in place unless you’d prefer to utilize a different approach for associating the applicable resources with the data collection rules, by potentially running scripts on a schedule.

Alternatively, you could add an exemption for the MDFC to account for these specific policy-related identities. While the MDFC recommendations are advisory, the identities have a valid use case—they are in place to support new resources as they come online.

Regarding the privileged identities recommendations you've received, we can explore options to address this by either creating custom roles tailored to the required permissions or identifying a built-in role with fewer privileges (if available) to better align with the principle of least privilege.

@arjenhuitema please provide any additional context if needed.

oZakari avatar Nov 22 '24 17:11 oZakari
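To act on the least-privilege point above you first need an inventory of which policy assignments carry a system-assigned identity and which RBAC roles each of those identities holds. The script below is an added example, not code from ALZ-Bicep or the commenters: it parses constructed JSON in the shape of `az policy assignment list` and `az role assignment list --all` output and flags identities holding broad roles (Owner, Contributor, User Access Administrator); the assignment name `Deploy-MDFC-DefSQL-AMA`, the principal IDs and the scopes are constructed placeholders.

```python
import json

# Constructed sample in the shape of `az policy assignment list` (trimmed to the
# fields used here). Deploy-VMSS-Monitoring is the name discussed in the thread;
# the other two names are made up for the example.
POLICY_ASSIGNMENTS = json.loads("""[
 {"name": "Deploy-VMSS-Monitoring",
  "identity": {"type": "SystemAssigned", "principalId": "11111111-1111-1111-1111-111111111111"}},
 {"name": "Deploy-MDFC-DefSQL-AMA",
  "identity": {"type": "SystemAssigned", "principalId": "22222222-2222-2222-2222-222222222222"}},
 {"name": "Audit-Only-Example", "identity": null}
]""")

# Constructed sample in the shape of `az role assignment list --all`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_ASSIGNMENTS = json.loads(f"""[
 {{"principalId": "11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Contributor", "scope": "{SUB}"}},
 {{"principalId": "11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Log Analytics Contributor", "scope": "{SUB}"}},
 {{"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Virtual Machine Contributor", "scope": "{SUB}"}}
]""")

# Roles broad enough to warrant a review: a DeployIfNotExists remediation identity
# can usually be scoped to a narrower built-in or custom role than these.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def summarize_policy_identities(assignments, role_assignments):
    """Map each policy assignment's managed identity to its RBAC roles and flag
    the ones holding a broad role, to drive exemption and role-scoping decisions."""
    roles_by_principal = {}
    for ra in role_assignments:
        roles_by_principal.setdefault(ra["principalId"], set()).add(ra["roleDefinitionName"])
    report = []
    for pa in assignments:
        ident = pa.get("identity") or {}
        pid = ident.get("principalId")
        if not pid:
            continue  # no managed identity, e.g. audit-only effects
        roles = sorted(roles_by_principal.get(pid, set()))
        report.append({
            "assignment": pa["name"],
            "principalId": pid,
            "roles": roles,
            "privileged": bool(PRIVILEGED_ROLES & set(roles)),
        })
    return report


if __name__ == "__main__":
    for row in summarize_policy_identities(POLICY_ASSIGNMENTS, ROLE_ASSIGNMENTS):
        print(row)
```

Against a real subscription, replace the two constants with the output of the two `az` commands named above; identities that are both flagged here and listed as inactive by Defender are the first candidates for a narrower role.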

Closing as not planned for the time being. If we get additional requests, we can bring this back up for discussion.

oZakari avatar Apr 22 '25 22:04 oZakari

@oZakari @MarcoJanse I am experiencing the same issues. Do you have a solution to automate excluding/exempting these identities for the CIEM/Entra Permission Management policies at scale? As far as I know this can only be done in the Azure Portal and not via code (Azure CLI, Bicep etc.).

We have a lot of subscriptions (80+) and approximately 20-40 (managed) identities that need to be excluded from each subscription because of false positives for one of the CIEM policies. That would be 800+ clicks to achieve this, which is unworkable.

I found the Bicep API for Microsoft.Security.standardAssignments: Microsoft.Security/standardAssignments - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn

However, it does not seem possible to specify the identities that the exemption/standard assignment applies to via Bicep. In the Azure Portal these are referred to as identity conditions.


neok-g avatar Oct 22 '25 09:10 neok-g

Hi @neok-g, thanks for sharing your experience as well. We have discussed this internally and will be looking into options to set up the exclusions at scale.

oZakari avatar Oct 27 '25 19:10 oZakari