Ensure Managed Identities Are Used for Function Apps

Managed identities let Azure Function Apps access Azure resources without storing client secrets, passwords, or long-lived credentials in app settings. A function without managed identity is more likely to rely on static credentials, which increases the impact of configuration disclosure, log leakage, and source-code exposure.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

1 query

Asset types

1 covered

Overview

Use a system-assigned identity for one-to-one lifecycle binding with the Function App, or a user-assigned identity when the same workload identity must be shared deliberately across apps.

Remediation guidance

Remediation

Enable a managed identity for the Function App and migrate dependent Azure resource access away from static credentials. Grant only the minimum roles required by the function.

Azure CLI

Enable a system-assigned managed identity:

az functionapp identity assign \
  --resource-group {{asset.azureResourceGroup}} \
  --name {{asset.name}}

Capture the assigned principal ID for role assignment planning:

az functionapp identity show \
  --resource-group {{asset.azureResourceGroup}} \
  --name {{asset.name}} \
  --query principalId \
  --output tsv

Grant least-privilege access to the required resource scope. Replace {{manual.principalId}} with the principal ID captured above, and {{manual.roleName}} and {{manual.scope}} with the approved role and resource scope.

az role assignment create \
  --assignee-object-id {{manual.principalId}} \
  --assignee-principal-type ServicePrincipal \
  --role "{{manual.roleName}}" \
  --scope "{{manual.scope}}"

Rollout guidance

  1. Inventory app settings and Key Vault references used by the function.
  2. Replace secrets with managed identity authentication in SDKs or service clients.
  3. Remove obsolete secrets after successful deployment and monitor for authentication failures.
  4. Prefer narrow data-plane roles over broad subscription-level roles.

References

  • https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity
  • https://learn.microsoft.com/en-us/cli/azure/functionapp/identity

Query logic

These are the stored checks tied to this control.

Azure Function Apps without managed identity

Connectors

Microsoft Azure

Covered asset types

FunctionApp

Expected check: eq []

{
  functionApps(where: { managedIdentities_NONE: {} }) {
    ...AssetFragment
  }
}
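The stored check above flags Function Apps whose managedIdentities list is empty, and rollout step 4 asks for narrow data-plane roles over broad subscription-level ones. The following added example (not Cyscale's or Microsoft's code) evaluates both over a constructed inventory shaped like the identity block that az functionapp identity show returns and the records that az role assignment list returns; all names, IDs and scopes are hypothetical.

```python
# Constructed sample inventory (hypothetical apps, IDs and scopes).
# Each "identity" block has the shape returned by `az functionapp identity show`.
FUNCTION_APPS = [
    {"name": "fn-orders", "identity": {"type": "SystemAssigned",
        "principalId": "11111111-1111-1111-1111-111111111111",
        "userAssignedIdentities": None}},
    {"name": "fn-billing", "identity": {"type": "UserAssigned", "principalId": None,
        "userAssignedIdentities": {
            "/subscriptions/sub0/resourceGroups/rg-shared/providers/Microsoft.ManagedIdentity"
            "/userAssignedIdentities/uai-billing":
                {"principalId": "22222222-2222-2222-2222-222222222222"}}}},
    {"name": "fn-legacy", "identity": None},                 # never assigned
    {"name": "fn-reports", "identity": {"type": "None",      # assigned, then removed
        "principalId": None, "userAssignedIdentities": None}},
]

# Constructed role assignments in the shape of `az role assignment list` output.
ROLE_ASSIGNMENTS = [
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/sub0/resourceGroups/rg-orders/providers"
              "/Microsoft.Storage/storageAccounts/stordersdata"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub0"},
]

def has_managed_identity(app):
    """True when a system-assigned identity or at least one user-assigned identity is attached."""
    identity = app.get("identity") or {}
    if "SystemAssigned" in (identity.get("type") or ""):
        return True
    return bool(identity.get("userAssignedIdentities"))

def noncompliant_function_apps(apps):
    """Same condition as the stored query (managedIdentities_NONE); the control passes when this is []."""
    return [a["name"] for a in apps if not has_managed_identity(a)]

def scope_level(scope):
    """Classify an ARM scope as 'subscription', 'resourceGroup' or 'resource'."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) <= 2:      # /subscriptions/<id>
        return "subscription"
    if len(parts) == 4:      # /subscriptions/<id>/resourceGroups/<rg>
        return "resourceGroup"
    return "resource"

def broad_role_assignments(assignments):
    """Assignments to review under rollout step 4: scoped above one resource, or a broad control-plane role."""
    broad_roles = {"Owner", "Contributor"}
    return [a for a in assignments
            if scope_level(a["scope"]) != "resource" or a["roleDefinitionName"] in broad_roles]
```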
© 2026 Cyscale Limited