AzPolicyAdvertizer

last sync: 2025-Oct-31 18:22:59 UTC

[Preview]: Managed Identity Federated Credentials should be from allowed issuer types

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

[Preview]: Managed Identity Federated Credentials should be from allowed issuer types

2571b7c3-3056-4a61-b00a-9bc5232234f5

Version

1.0.0-preview
Details on versioning

Versioning

Versions supported for Versioning: 1
1.0.0-preview
Built-in Versioning [Preview]

Category

Managed Identity
Microsoft Learn

Description

This policy limits whether Managed Identities can use federated credentials, which common issuer types are allowed, and provides a list of allowed issuer exceptions.

Cloud environments

AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown

Available in AzUSGov

Unknown, no evidence if Policy definition is/not available in AzureUSGovernment

Mode

All

Type

BuiltIn

Preview

True

Deprecated

False

Effect

Default
Audit
Allowed
Audit, Disabled, Deny

RBAC role(s)

none

Rule aliases

IF (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/issuer	Microsoft.ManagedIdentity	userAssignedIdentities/federatedIdentityCredentials	properties.issuer	True		False

Rule resource types

IF (1)

Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials

Compliance

The following 1 compliance controls are associated with this Policy definition '[Preview]: Managed Identity Federated Credentials should be from allowed issuer types' (2571b7c3-3056-4a61-b00a-9bc5232234f5)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
Azure_Security_Benchmark_v3.0	IM-3	Azure_Security_Benchmark_v3.0_IM-3	Microsoft cloud security benchmark IM-3	Identity Management	IM-3 Manage application identities securely and automatically	Shared	Security Principle: Use managed application identities instead of creating human accounts for applications to access resources and execute code. Managed application identities provide benefits such as reducing the exposure of credentials. Automate the rotation of credential to ensure the security of the identities. Azure Guidance: Use Azure managed identities, which can authenticate to Azure services and resources that support Microsoft Entra ID authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files. For services that don't support managed identities, use Microsoft Entra ID to create a service principal with restricted permissions at the resource level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentication. Implementation and additional context: Azure managed identities: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview Services that support managed identities for Azure resources: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities Azure service principal: https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps Create a service principal with certificates: https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell	n/a	link	15

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type	polSet in AzUSGov
[Preview]: Managed Identity Federated Credentials should be of approved types from approved federation sources	5e4ee281-95a3-442a-bb2a-5ef68cf5181a	Managed Identity	Preview	BuiltIn	unknown
[Preview]: Microsoft cloud security benchmark v2	e3ec7e09-768c-4b64-882c-fcada3772047	Security Center	Preview	BuiltIn	unknown

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2023-04-06 17:42:16	add	2571b7c3-3056-4a61-b00a-9bc5232234f5

JSON compare

n/a

JSON

api-version=2021-06-01
EPAC