Governance Policies Azure Identity Managed Identity - Azure/az-prototype GitHub Wiki

Managed Identity

Governance policies for Managed Identity

Domain: azure-identity

Patterns

| Name | Description |
|---|---|
| User-Assigned Managed Identity with RBAC | Create the identity and assign roles to target resources using deterministic names |

Anti-Patterns

| Description | Instead |
|---|---|
| Do not use a system-assigned identity when multiple resources need shared access | Use a user-assigned managed identity shared across the application boundary |
| Do not use newGuid() for role assignment names | Use guid() with deterministic seeds: guid(resourceId, identityId, roleDefId) in Bicep, or uuidv5() with the same seeds in Terraform |
| Do not create multiple identities for tightly coupled services in the same app | Share one user-assigned identity per logical application |


Checks (4)

| Check | Severity | Description |
|---|---|---|
| AZ-MI-001 | Required | Create User-Assigned Managed Identity for shared identity across services |
| AZ-MI-002 | Required | Use deterministic names for RBAC role assignments using uuidv5 |
| AZ-MI-003 | Required | Always output client_id and principal_id from the identity module |
| AZ-MI-004 | Recommended | Create one identity per logical application boundary |

AZ-MI-001

Create User-Assigned Managed Identity for shared identity across services

Severity: Required
Rationale: A user-assigned identity has its own lifecycle, so it can be attached to several resources and its role assignments survive when a consuming resource is deleted and recreated. A system-assigned identity is deleted together with its resource, which removes the service principal and orphans every role assignment that referenced it.
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.ManagedIdentity/userAssignedIdentities

AZ-MI-002

Use deterministic names for RBAC role assignments using uuidv5

Severity: Required
Rationale: Azure requires the role assignment resource name to be a GUID. uuidv5 derives that GUID deterministically from a namespace plus a seed string (scope, identity, role definition), so re-applying the same configuration resolves to the same name and the deployment is idempotent. A freshly generated random GUID per deployment makes every run try to create a new assignment resource, which conflicts with the assignment already present for that principal and role at that scope. The Bicep equivalent is guid() with the same seeds.
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.ManagedIdentity/userAssignedIdentities

AZ-MI-003

Always output client_id and principal_id from the identity module

Severity: Required
Rationale: Downstream resources need both IDs: client_id for SDK configuration, principal_id for RBAC assignments
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.ManagedIdentity/userAssignedIdentities
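The pattern behind AZ-MI-001, AZ-MI-002 and AZ-MI-003 (and the anti-patterns table) in one Terraform module, as an added example that is not the az-prototype project's own code. It assumes the azurerm provider, that the Key Vault and Storage Account already exist and are passed in by resource ID, and that the variable and resource names are illustrative:

```hcl
# Added example, not the az-prototype project's own module. Assumes the azurerm
# provider and that the Key Vault and Storage Account already exist and are
# passed in by resource ID; all names are illustrative.

variable "app_name"            { type = string } # e.g. "orders"
variable "environment"         { type = string } # e.g. "prod"
variable "location"            { type = string }
variable "resource_group_name" { type = string }
variable "key_vault_id"        { type = string } # existing resource (assumed)
variable "storage_account_id"  { type = string } # existing resource (assumed)

# AZ-MI-001 / AZ-MI-004: a single user-assigned identity for the whole
# application, with a deterministic name so re-runs resolve to the same identity.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-${var.app_name}-${var.environment}"
  location            = var.location
  resource_group_name = var.resource_group_name
}

# Least-privilege grants for this application, keyed for for_each. Each entry is
# one (scope, role) pair; the identity receives nothing beyond this list.
locals {
  role_assignments = {
    kv_secrets_user = {
      scope = var.key_vault_id
      role  = "Key Vault Secrets User"
    }
    blob_data_reader = {
      scope = var.storage_account_id
      role  = "Storage Blob Data Reader"
    }
  }
}

# AZ-MI-002: deterministic role assignment names. The seed mirrors the page's
# guid(resourceId, identityId, roleDefId): the same scope + identity + role always
# hashes to the same GUID, so a second apply is a no-op instead of an attempt to
# create a duplicate assignment. The anti-pattern would be name = uuid() here.
# Including the scope in the seed keeps names unique when the same identity/role
# pair is granted at two different scopes.
resource "azurerm_role_assignment" "app" {
  for_each = local.role_assignments

  name = uuidv5(
    "url",
    "${each.value.scope}/${azurerm_user_assigned_identity.app.id}/${each.value.role}"
  )
  scope                = each.value.scope
  role_definition_name = each.value.role
  principal_id         = azurerm_user_assigned_identity.app.principal_id

  # A freshly created identity may not yet be visible to the directory lookup the
  # provider performs; skipping it avoids a spurious "principal not found" error.
  skip_service_principal_aad_check = true
}

# AZ-MI-003: export both IDs. client_id is what the workload configures
# (AZURE_CLIENT_ID / ManagedIdentityCredential); principal_id is what further
# role assignments in other modules need.
output "client_id" {
  value = azurerm_user_assigned_identity.app.client_id
}

output "principal_id" {
  value = azurerm_user_assigned_identity.app.principal_id
}
```

Running `terraform apply` twice with unchanged inputs produces no changes on the second run because every role assignment name hashes to the same GUID; swapping `uuidv5(...)` for `uuid()` makes the second run plan a replacement of each assignment, which Azure then rejects as already existing.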

AZ-MI-004

Create one identity per logical application boundary

Severity: Recommended
Rationale: One identity per application keeps RBAC manageable (a single principal to grant, review and audit) while preserving the security boundary between applications: a compromise of one application's identity does not expose the roles granted to another.
Agents: cloud-architect

Targets

  • Microsoft.ManagedIdentity/userAssignedIdentities
