Tags: iis, azure-active-directory, iis-7

Can I use AAD Managed Identities for IIS Application pool identities on Azure?


I am hosting IIS on Azure Windows VM and need to configure Service account for IIS Application pool identity. What approach can I use for this? Is it possible to use AAD Managed identity or service principal for IIS Application pool identity?


Solution

  • According to the Microsoft docs: The Windows operating system provides a feature called "virtual accounts" that allows IIS to create a unique identity for each of its application pools. For more information about virtual accounts, see Service Accounts Step-by-Step Guide.

    If you are running IIS 7.5 on Windows Server 2008 R2, or a later version of IIS, you don't have to do anything to use the new identity; it is set to ApplicationPoolIdentity by default. The IIS Admin Process (WAS) will create a virtual account with the name of the new application pool and run the application pool's worker processes under this account by default.

    To use this virtual account when running IIS 7.0 on Windows Server 2008, you have to change the Identity property of an application pool that you create to ApplicationPoolIdentity. Please check this reference: Application Pool Identities | Microsoft Docs

    You must be a member of the Administrators group on the local computer to perform the following procedures. And for AAD, make sure to do Active Directory sync to connect to the local AD.

    1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    2. Double-click , double-click Application Pools, right-click , and click Advanced Settings.
    3. In the Identity box, click ApplicationPoolIdentity.
    4. Under Application Pool Tasks, click Stop, and then click Start. Reference: Service Accounts Step-by-Step Guide - To configure an IIS application pool to use a virtual account | Microsoft Docs
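As an added example (not part of the answer above or of Microsoft's documentation), the same four-step IIS Manager procedure done from an elevated PowerShell session on the IIS server, with a check that the pool really ended up on ApplicationPoolIdentity and a least-privilege NTFS grant to the resulting virtual account. The pool name `MyAppPool` and the folder `C:\inetpub\wwwroot\myapp` are assumed placeholders.

```powershell
# Added example: put an IIS application pool on its virtual account
# (ApplicationPoolIdentity) from PowerShell instead of IIS Manager.
# Assumptions: "MyAppPool" and "C:\inetpub\wwwroot\myapp" are placeholders;
# run in an elevated PowerShell on the IIS server (WebAdministration module).
#Requires -RunAsAdministrator
Import-Module WebAdministration

$poolName = 'MyAppPool'
$sitePath = 'C:\inetpub\wwwroot\myapp'
$poolPath = "IIS:\AppPools\$poolName"

# Create the pool if it does not exist yet (new pools already default to ApplicationPoolIdentity).
if (-not (Test-Path $poolPath)) {
    New-WebAppPool -Name $poolName | Out-Null
}

# Steps 2-3 of the procedure: Advanced Settings -> Identity -> ApplicationPoolIdentity.
Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value ApplicationPoolIdentity

# Verify what the pool is actually configured with before relying on it.
$identity = (Get-ItemProperty -Path $poolPath -Name processModel).identityType
if ($identity -ne 'ApplicationPoolIdentity') {
    throw "Pool '$poolName' is configured as '$identity', expected ApplicationPoolIdentity"
}

# Step 4: stop/start so the worker processes pick up the new identity.
Restart-WebAppPool -Name $poolName

# The virtual account is named "IIS AppPool\<pool name>". Grant it only the NTFS
# rights the application needs (read/execute on its own content folder) and
# nothing on other sites' folders, so a compromised pool cannot read its neighbours.
$virtualAccount = "IIS AppPool\$poolName"
icacls $sitePath /grant "${virtualAccount}:(OI)(CI)RX" /T | Out-Null

# Show the resulting ACE so the grant can be reviewed.
(Get-Acl $sitePath).Access | Where-Object { $_.IdentityReference -like "*$poolName*" }
```

The same change can be made with `appcmd set apppool /apppool.name:MyAppPool /processModel.identityType:ApplicationPoolIdentity` from `%windir%\system32\inetsrv`. The identity check matters because a pool that was earlier switched to NetworkService or a custom account keeps that setting across upgrades; only pools created on IIS 7.5 or later get the virtual account by default.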