azure, azure-managed-identity, azure-bicep

Azure SystemAssigned managed identity not being set by bicep deploy


I'm trying to configure an Azure App Service to use a SystemAssigned managed identity to facilitate access to a SQL Server resource using Bicep.

However, after deploying to Azure, the status of System assigned identity is set to Off (as shown in the screenshot below).

System assigned identity status set to off

The Bicep resource definition is as follows, with the identity type set to SystemAssigned:

resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: appServiceName
  location: location
  tags: tagValues
  kind: 'app,migration'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    clientAffinityEnabled: true
    clientCertEnabled: false
    clientCertMode: 'Required'
    containerSize: 0
    dailyMemoryTimeQuota: 0
    enabled: true
    hostNamesDisabled: false
    hostNameSslStates: [
      // ...
    ]
    httpsOnly: true
    hyperV: false
    isXenon: false
    keyVaultReferenceIdentity: 'SystemAssigned'
    redundancyMode: 'None'
    reserved: false
    scmSiteAlsoStopped: false
    serverFarmId: appServicePlan.id
    siteConfig: {
      numberOfWorkers: 1
      acrUseManagedIdentityCreds: false
      alwaysOn: true
      functionAppScaleLimit: 0
      http20Enabled: false
      minimumElasticInstanceCount: 0
    }
    storageAccountRequired: false
    vnetContentShareEnabled: false
    vnetImagePullEnabled: false
    vnetRouteAllEnabled: false
  }
}

I know there exists a similar issue when the cloningInfo property is set, but this isn't the case here.

Am I missing something or should I raise this with Microsoft?


Solution

  • While enabling system managed identity for an app service, there are certain limitations. In your case, enabling the alwaysOn property might not be supported with all the app services which are being deployed in a respective app service plan.

    Ascertain that the App Service Plan to which your App Service is deployed is set up to enable System Assigned Managed Identity. This feature requires the use of a Premium, Isolated, or Elastic Premium service plan.

    Also check the Azure Resource Provider for Managed Identity. It may not be registered in certain cases. Use the command below to check the status.

    Get-AzResourceProvider -ProviderNamespace "Microsoft.ManagedIdentity"
    

    As previously mentioned, the app service plan I've been utilizing has a conflict with the alwaysOn property. After modifying your code in the manner below, I was able to successfully deploy it after disabling it.

    var webAppName = 'jhwebbla'
    var appServicePlanName = toLower('AppServicePlan-${webAppName}')
    param location string = resourceGroup().location
    resource appServicePlan 'Microsoft.Web/serverfarms@2020-06-01' = {
      name: appServicePlanName
      location: location
      properties: {
        reserved: true
      }
      sku: {
        name: 'F1'
      }
      kind: 'app'
    }
    resource appService 'Microsoft.Web/sites@2022-09-01' = {
      name: webAppName
      location: location
      kind: 'app,migration'
      identity: {
        type: 'SystemAssigned'
      }
      properties: {
        clientAffinityEnabled: true
        clientCertEnabled: false
        clientCertMode: 'Required'
        containerSize: 0
        dailyMemoryTimeQuota: 0
        enabled: true
        hostNamesDisabled: false
        hostNameSslStates: [
          // ...
        ]
        httpsOnly: true
        hyperV: false
        isXenon: false
        keyVaultReferenceIdentity: 'SystemAssigned'
        redundancyMode: 'None'
        reserved: false
        scmSiteAlsoStopped: false
        serverFarmId: appServicePlan.id
        siteConfig: {
          numberOfWorkers: 1
          acrUseManagedIdentityCreds: false
          //alwaysOn: true
          functionAppScaleLimit: 0
          http20Enabled: false
          minimumElasticInstanceCount: 0
        }
        storageAccountRequired: false
        vnetContentShareEnabled: false
        vnetImagePullEnabled: false
        vnetRouteAllEnabled: false
      }
    }
    

    Deployment succeeded:

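A pre-deployment check for the two conditions discussed in this thread, as an added example that is not part of the original question or answer: it reads the ARM JSON that `bicep build` produces and reports sites that declare no system-assigned identity, or that set alwaysOn while attached to a Free (F1) or Shared (D1) plan. The sample template, the resource names in it, the function names and the finding labels are constructed for illustration; the check assumes the template's `resources` is an array and that plans are defined in the same file.

```python
import json

NO_ALWAYS_ON_SKUS = {"F1", "D1"}  # Free and Shared tiers do not offer Always On
# Constructed sample in the array form that `bicep build` emits (trimmed).
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Web/serverfarms", "name": "plan-demo", "sku": {"name": "F1"}},
  {"type": "Microsoft.Web/sites", "name": "app-demo",
   "identity": {"type": "SystemAssigned"},
   "properties": {
     "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'plan-demo')]",
     "siteConfig": {"alwaysOn": true}}},
  {"type": "Microsoft.Web/sites", "name": "app-noid",
   "properties": {
     "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'plan-demo')]",
     "siteConfig": {}}}
]}
""")


def has_system_identity(resource):
    """True if identity.type lists SystemAssigned, alone or with UserAssigned."""
    kinds = (resource.get("identity") or {}).get("type", "")
    return "systemassigned" in {k.strip().lower() for k in kinds.split(",")}


def plan_ref(name):
    """Text by which a resourceId() expression refers to a plan of this name."""
    return name[1:-1] if name.startswith("[") else f"'{name}'"


def lint_template(template):
    """Return sorted (site, finding) pairs: missing identity, unsupported alwaysOn."""
    resources = template.get("resources", [])
    plans = {plan_ref(r["name"]): r.get("sku", {}).get("name", "").upper()
             for r in resources if r.get("type") == "Microsoft.Web/serverfarms"}
    findings = []
    for site in (r for r in resources if r.get("type") == "Microsoft.Web/sites"):
        props = site.get("properties", {})
        if not has_system_identity(site):
            findings.append((site["name"], "no-system-identity"))
        farm = props.get("serverFarmId", "")
        sku = next((s for ref, s in plans.items() if ref in farm), "")
        if props.get("siteConfig", {}).get("alwaysOn") and sku in NO_ALWAYS_ON_SKUS:
            findings.append((site["name"], f"alwaysOn-on-{sku}"))
    return sorted(findings)


if __name__ == "__main__":
    print(lint_template(SAMPLE_TEMPLATE))
```

To run it against a real template, load the file written by `bicep build` with `json.load` and pass the result to `lint_template`.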