Tags: azureautomation, azure-managed-identity, azure-policy

Automation - Is there any chance that the Managed Identities in Container Apps can be monitored?


Just wondering if it is possible to monitor the System-assigned or User-assigned identity activity. For example, if System-assigned is manually turned OFF, then an email alert will trigger.

With this automation, users changing the identity settings of an App will be monitored. Thank you!

Alert messages like the one below are what I want to fetch.


Solution

  • Alternatively, you can use a PowerShell script with an automation account to trigger the alert based on the container app's identity status.

    In order to send the mail through identity authentication, make sure to provide the required permissions to the automation account identity by following the Stack link, and also assign the Contributor role to fetch the container app details.

    Note: In this method, you will receive the mail every hour, or you can set the time period in the Automation account to run the script according to your requirement.

    # Sign in with the Automation account's system-assigned managed identity
    Connect-AzAccount -Identity
    $subscriptionId = "Sub-ID"
    Set-AzContext -SubscriptionId $subscriptionId
    
    # Get all Container Apps in the subscription (add -ResourceGroupName to narrow the scope)
    $containerApps = Get-AzContainerApp
    
    # Connect to Microsoft Graph once, with the same managed identity
    # (the identity needs the Mail.Send application permission)
    Connect-MgGraph -Identity
    
    # Define sender and recipient email addresses and the email body type
    $senderAddress = "Sender Email ID"
    $recipientAddress = "Receiver Email ID"
    $type = "Text"
    
    # Loop through each container app and report its current system-assigned identity status
    foreach ($containerApp in $containerApps) {
        # Retrieve the last modified details
        $lastModifiedBy = $containerApp.SystemDataLastModifiedBy
        $lastModifiedAt = $containerApp.SystemDataLastModifiedAt
    
        # IdentityType is "SystemAssigned", "UserAssigned", "SystemAssigned,UserAssigned" or "None";
        # it is empty when the app has never had an identity block, which also means no identity
        $identityType = [string]$containerApp.IdentityType
        if ([string]::IsNullOrWhiteSpace($identityType)) { $identityType = 'None' }
    
        # Check if the system-assigned identity is enabled or not
        if ($identityType -match 'SystemAssigned') {
            # Identity is enabled (alone or together with user-assigned identities)
            $emailSubject = "Container app named $($containerApp.Name) Identity has been Enabled"
            $emailBody = "The container app: $($containerApp.Name) System identity has been enabled.`n"
        } else {
            # "None" or user-assigned only: the system-assigned identity is disabled
            $emailSubject = "Container app named $($containerApp.Name) Identity has been Disabled"
            $emailBody = "The container app: $($containerApp.Name) System identity has been disabled (identity type: $identityType).`n"
        }
        $emailBody += "Last Modified By: $lastModifiedBy`n"
        $emailBody += "Last Modified At: $lastModifiedAt"
    
        # Set up email parameters
        $params = @{
            Message         = @{
                Subject       = $emailSubject
                Body          = @{
                    ContentType = $type
                    Content     = $emailBody
                }
                ToRecipients  = @(
                    @{
                        EmailAddress = @{
                            Address = $recipientAddress
                        }
                    }
                )
            }
        }
    
        # Send the email
        Send-MgUserMail -UserId $senderAddress -BodyParameter $params
    }
    

    Attach the runbook to a schedule to run the script at the recurring time period. In my case, I selected every hour, so the script runs every hour and the alert triggers.

    You receive an alert if there are any changes to the container app's system-managed identity, along with the details, every hour.

    Container app identity status (screenshot).

    Sent mail with container app details (screenshot).

    If you want to trigger the automation every second, you can use Logic Apps to trigger the automation account by following the stack link.
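The runbook above mails the current identity status of every Container App on each run, whether or not anything changed. The following is an added example, not the answerer's code or anything from the page: it keeps the previous identity state in an Automation variable and mails only the differences, including the case the question is really about (system-assigned identity switched off, or switched off and on again, which produces a new principal and silently breaks existing role assignments). Assumed names: an Automation string variable `ContainerAppIdentityState` (created empty before the first run), `Sub-ID`, and the two mailbox addresses. It relies on the Az.App `ContainerApp` object's `IdentityType`, `IdentityPrincipalId` and `IdentityUserAssignedIdentity` properties (the last assumed to be a dictionary keyed by identity resource ID), on `Get-AutomationVariable`/`Set-AutomationVariable` inside the runbook, and on the managed identity holding Reader on the subscription plus the Graph `Mail.Send` application role.

```powershell
# Added example (not the answer's code): e-mail only when a Container App's identity
# configuration actually changes, by diffing the current state against a snapshot kept
# in an Automation variable. Assumed names: the string variable 'ContainerAppIdentityState'
# (create it empty before the first run), 'Sub-ID', and the two mailbox addresses.
# Runbook identity needs Reader on the subscription and the Graph Mail.Send application role.

Connect-AzAccount -Identity | Out-Null
Set-AzContext -SubscriptionId 'Sub-ID' | Out-Null

$stateVariable    = 'ContainerAppIdentityState'   # assumed Automation variable name
$senderAddress    = 'Sender Email ID'
$recipientAddress = 'Receiver Email ID'

# ConvertFrom-Json returns a PSCustomObject; turn its top level into a hashtable
# so it can be indexed by resource ID like the fresh snapshot.
function ConvertTo-Hashtable($object) {
    $table = @{}
    if ($object) { foreach ($p in $object.PSObject.Properties) { $table[$p.Name] = $p.Value } }
    return $table
}

# Normalised snapshot: lower-cased app resource ID -> the identity facts worth diffing
function Get-IdentitySnapshot {
    $snapshot = @{}
    foreach ($app in Get-AzContainerApp) {
        $type = [string]$app.IdentityType
        if ([string]::IsNullOrWhiteSpace($type)) { $type = 'None' }   # no identity block at all
        $userAssigned = @()
        if ($app.IdentityUserAssignedIdentity) {
            # assumed: dictionary keyed by the user-assigned identity's resource ID
            $userAssigned = @($app.IdentityUserAssignedIdentity.Keys | ForEach-Object { $_.ToLower() } | Sort-Object)
        }
        $snapshot[$app.Id.ToLower()] = @{
            Name           = $app.Name
            Type           = $type
            PrincipalId    = [string]$app.IdentityPrincipalId
            UserAssigned   = $userAssigned
            LastModifiedBy = [string]$app.SystemDataLastModifiedBy
            LastModifiedAt = [string]$app.SystemDataLastModifiedAt
        }
    }
    return $snapshot
}

# Produce one human-readable line per change between two snapshots
function Compare-IdentitySnapshot($previous, $current) {
    $changes = @()
    foreach ($id in (@($previous.Keys) + @($current.Keys) | Sort-Object -Unique)) {
        $old = $previous[$id]
        $new = $current[$id]
        if (-not $old) { $changes += "New app $($new.Name): identity type '$($new.Type)'"; continue }
        if (-not $new) { $changes += "App $($old.Name) removed (had identity type '$($old.Type)')"; continue }
        $who = "by $($new.LastModifiedBy) at $($new.LastModifiedAt)"
        if ($old.Type -ne $new.Type) {
            $changes += "$($new.Name): identity type '$($old.Type)' -> '$($new.Type)' $who"
        }
        # Turning the system-assigned identity off and on again yields a new principal,
        # so every role assignment granted to the old one stops working silently.
        if ($old.PrincipalId -ne $new.PrincipalId) {
            $changes += "$($new.Name): system-assigned principalId '$($old.PrincipalId)' -> '$($new.PrincipalId)' $who"
        }
        foreach ($uai in $new.UserAssigned) {
            if ($uai -notin $old.UserAssigned) { $changes += "$($new.Name): user-assigned identity attached $uai $who" }
        }
        foreach ($uai in $old.UserAssigned) {
            if ($uai -notin $new.UserAssigned) { $changes += "$($new.Name): user-assigned identity detached $uai $who" }
        }
    }
    return $changes
}

$previousJson = Get-AutomationVariable -Name $stateVariable
$previous = if ($previousJson) { ConvertTo-Hashtable (ConvertFrom-Json $previousJson) } else { @{} }
$current  = Get-IdentitySnapshot
$changes  = @(Compare-IdentitySnapshot -previous $previous -current $current)

if ($changes.Count -gt 0) {
    # The first run reports every app as "New app"; that e-mail is the baseline.
    Connect-MgGraph -Identity | Out-Null
    $params = @{
        Message = @{
            Subject      = "Container App identity changes detected: $($changes.Count)"
            Body         = @{ ContentType = 'Text'; Content = ($changes -join "`n") }
            ToRecipients = @(@{ EmailAddress = @{ Address = $recipientAddress } })
        }
    }
    Send-MgUserMail -UserId $senderAddress -BodyParameter $params
} else {
    Write-Output "No identity changes since the last run."
}

# Persist the snapshot so the next run only reports what changed from here on
Set-AutomationVariable -Name $stateVariable -Value ($current | ConvertTo-Json -Depth 5 -Compress)
```

Schedule it exactly like the answer's runbook; because the comparison is against the stored snapshot rather than a fixed interval, the schedule period only bounds how late you learn about a change, and a quiet hour sends no mail. Reader is enough for `Get-AzContainerApp`; Contributor is not needed to read identity settings.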