Skip to main content
Back to the Azure Footguns Database
SecurityGovernanceLowCommonAZF-0089

An App Service with no managed identity runs on secrets that leak, sprawl, and never expire

An App Service without a managed identity authenticates to databases, storage, and Key Vault with connection strings and keys in app settings — a whole credential class Azure would let you delete.

Footgun ID
AZF-0089 (Azure Footgun No. 89)
Azure service
Azure App Service
Resource type
Microsoft.Web/sites
Updated
July 9, 2026

What it is

An App Service or Function App with no managed identity assigned (identity.type is None or missing entirely). The app still talks to SQL, Storage, Key Vault, and every other backend — it just does it with connection strings and account keys stored in app settings. A managed identity is a free Entra ID identity Azure runs for the app, and its absence is a reliable signal that credentials are living in configuration instead.

Impact (security)
Every downstream connection is a copyable long-lived secret; one leaked connection string is full data-plane access with no identity attached
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

A managed identity is opt-in. New App Services are created without one, every quickstart that pastes a connection string into app settings works on the first try, and the app never breaks in a way that forces the question. So the secret-based wiring that got the first deployment working becomes the permanent architecture.

The trap is that secrets in app settings feel contained but aren't. Anyone with control-plane read access to the site's configuration can list them, they get copied into CI variables and local .env files, and account keys don't expire on their own. Rotation means chasing every copy, so rotation quietly stops happening.

What it costs / blast radius

There is no direct Azure cost here — managed identities are free, and this entry costs you nothing on the bill. The harm is the credential class itself. (Azure behavior; authored assessment.)

A leaked storage connection string or SQL password is full data-plane access from anywhere, with no identity behind it: no conditional access, no MFA, and an audit log that shows the app's key was used, not who used it. Every backend the app touches multiplies the copies in configs, pipelines, and laptops. Assigning a managed identity and switching to Entra ID auth doesn't just harden one connection — it removes the entire category of "secret someone can copy" for that app.

See it

Footgun: no identity block, so an account key rides along in app settings
resource app 'Microsoft.Web/sites@2024-04-01' = {
  name: 'corp-api'
  location: location
  // no identity block — the app has no Entra ID identity of its own
  properties: {
    serverFarmId: plan.id
    siteConfig: {
      appSettings: [
        {
          name: 'STORAGE_CONNECTION_STRING'
          value: 'DefaultEndpointsProtocol=https;AccountName=corpdata;AccountKey=...'
        }
      ]
    }
  }
}
Fix: system-assigned identity + an RBAC role; code switches to DefaultAzureCredential
resource app 'Microsoft.Web/sites@2024-04-01' = {
  name: 'corp-api'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: plan.id
  }
}

// Grant the identity data-plane access instead of shipping a key.
// (Storage Blob Data Contributor shown; scope to what the app needs.)
resource blobAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: storage
  name: guid(storage.id, app.id, 'blob-data-contributor')
  properties: {
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
    )
  }
}

How StratoLens helps

StratoLens flags every App Service and Function App running without a managed identity, automatically and continuously, across every subscription — inside your own tenant. The apps still wired up with connection strings stop being something you find one incident at a time.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.