Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
Feature Request: Missing Azure Policy Alias for identity.userAssignedIdentities on Microsoft.Web/sites
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 60%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Art Groeneveld
0
Reputation points
Description: We are implementing a security architecture that requires a 1:1 mapping between Web/Function Apps (and eventually other resources) and User Assigned Identities to ensure the idempotency of Infrastructure-as-Code (Bicep/ARM) deployments.
The Problem: We cannot use System Assigned Managed Identities because their Principal ID changes upon resource recreation. This breaks idempotent role assignments, leading to RoleAssignmentUpdateNotPermitted errors when the role assignment name (GUID) remains deterministic but the Principal ID is updated. We cannot use the System Assigned Managed Identity in the GUID in the Bicep Script as it is not known beforehand. The user managed identities also have their advantages in cleaning up dangling role assignments.
The Request: To enforce our "User Assigned Only" architecture via governance, we need to validate the specific Identity ID/Name attached to a resource. However, the Microsoft.Web provider (resource types sites and staticSites) does not currently expose a policy alias for the identity.userAssignedIdentities property.
We request that a policy alias (supporting the [*] operator) be added for identity.userAssignedIdentities on the Microsoft.Web/sites resource type, similar to the functionality already available for Microsoft.Compute/virtualMachines. This is necessary for maintaining idempotent, identity-based permissions in enterprise environments
Thanks in advance, best regards, Art
Azure Policy
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 68%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBY%3C/text%3E%3C/svg%3E)
Bharath Y P 4,135 Reputation points Microsoft External Staff Moderator2026-01-28T09:50:34.0533333+00:00 Hello Art Groeneveld, we understand that you're working to enhance your security architecture by ensuring a 1:1 mapping between your applications and user-assigned identities. You’re facing challenges with Azure Policy as the
identity.userAssignedIdentitiesproperty for theMicrosoft.Web/sitesresource does not currently have a corresponding alias to help enforce your architecture.As you've pointed out, using a system-assigned managed identity is problematic due to its changing Principal ID on resource recreation, complicating role assignments. Therefore, applying governance to strictly enforce user-assigned identities requires the ability to validate identity assignments against your policies.
If you wish, you may also leave your feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
Hope this Helps, if you need further clarification or assistance, please reach out to us. Thanks
-
Bharath Y P 4,135 Reputation points Microsoft External Staff Moderator
2026-01-29T10:00:20.8466667+00:00 Hello Art Groeneveld, I just wanted to kindly follow up to check if you had a chance to review my earlier response. I hope the information shared was helpful. Please feel free to reach out if you have any additional questions or need further clarification. If the answer addressed your query, it would be great if you could accept it and up-vote. This not only helps us but also makes it easier for other community members who might face the same issue.Thanks
-
Bharath Y P 4,135 Reputation points Microsoft External Staff Moderator
2026-01-30T19:02:33.48+00:00 Hello Art Groeneveld, I just wanted to kindly follow up to check if you had a chance to review my earlier response. I hope the information shared was helpful. Please feel free to reach out if you have any additional questions or need further clarification. If the answer addressed your query, it would be great if you could accept it and up-vote. This not only helps us but also makes it easier for other community members who might face the same issue. Thanks
-
Art Groeneveld 0 Reputation points
2026-01-31T18:13:20.2066667+00:00 Hi, @Bharath Y P sorry for late reply, I am not as much interested in checking for a User Managed Identity just like that. What I am looking for is a way to Audit or Enforce that that created User Managed Identity will not be reused amongst resources. Somehow in Azure sponsored subscriptions one can only post in Q&A (or feedback)....
-
Bharath Y P 4,135 Reputation points Microsoft External Staff Moderator
2026-02-03T00:42:36.8133333+00:00 Hello Art Groeneveld, Thanks for the update, you want to enforce uniqueness of User Assigned Managed Identities (UAMIs) across resources. i.e., each of User Assigned Managed Identities can only be assigned to one resource at a time. This is more than use of User Assigned Managed Identities or ‘check identity exists’, it’s a global 1:1 constraint.Even if
identity.userAssignedIdentities[*]aliases existed forMicrosoft.Web/sites:Azure Policy is resource-scoped: it evaluates one resource at a time.
You cannot count references to a UAMI across all resources in the subscription/tenant.
A global uniqueness rule like “this identity is assigned to only one resource” is not expressible in policy alone.
So policy can audit or deny incorrect assignments within a resource but cannot enforce cross-resource uniqueness.
-
Art Groeneveld 0 Reputation points
2026-02-03T12:36:42.74+00:00 Ok, sorry, I thought one could use the User Managed Identity as a starting point and validate it's used only once (or even is dangling).
-
Bharath Y P 4,135 Reputation points Microsoft External Staff Moderator
2026-02-03T23:33:15.82+00:00 Hello Art Groeneveld, I hope the information shared was helpful. if you have any additional questions or need further clarification, Please do let us know, thanks
-
Bharath Y P 4,135 Reputation points Microsoft External Staff Moderator
2026-02-05T01:02:16.6633333+00:00 Hello Art Groeneveld, I hope the information shared was helpful. if you have any additional questions or need further clarification, Please do let us know, thanks
Sign in to comment
Sign in to answer