Unable to create a remediation task on the managed identity ACA built-in policy, although the compliance state is working fine on all resources. I need to remediate non-compliant resources. The question is, does remediation apply to the managed identity built-in policy? See image above, thank you!
To enable a system-assigned managed identity, since there is no built-in policy for this, you need to create a custom policy.
Alternatively, you can achieve the same requirement of enabling a system-assigned managed identity on container apps using PowerShell in an Automation account runbook. This way it will automatically enable the identity on any container app that doesn't already have one.
1. Go to portal > Automation Accounts > Create an Automation Account
Note: The Automation account's managed identity must have the Contributor role assigned to enable the system-assigned managed identity on container apps.
# Sign in as the Automation account's managed identity (needs Contributor on the target scope)
az login --identity
if ($LASTEXITCODE -ne 0) { throw "az login --identity failed" }

# List every container app in the subscription together with its current identity block
$containerApps = az containerapp list --output json --query "[].{Name:name, ResourceGroup:resourceGroup, Identity:identity}" | ConvertFrom-Json

foreach ($app in $containerApps) {
    $appName = $app.Name
    $resourceGroup = $app.ResourceGroup
    $identity = $app.Identity
    Write-Output "Processing container app: $appName in resource group: $resourceGroup"

    # identity.type is "None", "SystemAssigned", "UserAssigned" or "SystemAssigned, UserAssigned";
    # an app that only has a user-assigned identity still needs the system-assigned one added
    if (-not $identity -or $identity.type -notmatch "SystemAssigned") {
        Write-Output "System-assigned identity is not enabled for $appName. Enabling identity now..."
        az containerapp identity assign --name $appName --resource-group $resourceGroup --system-assigned --output none
        if ($LASTEXITCODE -eq 0) {
            Write-Output "System-assigned identity enabled successfully for $appName."
        } else {
            Write-Warning "Failed to enable system-assigned identity for $appName."
        }
    } else {
        Write-Output "System-assigned identity is already enabled for $appName."
    }
}
You can schedule the runbook to run the script every day at 5 PM, so it checks all container apps and automatically enables the identity wherever it isn't enabled.
After running the runbook, the identity has been enabled on all container apps.
Reference: Stack link
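The answer above says a custom policy is needed but does not show one. Below is an added example of such a definition, written for this page and not taken from the answer or from Microsoft's built-in policies. It follows the pattern the built-in "Add system-assigned managed identity" policies for virtual machines use (a Modify effect with an addOrReplace operation on identity.type), and it assumes that pattern applies the same way to Microsoft.App/containerApps. The role ID is Contributor, matching the role the answer requires; the display name, description and the effect parameter are illustrative choices.

```json
{
  "properties": {
    "displayName": "Add a system-assigned managed identity to container apps with no identity",
    "description": "Assigns a system-assigned managed identity to Microsoft.App/containerApps that have no identity, via the Modify effect. Existing apps are fixed by a remediation task.",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Modify",
        "allowedValues": [ "Modify", "Disabled" ],
        "metadata": {
          "displayName": "Effect",
          "description": "Modify adds the identity on create/update and during remediation; Disabled turns the policy off."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.App/containerApps" },
          {
            "anyOf": [
              { "field": "identity.type", "exists": "false" },
              { "field": "identity.type", "equals": "None" }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "identity.type",
              "value": "SystemAssigned"
            }
          ]
        }
      }
    }
  }
}
```

Because the effect is Modify, the assignment must itself be created with a managed identity, and that identity is granted the roles listed in roleDefinitionIds; without it the assignment evaluates compliance but the remediation task has nothing to act with. Apps that already carry only a user-assigned identity are deliberately left out of the condition: for them identity.type has to become "SystemAssigned, UserAssigned" rather than "SystemAssigned", so they need a sibling definition with that value, the same split the built-in virtual machine policies use. After the remediation task finishes, confirm with az containerapp identity show on a previously non-compliant app.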