Azure SystemAssigned managed identity not being set by bicep deploy


I'm trying to configure an Azure App Service to use a SystemAssigned managed identity to facilitate access to a SQL Server resource using Bicep.

However, after deploying to Azure, the status of the System assigned identity is set to Off (as shown in the screenshot below).

[Screenshot: System assigned identity status set to Off]

The Bicep resource definition is as follows, with the identity type set to SystemAssigned:

resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: appServiceName
  location: location
  tags: tagValues
  kind: 'app,migration'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    clientAffinityEnabled: true
    clientCertEnabled: false
    clientCertMode: 'Required'
    containerSize: 0
    dailyMemoryTimeQuota: 0
    enabled: true
    hostNamesDisabled: false
    hostNameSslStates: [
      // ...
    ]
    httpsOnly: true
    hyperV: false
    isXenon: false
    keyVaultReferenceIdentity: 'SystemAssigned'
    redundancyMode: 'None'
    reserved: false
    scmSiteAlsoStopped: false
    serverFarmId: appServicePlan.id
    siteConfig: {
      numberOfWorkers: 1
      acrUseManagedIdentityCreds: false
      alwaysOn: true
      functionAppScaleLimit: 0
      http20Enabled: false
      minimumElasticInstanceCount: 0
    }
    storageAccountRequired: false
    vnetContentShareEnabled: false
    vnetImagePullEnabled: false
    vnetRouteAllEnabled: false
  }
}

I know there exists a similar issue when the cloningInfo property is set, but this isn't the case here.

Am I missing something or should I raise this with Microsoft?

Jahnavi (accepted answer):

While enabling a system-assigned managed identity for an app service, there are certain limitations. In your case, enabling the alwaysOn property might not be supported with all the app services being deployed in the respective app service plan.

Ascertain that the App Service Plan to which your App Service is deployed is set up to enable System Assigned Managed Identity. This feature requires the use of a Premium, Isolated, or Elastic Premium service plan.

Also check the Azure Resource Provider for Managed Identity. It may not be registered in certain cases. Use the command below to check the status.

Get-AzResourceProvider -ProviderNamespace "Microsoft.ManagedIdentity"


As previously mentioned, the app service plan I've been utilizing has a conflict with the alwaysOn property. After modifying your code in the manner below, I was able to deploy it successfully once alwaysOn was disabled.

var webAppName = 'jhwebbla'
var appServicePlanName = toLower('AppServicePlan-${webAppName}')
param location string = resourceGroup().location
resource appServicePlan 'Microsoft.Web/serverfarms@2020-06-01' = {
  name: appServicePlanName
  location: location
  properties: {
    reserved: true
  }
  sku: {
    name: 'F1'
  }
  kind: 'app'
}
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: webAppName
  location: location
  kind: 'app,migration'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    clientAffinityEnabled: true
    clientCertEnabled: false
    clientCertMode: 'Required'
    containerSize: 0
    dailyMemoryTimeQuota: 0
    enabled: true
    hostNamesDisabled: false
    hostNameSslStates: [
      // ...
    ]
    httpsOnly: true
    hyperV: false
    isXenon: false
    keyVaultReferenceIdentity: 'SystemAssigned'
    redundancyMode: 'None'
    reserved: false
    scmSiteAlsoStopped: false
    serverFarmId: appServicePlan.id
    siteConfig: {
      numberOfWorkers: 1
      acrUseManagedIdentityCreds: false
      //alwaysOn: true
      functionAppScaleLimit: 0
      http20Enabled: false
      minimumElasticInstanceCount: 0
    }
    storageAccountRequired: false
    vnetContentShareEnabled: false
    vnetImagePullEnabled: false
    vnetRouteAllEnabled: false
  }
}

Deployment succeeded.
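As an added post-deployment check (this script is not part of the question or the answer above), the following Az PowerShell verifies that the site really carries a system-assigned identity with a populated principal id before any role assignment or SQL user is granted to it, and reports the alwaysOn and plan values that the answer identifies as the conflict. It assumes the Az module is installed and an authenticated session exists; $ResourceGroup and $SiteName are placeholders for your own names.

```powershell
# Added verification script (not from the question or answer). Placeholders:
# $ResourceGroup and $SiteName are your own resource group and App Service names.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $SiteName
)

# 1. The Managed Identity resource provider must be registered in the subscription.
#    Get-AzResourceProvider returns one entry per resource type; all share a state.
$provider = Get-AzResourceProvider -ProviderNamespace 'Microsoft.ManagedIdentity'
$state = ($provider | Select-Object -First 1).RegistrationState
if ($state -ne 'Registered') {
    Write-Warning "Microsoft.ManagedIdentity is '$state'; registering it now."
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.ManagedIdentity' | Out-Null
}

# 2. Read the site as actually deployed and inspect its identity block.
$site = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $SiteName

$identityOn = $site.Identity -and
              ("$($site.Identity.Type)" -match 'SystemAssigned') -and
              -not [string]::IsNullOrEmpty($site.Identity.PrincipalId)

if (-not $identityOn) {
    # The portal shows "Status: Off" exactly when this branch is taken.
    Write-Error ("System-assigned identity is OFF for {0}. alwaysOn={1}, plan={2}" -f
        $SiteName, $site.SiteConfig.AlwaysOn, $site.ServerFarmId)
    exit 1
}

# 3. Only once the principal exists is it safe to grant it access (for SQL, the
#    contained user created FROM EXTERNAL PROVIDER is resolved by this object id).
[pscustomobject]@{
    Site         = $SiteName
    IdentityType = "$($site.Identity.Type)"
    PrincipalId  = $site.Identity.PrincipalId
    TenantId     = $site.Identity.TenantId
    AlwaysOn     = $site.SiteConfig.AlwaysOn
    Plan         = $site.ServerFarmId
}
```

Run it right after the Bicep deployment in the same pipeline step so a missing identity fails the deployment instead of surfacing later as an authentication error against SQL.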