feat: update managed identity configurations and enhance web security (#2189)

Akhileswara-Microsoft · Roopan-Microsoft · web-flow · commit d4c58c821b6f · 2026-05-04T12:37:29.000+05:30
Co-authored-by: Roopan-Microsoft &lt;168007406+Roopan-Microsoft@users.noreply.github.com&gt;
diff --git a/extensions/teams/infra/azure.bicep b/extensions/teams/infra/azure.bicep
@@ -44,6 +44,9 @@ resource webApp 'Microsoft.Web/sites@2024-04-01' = {
   kind: 'app'
   location: location
   name: webAppName
+  identity: {
+    type: 'SystemAssigned'
+  }
   properties: {
     serverFarmId: serverfarm.id
     httpsOnly: true
diff --git a/infra/modules/app/eventgrid.bicep b/infra/modules/app/eventgrid.bicep
@@ -53,11 +53,17 @@ module avmEventGridSystemTopic 'br/public:avm/res/event-grid/system-topic:0.6.4'
     eventSubscriptions: [
       {
         name: name
-        destination: {
-          endpointType: 'StorageQueue'
-          properties: {
-            queueName: queueName
-            resourceId: storageAccountId
+        deliveryWithResourceIdentity: {
+          identity: {
+            type: 'UserAssigned'
+            userAssignedIdentity: userAssignedResourceId
+          }
+          destination: {
+            endpointType: 'StorageQueue'
+            properties: {
+              queueName: queueName
+              resourceId: storageAccountId
+            }
           }
         }
         eventDeliverySchema: 'EventGridSchema'
diff --git a/infra/modules/core/host/appservice.bicep b/infra/modules/core/host/appservice.bicep
@@ -37,8 +37,10 @@ param clientAffinityEnabled bool = true
 param appServiceEnvironmentResourceId string?
 
 import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.7.0'
-@description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentityAllType?
+@description('Optional. The managed identity definition for this resource. Defaults to system-assigned managed identity.')
+param managedIdentities managedIdentityAllType = {
+  systemAssigned: true
+}
 
 @description('Optional. The resource ID of the assigned identity to be used to access a key vault with.')
 param keyVaultAccessIdentityResourceId string?
diff --git a/infra/modules/core/host/web-sites.config.bicep b/infra/modules/core/host/web-sites.config.bicep
@@ -58,7 +58,16 @@ var appInsightsValues = !empty(applicationInsightResourceId)
     }
   : {}
 
-var expandedProperties = union(currentAppSettings, properties, azureWebJobsValues, appInsightsValues)
+// Ensure FTPS enforcement and other security settings for 'web' config
+var webConfigSecurityDefaults = name == 'web'
+  ? {
+      ftpsState: 'FtpsOnly'
+      minTlsVersion: '1.3'
+      httpsOnly: true
+    }
+  : {}
+
+var expandedProperties = union(currentAppSettings, properties, azureWebJobsValues, appInsightsValues, webConfigSecurityDefaults)
 
 resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(applicationInsightResourceId)) {
   name: last(split(applicationInsightResourceId!, '/'))
