Search services use a managed identity

March 21, 2025

SYNOPSIS

Configure managed identities to access Azure resources.

DESCRIPTION

AI Search (previously known as Cognitive Search) may require connections to other Azure resources. These connections are required to use some features, including indexing and customer-managed keys. AI Search can use managed identities to authenticate to Azure resources without storing credentials.

Using Azure managed identities has the following benefits:

  • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
  • You can use managed identities to authenticate to any Azure service that supports Entra ID authentication.
  • Managed identities can be used without any additional cost.

RECOMMENDATION

Consider configuring a managed identity for each AI Search service. Also consider using managed identities to authenticate to related Azure services.

EXAMPLES

Configure with Azure template

To deploy AI Search services that pass this rule:

  • Set the identity.type property to SystemAssigned.

For example:

{
  "type": "Microsoft.Search/searchServices",
  "apiVersion": "2022-09-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "standard"
  },
  "properties": {
    "replicaCount": 3,
    "partitionCount": 1,
    "hostingMode": "default"
  }
}
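
A pre-deployment check for the template setting above, as an added example that is not code from the original page: it walks an ARM template, including child resources and nested deployments, and lists the AI Search services whose identity.type does not name a managed identity. The function names and the sample template are constructed for illustration, and accepting UserAssigned as well as SystemAssigned is an assumption that goes beyond the page's example.

```python
import json

SEARCH_TYPE = "microsoft.search/searchservices"
# Constructed sample template (not from the page): one service with a
# system-assigned identity, one with no identity block, one nested with None.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Search/searchServices", "apiVersion": "2022-09-01",
   "name": "search-ok", "identity": {"type": "SystemAssigned"}},
  {"type": "Microsoft.Search/searchServices", "apiVersion": "2022-09-01",
   "name": "search-no-identity"},
  {"type": "Microsoft.Resources/deployments", "name": "nested",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.Search/searchServices", "apiVersion": "2022-09-01",
      "name": "search-none", "identity": {"type": "None"}}]}}}
]}
""")


def iter_resources(resources):
    """Yield every resource, including child resources and nested deployments."""
    if isinstance(resources, dict):  # symbolic-name templates key resources by name
        resources = resources.values()
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))
        props = res.get("properties")
        if isinstance(props, dict) and isinstance(props.get("template"), dict):
            yield from iter_resources(props["template"].get("resources"))


def has_managed_identity(resource):
    """True when identity.type names a managed identity (not absent or None)."""
    identity = resource.get("identity")
    id_type = identity.get("type", "") if isinstance(identity, dict) else ""
    # Assumption: UserAssigned also counts; the page itself only shows SystemAssigned.
    kinds = {part.strip().lower() for part in str(id_type).split(",")}
    return bool(kinds & {"systemassigned", "userassigned"})


def find_search_without_identity(template):
    """Return names of AI Search services that declare no managed identity."""
    return [r.get("name", "<unnamed>") for r in iter_resources(template.get("resources"))
            if str(r.get("type", "")).lower() == SEARCH_TYPE and not has_managed_identity(r)]


if __name__ == "__main__":
    for name in find_search_without_identity(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: no managed identity configured")
```

Template expressions are not evaluated, so an identity.type supplied through a parameter reference is reported as missing and needs a manual look.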

Configure with Bicep

To deploy AI Search services that pass this rule:

  • Set the identity.type property to SystemAssigned.

For example:

resource search 'Microsoft.Search/searchServices@2022-09-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'standard'
  }
  properties: {
    replicaCount: 3
    partitionCount: 1
    hostingMode: 'default'
  }
}