Blog Post

Apps on Azure Blog
5 MIN READ

Managed Identity support for WordPress on App Service

abhishekreddy's avatar
abhishekreddy
Icon for Microsoft rankMicrosoft
Sep 10, 2024

We’re thrilled to share with you that WordPress on App Service now supports Managed Identity. This means your WordPress site can securely access other Azure resources, like Azure Database for MySQL Flexible Server and Azure Communication Service Email, without the hassle of managing connection strings and secrets.

 

What is a managed Identity and why should you implement it for WordPress on App Service?

A frequent issue developers face is handling secrets, credentials, certificates, and keys needed for secure communication between services. Managed identities remove the necessity for developers to oversee these credentials.

Even though developers can securely store secrets in Azure Key Vault, services still require a method to access it. Managed identities offer an automatically managed identity in Microsoft Entra ID that applications can use to connect to resources supporting Microsoft Entra authentication. Using managed identities, applications can acquire Microsoft Entra tokens without needing to manage any credentials.

 

Managed identities are an excellent way to enhance the security of your WordPress application. They eliminate the need to manage credentials, as they integrate seamlessly with various Azure services, providing secure access without explicit credentials. Best of all, you can use managed identities at no additional cost.

 

There are two types of managed identities: System-assigned and User-assigned. To learn more about managed identities and its types visit https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview

 

How does WordPress on App Service use a managed Identity?

WordPress on App Service now uses a user-assigned managed identity configured with App Service. This managed identity allows access to other Azure resources, such as the Azure Database for MySQL flexible server or Azure Communication Services Email, without needing to store credentials in Application settings as we did before. https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/wordpress_application_settings.md

 

This approach also eliminates the need for connection strings and storing secrets in Key Vault. Moving forward, this will be the default behavior for WordPress on App Service. We recommend adopting this approach. For new websites created on or after September 9, 2024, managed identities will be configured by default if the Managed Identity checkbox in the Add-ins tab is checked during the creation process. https://portal.azure.com/#create/WordPress.WordPress

 

How to configure managed identity for WordPress on App Service?

For new website deployments (on or after 9 September 2024), managed identity is configured by default. In the creation experience, navigate to the Add-ons tab, where you will see that managed identity is enabled by default. We highly recommend following this approach. However, you can disable this feature if you need to manually set up managed identities or if your policies require a different approach.

 

 

For older websites, we need to follow the steps below to configure Managed Identity for WordPress on App Service.

 

Step 1. Create a user assigned managed identity resource.

Follow the steps here: https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity to create a new user assigned managed identity.

 

Or you can directly go to the create flow here: https://portal.azure.com/#create/Microsoft.ManagedIdentity

We recommend that you select the same Resource group and Region for your managed identity as with other resources of WordPress on App Service. This will make it easier for you to manage these resources together.

 

Step 2. Configure managed identity for App Service

Follow the steps here: https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#add-a-user-assigned-identity

 

Step 3. Enable managed identity authentication for Azure Database for MySQL flexible server

This step has two parts:

Part 1: Enable MySQL database authentication using managed identity

  1. Go to Azure database for MySQL resource. Go to Security > Authentication.

     

  2. Select ‘Microsoft Entra authentical only’ option in the authentication section. The allows authentication only using Microsoft Entra account and disables MySQL native password-based authentication. We highly recommend this approach. Although you could select ‘MySQL and Microsoft Entra authentication’ to enable authentication using both methods.’
  3. In the Select Identity section, select the user assigned managed identity you had crated in Step1.

     

  4. In the ‘Microsoft Entra Admins’ section click on ‘Select’. In the search option search for the Managed Identity name, and you will find an Admin with the same name of type ‘Enterprise application’. Select that option and click on ‘Select’.

     

  5. Now Azure database for MySQL has been configured to authenticate with the managed Identity. For more details, visit: https://learn.microsoft.com/azure/mysql/flexible-server/how-to-azure-ad#configure-the-microsoft-entra-admin

 

Part 2: Update application settings: Go to App Service Resource > Settings > Environment variables.

 

  1. Add these settings:

ENTRA_CLIENT_ID

<Client ID of managed identity>

ENABLE_MYSQL_MANAGED_IDENTITY

true

You can find the client ID of the managed Identity in the overview section of the managed identity resource.

 

  1. Edit these settings:

DATABASE_USERNAME

<Microsoft Entra Admin>

This is the Microsoft Entra Admin we added in Part 1 earlier. This is usually same as the name of the managed identity.

 

 

Step 4. Enable managed identity authentication for Azure Communication Services Email

Part 1: Enable managed identity to access ACS Email resource

 

  1. Go to Communication service resource > Access Control (IAM)

     

  2. Click on ‘+Add’ and ‘Add role assignment’

     

  3. Select Privileged administrator roles > Contributor

 

  1. Assign access to ‘Managed identity’. Click on ‘+ Select members’. Select the managed identity created in Step 1. Click on ‘Select’.

     

  2. Click on ‘Review + assign’

     

Part 2: Add Environment variables

  1. Go to App Service resource > Settings > Environment variables.
  2. Add this application setting:

ENABLE_EMAIL_MANAGED_IDENTITY

true

 

 

Note that ENTRA_CLIENT_ID is a crucial environment variable for setting up ACS Email with managed identity. The details are omitted here as they are already covered in the MySQL configuration section. If you are configuring managed identity solely for ACS Email or have skipped the MySQL configuration, ensure you do not overlook this step.

 

Step 5. Make code level changes.

Next you need to make code level changes to make sure that WordPress is able to access the database and email server. This includes making changes to wp-config.php and the email plugin.

 

We have created a script to help you make this code changes faster. Go to Kudu SSH and run this script:

 

 

 

/usr/local/bin/managed-identity-setup.sh

 

 

 

 

Now you have successfully enabled WordPress on App Service to use managed identity.

 

Note: You can log in to phpMyAdmin by using the value from DATABASE_USERNAME environment variable as the username and the token as the password. To find the token use your Kudu SSH to run the following command:

 

 

 

/usr/local/bin/fetch-mysql-access-token.sh

 

 

 

 

Support and Feedback

Did you like this article? Please click on like if you do. Also, leave your comments, and help us to make this article better.

 

If you need any assistance, feel free to open a support request through the Microsoft Azure portal.

 

You can also report an issue on our GitHub repository Issues

 

For more details about our offering, check out the announcement on the General Availability of WordPress on Azure App Service.

 

Also, you can find here all articles related to WordPress on App Service.

 

You can share your thoughts and suggestions on our community page.

 

Would love to know about your experience & issues you are facing, and you can start a conversation with us by emailing to wordpressonazure@microsoft.com

Updated Sep 12, 2024
Version 4.0
  • folio1's avatar
    folio1
    Copper Contributor

    abhishekreddy 

    Thanks for the overview...

    So, the only option is to provide the developer with the token to log into PhpMyAdmin?

    Note: You can log in to phpMyAdmin by using the value from DATABASE_USERNAME environment variable as the username and the token as the password. To find the token use your Kudu SSH to run the following command:

  • folio11, yes, that is the only way to access phpMyAdmin. I you wish to change the settings; you can go to your MySQL resource > Authentication and select 'MySQL and Microsoft Entra authentication'.

  • admin2475's avatar
    admin2475
    Copper Contributor

    Did you have to manually assign any permissions to the newly created managed identity? I was reading in the link provided you needed user.read.all, group.read.all, and application.read.all permissions or directory reader role assigned. I do not see a step where you do that but you go straight to using the identity. For me going by the instructions provided it does not seem to work.