Azure Container Apps Service to use Managed built-in policy definition

To apply the built-in Azure Policy "Managed Identity should be enabled for Container Apps", follow these steps to ensure that all Container Apps in your specified scope have Managed Identity enabled

In search type Policy, under that look for definitions on the left side column, under Definitions, search for "Managed Identity should be enabled for Container Apps"

You can also use CLI

az policy definition list --query "[?contains(displayName, 'Managed Identity should be enabled for Container Apps')]" -o table

Assign the policy to your target scope for example your resource group under which you will deploy your ACA

az policy assignment create  --name $POLICY_NAME  --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"  --policy $POLICY_ID

Done. You can validate the same by deploying a test container App

Let’s say this one is non-compliant, another is compliant. The policy should tell you now if it’s non-compliant

az containerapp create 
  --name test-noncompliant-app 
  --resource-group <your-resource-group-name> 
  --environment <your-container-app-environment-name> 
  --image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest

Now check. trigger a fresh scan

az policy state trigger-scan --resource-group $RESOURCE_GROUP

Let it run. Once you get the prompt back now check-

az policy state list 
  --filter "policyAssignmentName eq '$POLICY_NAME'" 
  --query "[?complianceState=='NonCompliant'].{Resource: resourceId, Compliance: complianceState}" 
  -o table

You can check the same from portal as well

You can even prevent non-compliant resources from being created, enable enforcement mode. Checkout – Tutorial: Create and manage policies to enforce compliance and MS Doc