Microsoft implements this Identification and Authentication control
Name/Id: ACF1340 / Microsoft Managed Control 1340 Category: Identification and Authentication Title: Authenticator Management | No Embedded Unencrypted Static Authenticators Ownership: Customer, Microsoft Description: The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. Requirements: Azure explicitly prohibits the use of unencrypted static authenticators embedded in applications, access scripts, or function keys. Any script that uses an authenticator makes a call to a secrets management database prior to each use. Access to the secrets management database is audited, which allows detection of violations of this prohibition if a service account is used to access a system without a corresponding call to the secrets management database.
Azure service teams perform security testing for Azure services through the Security Development Lifecycle (SDL) process that is followed for all engineering and development projects. As part of the security testing that occurs during multiple phases of the SDL process, Azure teams ensure there are no unencrypted authenticators embedded in the applications, access scripts or function keys. CredScan is utilized on all official builds in all build pipelines, and either breaking the build process preventing production use or creating work items assigned to the Azure service team for remediation.
Rule resource types
IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups