We are in the process of migrating an ASP.NET application to Azure. The app is running in IIS, in a dedicated application pool.
We've learned that the best way to implement access authorisation to external resources (e.g. database, secrets in KeyVault, etc.) is to use passwordless 'managed identities', so we've followed this approach.
As the application is .NET Framework based (really old, legacy stuff), the only way it can leverage the managed identity is to have it assigned to the entire VM. We can't assign this MI to the application pool only. So, in this scenario it appears that any code running on the machine, not just our app, could potentially get access to wherever our application is authorised to enter.
This raises some concerns...
Generally, is assigning an MI to a whole VM considered by the community to be a secure practice?
If not, does anyone know how to assign an MI to just a specific application pool (not the whole VM)?
Note: the VM is expected to run our application code only, but that is not guaranteed. This post is all about reducing the attack surface.