Managed identities for Azure resources provide an automatically managed identity in Azure Active Directory (Azure AD) that applications can use to authenticate to services that support Azure AD authentication. This feature eliminates the need for developers to manage credentials in their code, configuration files, or environment variables.
There are two types of managed identities:
1. **System-assigned managed identity**: This identity is enabled on an Azure service instance (such as a virtual machine, App Service, or Azure Function). When enabled, Azure creates an identity tied to that resource's lifecycle. When the resource is deleted, Azure automatically cleans up the identity. Only that specific Azure resource can use this identity to request tokens from Azure AD.
2. **User-assigned managed identity**: This is created as a standalone Azure resource. You can assign it to one or more Azure service instances. The identity is managed separately from the resources that use it, meaning it persists even when associated resources are deleted.
**Key Benefits:**
- **Credential management**: Azure handles the rotation and protection of credentials automatically
- **Simplified authentication**: Applications can obtain tokens for Azure services like Key Vault, Azure SQL, Storage, and others
- **Security enhancement**: Reduces the risk of credential exposure since secrets are never stored in code
- **Cost-effective**: No additional charges for using managed identities
**Common Use Cases:**
- Accessing Azure Key Vault secrets from applications
- Connecting to Azure SQL Database from App Services
- Accessing Azure Storage from virtual machines
- Authenticating to Azure Resource Manager for automation tasks
To implement managed identities, you enable the identity on the resource, grant appropriate role-based access control (RBAC) permissions to the identity, and then use Azure SDKs or REST APIs to acquire tokens. This approach follows the principle of least privilege and significantly improves the security posture of Azure deployments.
Managed Identities for Azure Resources - Complete Guide
Why Managed Identities Are Important
Managed identities eliminate the need to store credentials in code, configuration files, or key vaults when accessing Azure services. This significantly reduces the risk of credential exposure and simplifies secret management. For the AZ-500 exam, understanding managed identities is crucial as they represent a security best practice for authenticating Azure resources to other Azure services.
What Are Managed Identities?
Managed identities provide Azure services with an automatically managed identity in Azure Active Directory (Azure AD). This identity can be used to authenticate to any service that supports Azure AD authentication. There are two types:
1. System-Assigned Managed Identity:
   - Created as part of an Azure resource (like a VM or App Service)
   - Shares the lifecycle with the resource (deleted when the resource is deleted)
   - Cannot be shared across multiple resources
   - One-to-one relationship with the resource
2. User-Assigned Managed Identity:
   - Created as a standalone Azure resource
   - Has an independent lifecycle from the resources it is assigned to
   - Can be shared across multiple Azure resources
   - Ideal for workloads running on multiple resources that need the same permissions
How Managed Identities Work
1. Azure creates a service principal in Azure AD for the managed identity
2. The Azure platform manages credential rotation automatically
3. Your code requests tokens from the Azure Instance Metadata Service (IMDS) endpoint
4. The token is used to authenticate to Azure services that support Azure AD authentication
The token endpoint is: http://169.254.169.254/metadata/identity/oauth2/token
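The token acquisition step above (and the "enable, grant RBAC, acquire tokens" workflow in the first part of the guide) boils down to one HTTP GET against the IMDS endpoint. The following is an added example, not code from the study guide or from Microsoft's SDKs: it builds that request with the standard library, adds the mandatory `Metadata: true` header, optionally targets a user-assigned identity by `client_id`, and parses the JSON reply. The `fetch` parameter and `fake`-style injection are assumptions for offline use; the endpoint, query parameters and response fields are the documented IMDS contract.

```python
"""Build and parse an Azure IMDS managed-identity token request.

Constructed example (not from the study guide). The HTTP call goes through
an injectable `fetch` so the logic can be exercised off an Azure VM.
"""
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"  # GA api-version for this endpoint


def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    resource:  audience of the target service, e.g. https://vault.azure.net
    client_id: set only for a user-assigned identity; omit it for a
               system-assigned identity (IMDS then uses the resource's own).
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests that lack this header. That is a deliberate
    # defence: a browser or a redirect-following client used in an SSRF
    # attempt will not add it, so the token stays out of reach.
    headers = {"Metadata": "true"}
    return url, headers


def _default_fetch(url, headers):
    """Real transport: only ever talks to the link-local IMDS address."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def get_managed_identity_token(resource, client_id=None, fetch=_default_fetch):
    """Request a token and return (access_token, expires_on as Unix time)."""
    url, headers = build_token_request(resource, client_id)
    body = json.loads(fetch(url, headers))
    # Cache the token until expires_on instead of calling IMDS per request.
    return body["access_token"], int(body["expires_on"])


if __name__ == "__main__":
    print(build_token_request("https://vault.azure.net"))
```

Run on an Azure VM with a managed identity enabled, `get_managed_identity_token("https://vault.azure.net")` returns a bearer token usable against Key Vault only once the identity has the matching RBAC role or access policy, as the guide stresses.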
Supported Azure Services
Resources that can use managed identities include:
- Azure Virtual Machines
- Azure App Service and Functions
- Azure Logic Apps
- Azure Kubernetes Service
- Azure Data Factory
- Azure API Management
Services that accept managed identity authentication include:
- Azure Key Vault
- Azure Storage
- Azure SQL Database
- Azure Event Hubs
- Azure Service Bus
Exam Tips: Answering Questions on Managed Identities
Key Points to Remember:
1. Choose System-Assigned when: The identity should be tied to a single resource and deleted with it. Look for scenarios involving a single VM or App Service needing access to Azure resources.
2. Choose User-Assigned when: Multiple resources need the same permissions, or the identity needs to persist beyond the resource lifecycle. Look for scale set scenarios or pre-authorization requirements.
3. RBAC Integration: Managed identities require proper RBAC role assignments to access target resources. The identity itself grants no permissions.
4. No Credential Storage: When a question asks about eliminating stored credentials or secrets for service-to-service authentication, managed identities are typically the answer.
5. Token Acquisition: Remember that tokens are obtained from the IMDS endpoint at 169.254.169.254. Questions may reference this local endpoint.
6. Lifecycle Considerations: If a question mentions needing an identity that survives resource deletion, user-assigned is correct.
Common Exam Scenarios:
- A VM needs to access Key Vault secrets: Enable a system-assigned managed identity and grant it a Key Vault access policy
- Multiple VMs in a scale set need identical permissions: Use a user-assigned managed identity
- An App Service needs to query Azure SQL: Enable a managed identity and configure Azure AD authentication on SQL
- Eliminate connection strings with passwords: Replace them with managed identity authentication
Watch Out For:
- Questions that mix up system-assigned and user-assigned characteristics
- Scenarios where managed identities are presented alongside service principals: managed identities are generally preferred for Azure-to-Azure scenarios
- Remember that managed identities only work for Azure resources and Azure AD-integrated services