Managing Managed Identities
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Managing Managed Identities: A Comprehensive Guide to Secure Access
Introduction: The Identity Problem in Cloud Computing
In the early days of cloud infrastructure, developers often faced a significant security dilemma: how do you allow an application running on a server to access another cloud service, such as a database or storage account, without hardcoding sensitive credentials? The traditional approach involved storing connection strings, API keys, or service principal secrets in configuration files, environment variables, or even directly in the source code. This practice, while functional, created a massive security liability. If a developer accidentally committed a configuration file to a version control system like GitHub, the secrets were exposed to anyone with access to the repository. Even if kept internal, rotating these secrets required manual intervention, application restarts, and complex coordination across teams.
Managed Identities solve this problem by providing an automatically managed identity in Microsoft Entra ID (formerly Azure Active Directory) for applications to use when connecting to resources that support Entra authentication. Instead of a developer managing a secret, the cloud platform itself manages the identity. The application simply requests an access token from a local endpoint, and the infrastructure handles the authentication process behind the scenes. This eliminates the need for developers to handle credentials entirely, significantly reducing the attack surface of cloud-native applications. Understanding how to implement and manage these identities is a fundamental skill for any cloud engineer or developer working within the Microsoft ecosystem.
Understanding the Core Concepts
At its most basic level, a Managed Identity is an Entra ID service principal of a special type. Unlike a standard service principal that you might create manually for an application, a Managed Identity is tied to the lifecycle of the Azure resource that uses it. When you delete the virtual machine or the App Service instance that holds the identity, the Managed Identity is automatically removed, preventing "orphaned" credentials from lingering in your directory.
There are two primary types of Managed Identities, and choosing the right one depends on your specific architectural requirements:
- System-Assigned Managed Identity: This identity is enabled directly on a single Azure resource. It has a one-to-one relationship with that resource. If the resource is deleted, the identity is deleted. This is the most common and recommended approach for simple, self-contained services.
- User-Assigned Managed Identity: This identity is created as a standalone Azure resource. It can be assigned to one or more Azure resources, such as multiple virtual machines or a mix of App Services and Functions. This is ideal for scenarios where you have a set of services that all need the same set of permissions, or when you need to retain the identity even if the consuming resource is recreated.
Callout: System-Assigned vs. User-Assigned Choosing between these two types comes down to lifecycle management. Use System-Assigned identities when the identity's existence is strictly tied to a single resource. Use User-Assigned identities when you need to share a common identity across multiple resources or when you want to provision the identity independently of the application code or infrastructure deployment.
How Managed Identities Work Under the Hood
When an application running on an Azure resource needs to access a protected service, it does not need to know the password or secret associated with its identity. Instead, it interacts with a local metadata service provided by the Azure platform. This service is accessible via a REST endpoint that is only reachable from within the Azure resource.
The process follows a specific handshake:
- The application sends a request to the local Managed Identity endpoint (typically
http://169.254.169.254). - The Azure platform recognizes the request originates from a trusted resource and validates the identity associated with that resource.
- The platform communicates with Entra ID to request an access token on behalf of the application.
- Entra ID issues an OAuth 2.0 access token, which is returned to the application.
- The application uses this token in the
Authorizationheader of its request to the target service (e.g., Azure Key Vault, Azure SQL, or Azure Blob Storage).
This mechanism ensures that the application never actually "sees" a credential. Even if an attacker gains access to the application's runtime environment, they cannot extract a static secret because no such secret exists in the application's memory or file system.
Implementing System-Assigned Managed Identities
Implementing a system-assigned identity is a straightforward process that can be completed through the Azure Portal, the Azure CLI, or infrastructure-as-code templates like Bicep or Terraform.
Step-by-Step: Enabling via Azure Portal
- Navigate to your target Azure resource (e.g., a Virtual Machine).
- In the left-hand navigation menu, look for the "Identity" section under the "Settings" category.
- Under the "System assigned" tab, toggle the "Status" switch to "On."
- Click "Save." Azure will then register the resource with Entra ID and create the service principal.
Step-by-Step: Enabling via Azure CLI
You can achieve the same result with a single command:
# Assign a system-assigned identity to a virtual machine
az vm identity assign --name MyVmName --resource-group MyResourceGroup
Once the identity is enabled, the resource will have an "Object ID." You use this ID to assign permissions to the resource, typically via Role-Based Access Control (RBAC).
Working with User-Assigned Managed Identities
User-assigned identities are slightly more involved because they exist as independent resources. You must create the identity first, then assign it to your compute resources.
Creating a User-Assigned Identity
Using the Azure CLI, you create the identity resource:
# Create the identity
az identity create --name MyManagedIdentity --resource-group MyResourceGroup
After creation, you will receive a response containing the principalId and the clientId. The principalId is used for granting permissions, while the clientId is often used in code to identify which identity to use if a resource has multiple user-assigned identities attached.
Assigning to a Resource
Once created, you attach the identity to your resource:
# Attach the identity to a virtual machine
az vm identity assign --name MyVmName \
--resource-group MyResourceGroup \
--identities "/subscriptions/sub-id/resourcegroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MyManagedIdentity"
Granting Permissions: The Role of RBAC
Simply creating a Managed Identity does not grant it access to anything. By default, a new identity has no permissions. You must explicitly grant it access to the resources it needs to interact with using Azure RBAC.
For example, if you want your Managed Identity to read blobs from an Azure Storage account, you must assign the "Storage Blob Data Reader" role to that identity within the scope of the storage account.
Note: Always follow the principle of least privilege. Do not assign the "Owner" or "Contributor" role to a Managed Identity if the application only needs to read data. Assign the most restrictive role that allows the application to perform its required functions.
Example: Assigning a Role via CLI
# Assign Storage Blob Data Reader to the managed identity
az role assignment create --assignee <Principal-ID-of-Identity> \
--role "Storage Blob Data Reader" \
--scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account-name>
Using Managed Identities in Application Code
The most common way to interact with Managed Identities is through the Azure Identity client libraries, which are available for most major programming languages (C#, Python, Java, JavaScript, Go). These libraries are designed to be "identity-aware" and will automatically try to authenticate using a Managed Identity if available.
Example: Python (Accessing Key Vault)
The DefaultAzureCredential class is a powerful tool. It attempts to authenticate in a specific order: Environment variables, Managed Identity, and finally local developer credentials (like Azure CLI login). This makes it perfect for code that runs in both development and production.
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
# The library automatically detects the Managed Identity in production
credential = DefaultAzureCredential()
vault_url = "https://my-vault.vault.azure.net/"
client = SecretClient(vault_url=vault_url, credential=credential)
# Retrieve a secret
secret = client.get_secret("my-database-connection-string")
print(secret.value)
Example: C# (Accessing Blob Storage)
Similarly, in .NET, the DefaultAzureCredential handles the heavy lifting:
using Azure.Identity;
using Azure.Storage.Blobs;
var credential = new DefaultAzureCredential();
var blobServiceClient = new BlobServiceClient(new Uri("https://myaccount.blob.core.windows.net"), credential);
// Now you can interact with the storage service
var containerClient = blobServiceClient.GetBlobContainerClient("my-container");
Best Practices for Managed Identity Management
Managing identities at scale requires a structured approach. Without proper governance, you can easily end up with a cluttered directory of unused identities.
1. Standardize Naming Conventions
Use a clear naming convention for User-Assigned identities. For example, include the application name, environment, and purpose (e.g., id-appname-prod-web-001). This makes it significantly easier to identify which resources an identity belongs to when performing audits.
2. Audit Regularly
Periodically review your user-assigned identities to see if they are still in use. If you see an identity that is not assigned to any resource, delete it. Use the Azure Resource Graph to query for orphaned identities across your subscriptions.
3. Avoid Shared Identities Across Unrelated Applications
While it is tempting to create a "GeneralAppIdentity" and use it for every service in your cluster, this is a security risk. If one application is compromised, the attacker gains the permissions of every other application using that same identity. Use separate identities for separate services whenever possible.
4. Monitor via Entra ID Logs
Enable logging for your Entra ID service principals. You can see when an identity was used, which resources it accessed, and if any attempts were denied. This is crucial for troubleshooting permission issues and detecting potential misuse.
5. Use Infrastructure as Code (IaC)
Always provision Managed Identities using Bicep, Terraform, or ARM templates. This ensures that the identity and its associated RBAC assignments are created together, reducing the risk of human error where an identity is created but permissions are forgotten.
Callout: The "DefaultAzureCredential" Magic The
DefaultAzureCredentialprovider is your best friend in cloud development. It abstracts away the complexity of switching between local development and cloud production. In development, it uses your local CLI credentials; in production, it seamlessly switches to the Managed Identity. This means you never have to change your code when moving from your laptop to the cloud.
Common Pitfalls and Troubleshooting
Even with a well-designed system, issues will arise. Being prepared to debug these scenarios is essential.
Pitfall: "403 Forbidden" Errors
This is the most common error. It almost always means the Managed Identity is correctly configured, but it lacks the necessary RBAC permissions on the target resource.
- How to fix: Double-check the RBAC assignment. Ensure the assignment is at the correct scope (e.g., at the container level for Storage, not just the account level). Remember that RBAC changes can take a few minutes to propagate across the Azure control plane.
Pitfall: Identity Not Found
If your application code cannot find the identity, it might be due to the environment not being fully initialized.
- How to fix: Ensure the resource (VM, App Service) has finished its startup sequence. If you are using a custom container, ensure the container has access to the internal metadata endpoint. Check if any network security groups (NSGs) are blocking traffic to
169.254.169.254.
Pitfall: The "Missing" Identity
Sometimes users delete an identity, but the resource assignment remains, leading to "ghost" configurations.
- How to fix: Always use IaC to manage the relationship. If you must use the portal, perform a "cleanup" task every quarter to verify that all assigned identities exist and are in use.
Comparison: Managed Identities vs. Other Authentication Methods
| Feature | Managed Identity | Service Principal (Secrets) | Shared Access Keys |
|---|---|---|---|
| Secret Management | Automated (None) | Manual | Manual |
| Credential Rotation | Automatic | Required | Required |
| Exposure Risk | Low (Internal only) | High (Stored in config) | Very High (Hardcoded) |
| Ease of Use | High | Low | Medium |
| Best For | Azure-to-Azure services | Legacy or non-Azure apps | Public/Third-party access |
Quick Reference: When to use which Identity?
- System-Assigned Identity: Use this for 90% of your scenarios. It is the easiest to manage, has zero maintenance overhead, and is automatically cleaned up when the resource is deleted.
- User-Assigned Identity: Use this when you have a cluster of microservices that all need access to the same Key Vault, or when you are using Azure Kubernetes Service (AKS) where you want to assign identities to specific pods (via Workload Identity).
Frequently Asked Questions (FAQ)
Q: Can I use Managed Identities for on-premises servers? A: No. Managed Identities are an Azure-native feature. For on-premises servers, you should use Entra ID application registration with federated identity credentials or managed secrets stored in Azure Key Vault.
Q: How many Managed Identities can I assign to a single resource? A: You can have one system-assigned identity and multiple user-assigned identities on a single resource.
Q: Are there any costs associated with Managed Identities? A: No, Managed Identities are provided at no additional cost as part of your Entra ID usage within Azure.
Q: Can a Managed Identity access resources in a different subscription? A: Yes, provided both subscriptions are linked to the same Entra ID tenant. You simply assign the RBAC role to the identity within the scope of the target subscription.
Conclusion and Key Takeaways
Managing identities in a secure, scalable way is a cornerstone of modern cloud architecture. By shifting from static secrets to dynamic, platform-managed identities, you significantly reduce the risk of credential leakage and operational overhead.
Key Takeaways for Your Organization:
- Stop Using Secrets: Prioritize the removal of hardcoded connection strings and service account keys in favor of Managed Identities.
- Adopt Identity-Aware SDKs: Always use the latest Azure Identity libraries (
DefaultAzureCredential) to ensure your code handles authentication automatically. - Enforce Least Privilege: Every Managed Identity should only have the minimum permissions required for its specific task. Regularly audit these assignments.
- Automate Everything: Use Infrastructure as Code (Bicep, Terraform) to define your identities and their RBAC assignments to prevent configuration drift.
- Lifecycle Management: Prefer System-Assigned identities for single-resource tasks to ensure that identity removal is handled automatically when the resource is decommissioned.
- Monitor Access: Treat identity usage as a security log. Use Azure Monitor and Entra ID logs to track which identities are accessing what data, ensuring you can detect anomalies quickly.
By internalizing these practices, you move from a reactive security posture—where you are constantly chasing leaked keys—to a proactive one, where access is controlled, audited, and ephemeral by design. Managed identities are not just a convenience; they are a critical component of a secure, cloud-native development lifecycle.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons