What is Managed Identity?

• A way to providing access to Azure resources securly (service principle in Azure AD) without dealing with credentials
• Managed identities eliminate the need for developers to manage credentials
• Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication
• Applications may use the managed identity to obtain Azure AD tokens
• Managed identity enables Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code

Benefits Of Managed Identity?

• Once enabled, all necessary permissions can be granted via Azure role-based-access-control
• Azure Active Directory managed identities simplify secrets management for your cloud application
• You don’t need to manage credentials (credentials are not even accessible to you)
• You can use managed identities to authenticate to any resource that supports Azure Active Directory authentication including your own applications
• Managed identities can be used without any additional cost

Types

• System-assigned:
  • Allows to enable a managed identity directly on a service instance
  • Tied to your application and is deleted if your app is deleted
  • An app can only have one system-assigned identity
• User-assigned:
  • Created as a managed identity as a standalone Azure resource
  • A standalone Azure resource that can be assigned to your app
  • An app can have multiple user-assigned identities

How Does It Work?

• Managed identities have associated service principles object in Azure AD
• Authentication happens using certificates (actual implementation is not exposed by Microsoft)
• After authenticating (using certificates), managed identity gets authentication token from Azure AD using it’s associated service principle

Usage Example

Managed identity can be used for apps running in app service of AKS to securly access Azure KeyVault

• Using managed identity to access KeyVault secret
• AKS Pod Managed Identity

Supported Resources

Azure CLI Command for list of resources that have a system-assigned managed identity

az resource list --query "[?identity.type=='SystemAssigned'].{Name:name,  principalId:identity.principalId}" --output table

See: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities

Links

• How can I use managed identities for Azure resources?
• Which operations can I perform using managed identities?
• Create and assign a role to a user-assigned managed identity using the Azure portal
• Azure RBAC to assign a managed identity access to another resource
• System-assigned managed identity for VM
• Managed identities for Azure resources frequently asked questions