Managed identities in Azure Active Directory (Azure AD) eliminate the need for developers to manage credentials by providing an identity for Azure resources that can be used to authenticate to any service that supports Azure AD authentication. In the context of the SC-300 Microsoft Identity and Access Administrator exam, understanding the creation and configuration of managed identities is critical.
Understanding Managed Identities
Azure Managed Identities are of two types: System-Assigned Managed Identity and User-Assigned Managed Identity.
- System-Assigned Managed Identity: This kind of managed identity is enabled directly on an Azure service instance. The lifecycle of a system-assigned managed identity is directly tied to the Azure service instance that it’s enabled on. When the resource is deleted, Azure automatically cleans up the credentials and the identity in the Azure AD.
- User-Assigned Managed Identity: This type of managed identity is created as a standalone Azure resource. Once the identity is created, one can assign it to one or more instances of an Azure service. The lifecycle of a user-assigned managed identity is managed separately from the lifecycle of the Azure service instances to which it’s assigned.
Here’s a basic comparison between the two:
| System-Assigned Managed Identity | User-Assigned Managed Identity |
|---|---|
| Tied to the lifecycle of the service instance it is created on | Exists independently of any service instances |
| Automatically cleaned up when the associated service instance is deleted | Needs to be manually deleted |
Creating Managed Identities
System-Assigned Managed Identity
Here is an example of how to create a system-assigned managed identity using Azure CLI:
```shell
az webapp identity assign --name WebAppName --resource-group ResourceGroupName
```
This command will return a JSON formatted object with a `principalId` and `tenantId`, which will be used to grant this App Service permissions in Azure AD.
User-Assigned Managed Identity
For creating a user-assigned managed identity, you can use the following Azure CLI command:
```shell
az identity create --name UserAssignedIdName --resource-group ResourceGroupName
```
This command again returns a JSON formatted object; here `principalId` and `clientId` are the important items, and they will be used when assigning this identity to Azure resources and when requesting tokens as it.
Configuring Managed Identities
You might need to grant your managed identity access to resources in your Azure AD tenant. For the system-assigned identity, you can do this by finding the enterprise application associated with the identity and granting it the necessary permissions.
To grant a system-assigned managed identity access to a resource, using Azure CLI:
```shell
az role assignment create --role Reader --assignee <principalId> --scope <ResourceID>
```
A user-assigned managed identity must likewise be assigned to a service instance before that instance can use it, and it is granted access in the same way as a system-assigned managed identity. However, remember that unlike system-assigned managed identities, user-assigned managed identities are separate from the instances and therefore need to be deleted separately.
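As an added example (not part of the original guide and not Microsoft's own tooling), the following Python parses the JSON that the two `az` commands above print and builds the role-assignment command with the correct identifier: `principalId` is what RBAC binds to, while `clientId` (user-assigned only) is what token requests use. The sample JSON and every GUID in it are constructed placeholders; the `--assignee-object-id` and `--assignee-principal-type` options are real Azure CLI flags, and the "single resource only" scope rule is this example's own least-privilege policy.

```python
import json
import re

# Constructed sample outputs shaped like the JSON that `az webapp identity assign`
# and `az identity create` print; every GUID and path here is a made-up placeholder.
SYSTEM_ASSIGNED_OUTPUT = """{
  "principalId": "11111111-1111-1111-1111-111111111111",
  "tenantId": "22222222-2222-2222-2222-222222222222",
  "type": "SystemAssigned",
  "userAssignedIdentities": null
}"""
USER_ASSIGNED_OUTPUT = """{
  "clientId": "33333333-3333-3333-3333-333333333333",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UserAssignedIdName",
  "name": "UserAssignedIdName",
  "principalId": "44444444-4444-4444-4444-444444444444",
  "tenantId": "22222222-2222-2222-2222-222222222222",
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}"""

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_identity(cli_output):
    """Pull the identifiers that matter out of the CLI's JSON output.

    principalId is the object ID of the service principal in Azure AD and is the
    value RBAC role assignments refer to. clientId is present only for
    user-assigned identities and is the value a token request uses to select it.
    """
    data = json.loads(cli_output)
    principal_id = data.get("principalId")
    if not principal_id or not GUID_RE.match(principal_id):
        raise ValueError("CLI output has no valid principalId")
    client_id = data.get("clientId")
    if client_id is not None and not GUID_RE.match(client_id):
        raise ValueError("clientId is not a GUID")
    return {
        "principal_id": principal_id,
        "client_id": client_id,
        "kind": "user-assigned" if client_id else "system-assigned",
    }


def role_assignment_command(identity, role, scope):
    """Build the argv for `az role assignment create` for a managed identity.

    Example policy: the scope must be a full ARM resource ID for one resource,
    so a grant never lands on a resource group or subscription by accident.
    --assignee-object-id together with --assignee-principal-type ServicePrincipal
    names the exact object to bind and skips the directory lookup --assignee
    performs, which can fail right after the identity is created.
    """
    if not scope.startswith("/subscriptions/"):
        raise ValueError("scope must be a full resource ID starting with /subscriptions/")
    # /subscriptions/<id>/resourceGroups/<rg>/providers/<ns>/<type>/<name> has 8 slashes;
    # anything shorter is a resource-group or subscription scope.
    if scope.count("/") < 8:
        raise ValueError("scope is broader than a single resource; narrow it")
    return [
        "az", "role", "assignment", "create",
        "--role", role,
        "--assignee-object-id", identity["principal_id"],
        "--assignee-principal-type", "ServicePrincipal",
        "--scope", scope,
    ]


if __name__ == "__main__":
    ident = parse_identity(USER_ASSIGNED_OUTPUT)
    vault = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "ResourceGroupName/providers/Microsoft.KeyVault/vaults/ExampleVault")
    print(" ".join(role_assignment_command(ident, "Reader", vault)))
```

Run as a script it prints the role-assignment command for the constructed user-assigned identity; the same `role_assignment_command` works for the system-assigned output because both carry a `principalId`.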
Azure AD managed identities are a powerful feature for ensuring a secure application environment. Understanding their creation, use, and configuration will significantly aid in improving the security posture of your application environment while also reducing the administrative overhead of managing service principals.
Practice Test
True or False: Managed identities for Azure resources is a feature of Azure Active Directory.
- True
- False
Answer: True.
Explanation: Managed identities for Azure resources is an identity management feature of Azure Active Directory that takes away all the difficulties of managing identities for applications.
Multiple select: Which two types of managed identities in Azure Active Directory can be used with an application?
- a) System-assigned
- b) User-assigned
- c) Role-assigned
- d) Resource-assigned
Answer: a) System-assigned, b) User-assigned.
Explanation: There are exactly two types of managed identities: System-assigned and User-assigned.
Single select: What does a System-Assigned Managed Identity use to create an identity for itself?
- a) A user’s login
- b) Resource’s lifecycle
- c) An application’s lifecycle
- d) An administrator’s login
Answer: b) Resource’s lifecycle.
Explanation: A System-Assigned Managed Identity is tied to the lifecycle of the resource that it’s created with.
True or False: A User-Assigned Managed Identity can be used by multiple Azure resources.
- True
- False
Answer: True.
Explanation: Unlike System-Assigned Managed Identities, User-Assigned Managed Identities can be used by multiple Azure resources.
Single select: What can be done to access Azure Key Vault with a Managed Identity?
- a) Use GET to retrieve information
- b) Create an access policy
- c) Store the key in the Identity
- d) Use PUT to store information
Answer: b) Create an access policy.
Explanation: By creating an access policy, Azure Key Vault allows a Managed Identity to perform certain operations.
True or False: A Managed Identity cannot be used to access Azure SQL Database.
- True
- False
Answer: False.
Explanation: Both system-assigned and user-assigned managed identities can be used to access Azure SQL Database.
Multiple select: Managed identities eliminate which two things?
- a) The need for developers to manage credentials.
- b) The need for secrets in code.
- c) The need for Azure resources.
- d) The need for a subscription to Azure.
Answer: a) The need for developers to manage credentials, b) The need for secrets in code.
Explanation: Managed identities provide Azure services with an automatically managed identity, eliminating the need for credentials or secrets in your code.
True or False: A Managed Identity is automatically managed by Azure Active Directory.
- True
- False
Answer: True.
Explanation: Managed identities for Azure are automatically managed by Azure Active Directory.
Single select: What is the primary goal of Azure Managed Identity?
- a) To provide security and privacy for Azure services.
- b) To eliminate credentials from code.
- c) To automatically manage Azure resources.
- d) To monitor Azure activity.
Answer: b) To eliminate credentials from code.
Explanation: The primary goal of Azure Managed Identity is to help resolve the problem of keeping credentials secure from exposure in your code.
True or False: When a system-assigned managed identity is deleted, Azure automatically deletes the identity in Azure AD.
- True
- False
Answer: True.
Explanation: System-assigned managed identities are tied to the lifecycle of a resource, and when the resource is deleted, Azure automatically cleans up the identity.
Interview Questions
1. How do you create a managed identity for an Azure resource?
To create a managed identity for an Azure resource, you can do so through the Azure portal, Azure PowerShell, Azure CLI, REST API, or ARM template.
2. What is the purpose of a managed identity in Azure?
A managed identity in Azure provides an identity for the service to use when authenticating with Azure Active Directory (Azure AD) and other Azure services.
3. Can a managed identity be assigned to multiple Azure resources?
Yes, a managed identity can be assigned to multiple Azure resources within the same Azure Active Directory (Azure AD) tenant.
4. How can you assign permissions to a managed identity in Azure?
You can assign permissions to a managed identity by granting it access to Azure resources or using Azure role-based access control (RBAC) to assign specific roles.
5. How do you retrieve a managed identity’s credentials in Azure?
In Azure, managed identities provide an authentication token that can be retrieved from Azure Instance Metadata Service (IMDS) or by using Azure SDKs and Azure libraries.
6. What is the difference between a system-assigned managed identity and a user-assigned managed identity?
A system-assigned managed identity is created and managed by Azure for a specific Azure resource, while a user-assigned managed identity is created and managed independently as a standalone Azure resource.
7. Can a managed identity be used to authenticate with non-Azure resources?
Yes, a managed identity can be used to authenticate with non-Azure resources by leveraging the Azure AD authentication token provided to the managed identity.
8. How can you verify the successful creation of a managed identity in Azure?
You can verify the successful creation of a managed identity in Azure by checking the Azure portal, using Azure PowerShell or Azure CLI commands, or querying Azure Resource Manager REST API.
9. What are the security benefits of using managed identities in Azure?
Using managed identities in Azure helps eliminate the need to store credentials in code or configuration files, reducing the risk of credential exposure and simplifying security management.
10. Can a managed identity be reused across different Azure subscriptions?
Yes, a user-assigned managed identity can be reused across different Azure subscriptions within the same Azure Active Directory (Azure AD) tenant, allowing for centralized identity management.
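Interview questions 5 and 7 describe how a workload actually obtains its credential: a token from the Azure Instance Metadata Service (IMDS). The following Python is an added example, not part of the original guide or any Azure SDK, showing the request shape for both identity types and how to inspect the returned token before presenting it to a resource. The IMDS endpoint, API version and `Metadata: true` header are the real ones; the JWT, the IMDS response and the `fake_imds_opener` that stands in for the network are constructed so the code runs offline.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Link-local IMDS token endpoint; only reachable from inside the Azure resource itself.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Build the GET request IMDS expects for an access token.

    resource is the audience (for example https://vault.azure.net for Key Vault).
    client_id selects a specific user-assigned identity when several are attached;
    omit it to use the system-assigned identity.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    req = Request(f"{IMDS_TOKEN_ENDPOINT}?{urlencode(params)}")
    # IMDS refuses requests without this header, so a plain browser request or a
    # forwarded/SSRF-style request cannot be used to mint tokens.
    req.add_header("Metadata", "true")
    return req


def fetch_token(resource, client_id=None, opener=urlopen):
    """Call IMDS and return its JSON body. `opener` is injectable for offline runs."""
    with opener(build_token_request(resource, client_id), timeout=5) as resp:
        return json.loads(resp.read().decode())


def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature.

    Useful for logging and troubleshooting on the client; the resource server is
    the party that verifies the signature. Never authorize on unverified claims.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_identity(claims, principal_id, expected_resource):
    """Sanity check: issued to our identity (oid == principalId) and for the audience we asked for."""
    return claims.get("oid") == principal_id and claims.get("aud") == expected_resource


# ---- constructed offline stand-ins (not real Azure data) ----
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


SAMPLE_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"  # placeholder
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "https://vault.azure.net", "oid": SAMPLE_PRINCIPAL_ID,
             "tid": "22222222-2222-2222-2222-222222222222", "exp": 1700000000}),
    "constructed-signature",
])


class _FakeImdsResponse:
    def __init__(self, body):
        self._body = body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_imds_opener(req, timeout=None):
    """Mimics IMDS: enforces the Metadata header and returns a constructed token response."""
    if req.get_header("Metadata") != "true":
        raise PermissionError("IMDS requires Metadata: true")
    body = json.dumps({"access_token": SAMPLE_TOKEN, "token_type": "Bearer",
                       "resource": "https://vault.azure.net", "expires_on": "1700000000"})
    return _FakeImdsResponse(body.encode())


if __name__ == "__main__":
    tok = fetch_token("https://vault.azure.net", opener=fake_imds_opener)
    claims = decode_claims(tok["access_token"])
    print("oid:", claims["oid"], "aud:", claims["aud"],
          "ok:", token_matches_identity(claims, SAMPLE_PRINCIPAL_ID, "https://vault.azure.net"))
```

On a real Azure resource, call `fetch_token` with the default opener; the token is then sent as `Authorization: Bearer <access_token>` to the resource named in `aud`. Because the identity is a service principal in the tenant, the `oid` claim equals the `principalId` the CLI returned when the identity was created, which is why that value is the one to grant roles to.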