Managed identities for Azure resources is an Azure AD feature that provides Azure services with an automatically managed identity in Azure AD. You use this identity to authenticate to services that support Azure AD authentication, without needing credentials in your code.
Why use Managed Identities?
Security is the primary reason to use Azure managed identities. They eliminate the need to manage secrets by handing that job to Azure AD, which provisions and rotates the credentials automatically. Developers never need to intervene, which makes managed identities a hassle-free alternative to handling service principal secrets.
Two Types of Managed Identities
- System-assigned: The identity is tied to the lifecycle of the resource and is automatically deleted when the resource is removed.
- User-assigned: The identity is managed separately from the resources that use it, and can be assigned to one or more Azure service instances.
Managed Identities Application
There are numerous ways to apply managed identities to access Azure resources. Here is an example of how you could use a managed identity with an Azure Function to access an Azure SQL Database:
- Create a managed identity for the Azure Function. In the Azure portal you can enable a system-assigned managed identity during or after creation of the Function.
- Assign permissions to the managed identity. Grant the Function's identity access to the Azure SQL Database, limited to the permissions the Function actually needs.
- Update the application to use the managed identity. Modify the application to acquire a token from Azure AD for the Azure SQL Database, which the managed identity makes possible without any stored credential.
Using Managed Identities with Azure Key Vault
Azure Key Vault is a powerful resource for storing and accessing secrets, keys and certificates, but managing access policies and service principal credentials can be complex. Managed identities simplify this:
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
// The token provider talks to the local managed-identity endpoint; no secret is stored in code.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
// Key Vault calls the callback whenever it needs a fresh access token.
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync("https://myvault.vault.azure.net/secrets/mysecret")
    .ConfigureAwait(false);
Console.WriteLine($"Secret: {secret.Value}");
In this example, the AzureServiceTokenProvider obtains a token for the Key Vault service from the local managed-identity endpoint each time the KeyVaultClient invokes the authentication callback, so the application never holds a client secret or certificate. Microsoft.Azure.Services.AppAuthentication has since been superseded by the Azure.Identity library (ManagedIdentityCredential / DefaultAzureCredential), which follows the same pattern.
In conclusion, Azure managed identities are an efficient, secure way to access Azure resources, leaning on Azure AD’s robust power and improving the security posture of your applications. As part of studying for the SC-300 Microsoft Identity and Access Administrator, you should be confident in understanding and utilizing these identities.
Practice Test
Managed Identities for Azure resources is a feature of Azure Active Directory. Is it true or false?
- True
- False
Answer: True
Explanation: Managed Identities for Azure resources is a feature of Azure Active Directory, enabling resources to have an identity in the directory without needing any credentials in code.
What resources can a Managed Identity be used to securely access? (Choose two)
- Azure SQL Database
- Azure Key Vault
- Users’ personal email accounts
- Social media accounts
Answer: Azure SQL Database, Azure Key Vault
Explanation: Managed identities in Azure can be used to access services like Azure SQL Database and Azure Key Vault securely, but not personal email or social media accounts.
A system-assigned managed identity is enabled directly on an Azure service instance.
- True
- False
Answer: True
Explanation: When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance.
User-assigned managed identities can be shared across multiple services.
- True
- False
Answer: True
Explanation: You may want to use a user-assigned managed identity when you have multiple services that need to use the same identity.
Managed Identities can be used to access resources in a different Azure subscription. Is it true or false?
- True
- False
Answer: False
Explanation: A Managed Identity can only be used to access resources that reside in the same Azure subscription and Azure AD directory.
A user-assigned managed identity is managed separately from the lifecycle of the Azure resource.
- True
- False
Answer: True
Explanation: This implies that even if the resource it was assigned to is deleted, the identity still exists.
Which Azure service supports managed identities?
- Azure Kubernetes Service
- Azure Monitor
- Azure Virtual Machines
- All of the above
Answer: All of the above
Explanation: All listed Azure services support managed identities.
Managed identities are free and don’t add any cost to your Azure subscription.
- True
- False
Answer: True
Explanation: There is no additional charge for using managed identities.
It is necessary to store user credentials within the apps to allow applications to access online resources in Azure.
- True
- False
Answer: False
Explanation: Managed Identities eliminate the need for developers having to store credentials in their apps.
Managed identities can be used with Azure Functions. Is it true or false?
- True
- False
Answer: True
Explanation: Azure Functions, like many other Azure resources, support managed identities.
What type of managed identity gets deleted when you delete the Azure resource?
- System-assigned managed identity
- User-assigned managed identity
Answer: System-assigned managed identity
Explanation: System-assigned managed identities are tied to the lifecycle of the Azure resource and are deleted when the resource is deleted.
User-assigned managed identities can be created under which type of Azure resource group?
- Empty resource group
- Any type of resource group
Answer: Any type of resource group
Explanation: User-assigned managed identities can be created under any type of resource group in Azure.
The lifecycle of a user-assigned managed identity is managed independently.
- True
- False
Answer: True
Explanation: The lifecycle of a user-assigned managed identity is not tied to a specific Azure instance; it is managed separately.
An Azure resource, such as a VM, can have how many system-assigned managed identities?
- One
- Two
- Multiple
Answer: One
Explanation: Each Azure resource can only have one system-assigned managed identity.
Managed identities can only be used with services that support Azure Active Directory (Azure AD) authentication.
- True
- False
Answer: True
Explanation: Managed identities provide Azure services with an automatically managed identity in Azure AD. It can be used to authenticate to any service that supports Azure AD authentication.
Interview Questions
What is a managed identity in Azure?
A managed identity in Azure is a feature of Azure Active Directory that allows Azure services to authenticate to other cloud services, eliminating the need for credentials in your code.
What are the two types of managed identities in Azure?
The two types of managed identities in Azure are: System Assigned Managed Identities and User Assigned Managed Identities.
What is a System Assigned Managed Identity?
A System Assigned Managed Identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance.
What happens when the Azure resource with a System Assigned managed identity is deleted?
When the Azure resource with a System Assigned managed identity is deleted, Azure automatically deletes the identity from Azure AD.
What is a user-assigned managed identity?
A user-assigned managed identity is created as an independent Azure resource. Once the identity is created, it can be assigned to one or more Azure service instances.
How does a managed identity work with Azure Machine Learning?
Managed identities can be used in Azure Machine Learning to authenticate the workspace to other Azure resources such as Azure Key Vault, Azure Container Registry, Azure Storage, and others.
Can managed identities be used to access databases in Azure?
Yes, Managed identities in Azure can be used to access databases such as Azure SQL Database, Azure SQL Managed Instance, and Azure Cosmos DB.
Can more than one user-assigned managed identity be used on an Azure instance?
Yes, an Azure resource instance can have multiple user-assigned managed identities.
What is the benefit of using managed identities to access Azure resources instead of using conventional keys or credentials?
Managed identities eliminate the need for developers to manage credentials. They’re automatically managed by Azure, hence reducing the potential security risk.
How are Managed Identities associated with Azure Logic Apps?
Azure Logic Apps supports Managed Identities. This means that logic apps can run actions that call other resources in the Azure ecosystem using a Managed Service Identity.
How do you get an access token for a managed identity?
You get an access token for a managed identity by making a local HTTP GET request to the Azure Instance Metadata Service (IMDS) token endpoint, which is reachable only from inside the resource itself.
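The token request described here, and the "acquire a token for the Azure SQL Database" step in the Azure Function procedure above, both come down to one local GET. This added example (not code from the original page) builds and validates that request; the helper names and the sample reply are constructed, and it also covers the App Service / Functions variant, which uses an injected IDENTITY_ENDPOINT instead of IMDS.

```python
# Added example (not from the original page): acquire a managed-identity token the
# way the text describes, with an HTTP GET to the local identity endpoint and no
# credentials in code. Helper names are hypothetical.
import json, os, time, urllib.parse, urllib.request

IMDS_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"

def build_token_request(resource, client_id=None, env=os.environ):
    """Return (url, headers) for the platform's local token endpoint.
    VMs expose IMDS; App Service / Functions inject IDENTITY_ENDPOINT and
    IDENTITY_HEADER instead and expect api-version 2019-08-01."""
    params = {"resource": resource}
    if client_id:  # user-assigned identity; leave out for system-assigned
        params["client_id"] = client_id
    endpoint, secret = env.get("IDENTITY_ENDPOINT"), env.get("IDENTITY_HEADER")
    if endpoint and secret:
        params["api-version"] = "2019-08-01"
        headers = {"X-IDENTITY-HEADER": secret}
    else:
        endpoint = IMDS_ENDPOINT
        params["api-version"] = "2018-02-01"
        headers = {"Metadata": "true"}  # mandatory; IMDS rejects requests without it
    return f"{endpoint}?{urllib.parse.urlencode(params)}", headers

def parse_token_response(body, resource, now=None):
    """Validate the JSON reply before the token is used: right type, right
    resource, not yet expired (expires_on is epoch seconds as a string)."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if data.get("resource", resource).rstrip("/") != resource.rstrip("/"):
        raise ValueError("token was issued for a different resource")
    expires_on = int(data["expires_on"])
    if expires_on <= (time.time() if now is None else now):
        raise ValueError("token already expired")
    return data["access_token"], expires_on

def fetch_token(resource, client_id=None):
    """Live call: only works inside an Azure resource that has a managed identity."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode(), resource)

# Constructed sample reply in the shape IMDS returns; the token value is fake.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed-token-value", "expires_in": "3599",
    "expires_on": "1700003599", "not_before": "1700000000",
    "resource": "https://database.windows.net/", "token_type": "Bearer"})
```

Use `https://database.windows.net/` as the resource for Azure SQL and `https://vault.azure.net` for Key Vault; the returned bearer token goes in the connection's access-token slot rather than a password.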
Can managed identities be used across different Azure subscriptions?
This is currently not possible. Managed identities are resources belonging to an Azure subscription, and their scope is therefore restricted to that subscription.
Can system-assigned managed identities be moved across different Azure subscriptions?
No, system-assigned managed identities cannot be moved. They are tied to the lifespan of the resource they’re assigned to.
Are managed identities supported in all Azure regions?
Yes, Managed identities are supported in all public Azure regions.
How are managed identities used to access Azure Key Vault?
Managed identities can be granted permissions to access keys, secrets, or certificates stored in Azure Key Vault. This simplifies secret management, as the application code never has to handle credentials.