Configure managed identities for Azure resources on virtual machine scale sets using PowerShell

Managed identities for Azure resources is a feature of Microsoft Entra ID. Each Azure service that supports managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.

Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.

In this article, you learn how to use PowerShell to perform the following managed identities for Azure resources operations on a virtual machine scale set:

  • Enable and disable the system-assigned managed identity on a virtual machine scale set
  • Add and remove a user-assigned managed identity on a virtual machine scale set

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Prerequisites

  • If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and a user-assigned managed identity.

  • If you don't already have an Azure account, sign up for a free account before continuing.

  • To perform the management operations in this article, your account needs the following Azure role-based access control assignments:

    Note

    No additional Microsoft Entra directory role assignments are required.

  • To run the example scripts, you have two options:

    • Use the Azure Cloud Shell, which you can open using the Try It button on the top-right corner of code blocks.
    • Run scripts locally by installing the latest version of Azure PowerShell, then sign in to Azure using Connect-AzAccount.

System-assigned managed identity

In this section, you learn how to enable and remove a system-assigned managed identity using Azure PowerShell.

Enable system-assigned managed identity during the creation of an Azure virtual machine scale set

To create a virtual machine scale set with the system-assigned managed identity enabled:

  1. Refer to Example 1 in the New-AzVmssConfig cmdlet reference article to create a virtual machine scale set with a system-assigned managed identity. Add the parameter -IdentityType SystemAssigned to the New-AzVmssConfig cmdlet:

    $VMSS = New-AzVmssConfig -Location $Loc -SkuCapacity 2 -SkuName "Standard_A0" -UpgradePolicyMode "Automatic" -NetworkInterfaceConfiguration $NetCfg -IdentityType SystemAssigned
    

Enable system-assigned managed identity on an existing Azure virtual machine scale set

If you need to enable a system-assigned managed identity on an existing Azure virtual machine scale set:

  1. Make sure the Azure account you're using belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor".

  2. Retrieve the virtual machine scale set properties using the Get-AzVmss cmdlet. Then, to enable a system-assigned managed identity, use the -IdentityType parameter on the Update-AzVmss cmdlet:

    Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "SystemAssigned"
    

Disable the system-assigned managed identity from an Azure virtual machine scale set

If you have a virtual machine scale set that no longer needs the system-assigned managed identity but still needs user-assigned managed identities, use the following cmdlet:

  1. Make sure your account belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor".

  2. Run the following cmdlet:

    Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "UserAssigned"
    
  3. If you have a virtual machine scale set that no longer needs system-assigned managed identity and it has no user-assigned managed identities, use the following command:

    Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType None
    

User-assigned managed identity

In this section, you learn how to add and remove a user-assigned managed identity from a virtual machine scale set using Azure PowerShell.

Assign a user-assigned managed identity during creation of an Azure virtual machine scale set

Creating a new virtual machine scale set with a user-assigned managed identity isn't currently supported via PowerShell. See the next section on how to add a user-assigned managed identity to an existing virtual machine scale set. Check back for updates.

Assign a user-assigned managed identity to an existing Azure virtual machine scale set

To assign a user-assigned managed identity to an existing Azure virtual machine scale set:

  1. Make sure your account belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor".

  2. Retrieve the virtual machine scale set properties using the Get-AzVmss cmdlet. Then, to assign a user-assigned managed identity to the virtual machine scale set, use the -IdentityType and -IdentityID parameters on the Update-AzVmss cmdlet. Replace <RESOURCE GROUP>, <VMSS NAME>, <USER ASSIGNED ID1> and <USER ASSIGNED ID2> with your own values.

    Important

    When you create user-assigned managed identities, the name must start with a letter or number, and may include a combination of alphanumeric characters, hyphens (-) and underscores (_). For the assignment to a virtual machine or virtual machine scale set to work properly, the name is limited to 24 characters. For more information, see FAQs and known issues.

    Update-AzVmss -ResourceGroupName <RESOURCE GROUP> -Name <VMSS NAME> -IdentityType UserAssigned -IdentityID "<USER ASSIGNED ID1>","<USER ASSIGNED ID2>"
    

Remove a user-assigned managed identity from an Azure virtual machine scale set

If your virtual machine scale set has multiple user-assigned managed identities, you can remove all but the last one using the following commands. Be sure to replace the myResourceGroup and myVmss values with your own resource group and virtual machine scale set names. The <USER ASSIGNED IDENTITY NAME> is the name property of the user-assigned managed identity that should remain on the virtual machine scale set. This information can be found in the identity section of the virtual machine scale set using az vmss show:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType UserAssigned -IdentityID "<USER ASSIGNED IDENTITY NAME>"

If your virtual machine scale set doesn't have a system-assigned managed identity and you want to remove all user-assigned managed identities from it, use the following command:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType None

If your virtual machine scale set has both system-assigned and user-assigned managed identities, you can remove all the user-assigned managed identities by switching the identity type to system-assigned only:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "SystemAssigned"
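Because the list passed to -IdentityID replaces whatever is currently assigned, the safest way to carry out the removal steps above is to state which identities must remain, resolve them to resource IDs, and check the result afterwards. The script below is an added example and not code from the original article; it assumes Connect-AzAccount has been run with write permission on the scale set and that the identities to keep live in the same resource group. The resource group, scale set and identity names are placeholders.

```powershell
# Added example (not from the original article): keep exactly the named user-assigned
# identities on a scale set, remove every other one, then verify the result.
# Assumes Connect-AzAccount has been run with write permission on the scale set, and that
# the identities to keep are in the same resource group. All names below are placeholders.
function Set-VmssUserAssignedIdentities {
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string]   $VMScaleSetName,
        [Parameter(Mandatory)] [string[]] $KeepIdentityName   # names of identities that must remain
    )

    $vmss = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName
    $before = @()
    if ($vmss.Identity -and $vmss.Identity.UserAssignedIdentities) {
        $before = @($vmss.Identity.UserAssignedIdentities.Keys)
    }
    Write-Host "User-assigned identities before: $($before.Count)"

    # -IdentityId takes the identity's full ARM resource ID, not its display name,
    # so resolve each name to its ID first.
    $keepIds = @(foreach ($n in $KeepIdentityName) {
        (Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $n).Id
    })

    # Keep the system-assigned identity if it is enabled, so only the user-assigned list changes.
    $hasSystem = $vmss.Identity -and $vmss.Identity.PrincipalId
    $identityType = if ($hasSystem) { "SystemAssignedUserAssigned" } else { "UserAssigned" }

    # The supplied list replaces the existing one: everything not in $keepIds is removed.
    $vmss = Update-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName `
                          -IdentityType $identityType -IdentityId $keepIds

    # Verify that only the requested identities remain (-notin compares case-insensitively).
    $after      = @($vmss.Identity.UserAssignedIdentities.Keys)
    $unexpected = @($after   | Where-Object { $_ -notin $keepIds })
    $missing    = @($keepIds | Where-Object { $_ -notin $after })
    if ($unexpected.Count -gt 0 -or $missing.Count -gt 0) {
        throw "Identity list mismatch. Unexpected: $($unexpected -join ', ') Missing: $($missing -join ', ')"
    }
    $removed = @($before | Where-Object { $_ -notin $keepIds })
    Write-Host "Removed $($removed.Count) identity(ies); $($after.Count) remain."
    $after
}

Set-VmssUserAssignedIdentities -ResourceGroupName "myResourceGroup" -VMScaleSetName "myVmss" -KeepIdentityName "keep-me-identity"
```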

Next steps