@Shahar Glazner, I tested both the "User Assigned Managed Identity" and the "System Assigned Managed Identity" for a VM.
PS C:\windows\system32> az vm identity show --resource-group MyRG --name Win10ClientVM
{
  "principalId": "0026b60a-0c5c-46f5-91bf-b52a3e20d326",
  "tenantId": "xxxx-xxxx-xxxxx-xxxxxx",
  "type": "SystemAssigned, UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/xxxx-xxxx-xxxx-xxxxxx/resourceGroups/MyRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UMSI1": {
      "clientId": "065a5b93-d459-428d-a156-3b523dd8aa91",
      "principalId": "d8c1b46c-3a3d-45e8-8380-dbd41279874c"
    }
  }
}
Ideally, if you use the following command, you should get a token issued to the System Assigned Managed Identity:
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -UseBasicParsing -Method GET -Headers @{Metadata="true"}
While, if you use the following command, with the ObjectID mentioned in it, you should get the token issued to the User Assigned Managed Identity object:
$response1 = Invoke-WebRequest -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/&object_id=d8c1b46c-3a3d-45e8-8380-dbd41279874c" -UseBasicParsing -Method GET -Headers @{Metadata="true"}
This is irrespective of whether you had enabled the System Assigned Managed Identity first or the User Assigned Managed Identity first.
Hope this helps. Do let us know if more queries pop up around this so that we can help you further.
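To confirm which identity a returned token was actually issued to, the token's claims can be compared with the principalId values from `az vm identity show`. The following is an added example, not part of the original answer: the function names are hypothetical, the sample token is constructed so the script runs off the VM, and it assumes the access token carries the identity's object ID in the `oid` claim and its client ID in `appid`.

```powershell
# Decode the payload (second segment) of a JWT without validating its signature.
# For inspection only: never base an authorization decision on an unvalidated token.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw "Invalid base64url length" }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

# Compare the token's 'oid' claim with the principalId expected for an identity.
function Test-TokenIdentity {
    param([string]$Token, [string]$ExpectedPrincipalId)
    $claims = Get-JwtClaims -Token $Token
    [pscustomobject]@{
        Oid     = $claims.oid
        AppId   = $claims.appid
        Matches = ($claims.oid -eq $ExpectedPrincipalId)
    }
}

# Constructed, unsigned sample token (assumption: only oid/appid are populated).
function New-SampleToken([string]$Oid, [string]$AppId) {
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header  = & $enc '{"alg":"none","typ":"JWT"}'
    $payload = & $enc (@{ oid = $Oid; appid = $AppId } | ConvertTo-Json -Compress)
    "$header.$payload."
}

$systemOid = '0026b60a-0c5c-46f5-91bf-b52a3e20d326'   # system-assigned principalId from the post
$userOid   = 'd8c1b46c-3a3d-45e8-8380-dbd41279874c'   # UMSI1 principalId from the post
$sample    = New-SampleToken -Oid $userOid -AppId '065a5b93-d459-428d-a156-3b523dd8aa91'
Test-TokenIdentity -Token $sample -ExpectedPrincipalId $userOid
Test-TokenIdentity -Token $sample -ExpectedPrincipalId $systemOid

# On the VM, feed it the real responses from the two requests in the post:
# $t = ($response.Content | ConvertFrom-Json).access_token
# Test-TokenIdentity -Token $t -ExpectedPrincipalId $systemOid
```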