This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 82%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESY%3C/text%3E%3C/svg%3E)
Summary: Azure Marketplace VM image created by DevTest Labs did not get assigned the system-assigned managed identity upon creation
Steps:
az vm identity show -n vm07 -g LAB0123456791000Result:
Desired:
Workaround:
az login and go through webpage authentication using my personal credentials -> urgh az vm identity assign --role Reader --identities [system] -n vm07 -g LAB0123456791000--scope /subscriptions/123-234-3456-567 to assign the identity -> pain
I'm also open to suggestions on better ways to do this - but this DevTest Lab should outlive me - I may leave the company and my credentials will be invalidated - but the VM should still be able to function...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 35%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hello @Sameer Youssef ,
Welcome to Microsoft QnA.
Are you seeing something like this on the Portal under Identity of your DevTest Lab?
Yes - https://ibb.co/5K5RrSH
But the system identity is not automatically assigned to my VM - have to assign it myself to the VM after logging into AZ with my personal credentials.
@Sameer Youssef , oh is it? Let me give it a quick check, as far as I remember mine got assigned automatically, but let me verify once again and get back to you on this in sometime.
Hi @Sameer Youssef , I recreated a devtest lab in my test environment and the system managed identity gets assigned automatically. Could you please re-check if you have a lab environment of your own (non-prod) ? Let me know. Thanks
Thank you for looking into this @srbhatta-msft :)
So these are my steps:
- Log into portal.azure.com under tenant with offer Enterprise Agreement
- Using an existing subscription create a DevTest Lab - and set it to use a new resource group
- Create a VM within the lab - image Free SQL Server License: SQL Server 2019 Developer on Windows Server 2022
- Remote desktop connect into VM
- Install Azure CLI with command `$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi`
- In a new PowerShell session type `az login --identity`
- Alternatively simply run `$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}` as suggested by https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm.md
In my case the VM returns `Invoke-WebRequest : {"error":"invalid_request","error_description":"Identity not found"}`
According to https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md we see:
System-assigned managed identity ... Creation ... Created as part of an Azure resource (for example, an Azure virtual machine or Azure App Service).
Have you had a chance to review my post below? Thanks.
Hi @Sameer Youssef , I am not able to repro this at my end. I'd recommend you to open a support case with Azure Support on this. Incase if you don't have a support plan enabled on your subscription, do let me know, and I can help you with a one-time free support.
Hi Sameer,
Have you seen this preview feature for automatically assigning managed identities using Azure Policy?
how-to-assign-managed-identity-via-azure-policy
Hi David - thanks - Azure Policy seems like it could be used - but it contradicts their preference "it is recommended to use user-assigned managed identities, which can be created once and shared across multiple VMs" so I'll be hard pressed to find an example to show me how it is done.
@David Broggy I can't help but notice az login suggests:
Log in using a VM's system-assigned managed identity.
az login --identity
Which lead me to believe the DevTest Lab's System Assigned identity would be pre-available on the VM.
Could it be that DevTest Lab's VM don't get assigned this identity?