Create, list or delete a user-assigned managed identity using Azure PowerShell

User assigned managed identities are a preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Managed identities for Azure resources provides Azure services with a managed identity in Azure Active Directory. You can use this identity to authenticate to services that support Azure AD authentication, without needing credentials in your code.

In this article, you learn how to create, list and delete a user-assigned managed identity using Azure PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

  • If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and user-assigned managed identity.
  • If you don't already have an Azure account, sign up for a free account before continuing.
  • Install the latest version of Azure PowerShell if you haven't already.
  • If you are running PowerShell locally, you also need to:
    • Run Connect-AzAccount to create a connection with Azure.
    • Install the latest version of PowerShellGet.
    • Run Install-Module -Name PowerShellGet -AllowPrerelease to get the pre-release version of the PowerShellGet module (you may need to exit the current PowerShell session after you run this command before installing the Az.ManagedServiceIdentity module).
    • Run Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease to install the prerelease version of the Az.ManagedServiceIdentity module to perform the user-assigned managed identity operations in this article.

Create a user-assigned managed identity

To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

To create a user-assigned managed identity, use the New-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group in which to create the user-assigned managed identity, and the -Name parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

Important

When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name must be at least 3 characters and at most 128 characters in length for the assignment to a VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

New-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER ASSIGNED IDENTITY NAME>
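The following script is an added example, not code from the original article: it enforces the naming rules stated in the Important note before calling New-AzUserAssignedIdentity, creates the identity idempotently, and then shows the two IDs a practitioner actually works with afterwards (PrincipalId for role assignments, ClientId for token requests). It assumes Connect-AzAccount has already been run, that the Az.ManagedServiceIdentity and Az.Resources modules are installed, and that the two placeholder values are replaced with your own; passing the resource group's location explicitly is a choice made here so the call works whether or not your module version treats -Location as optional.

```powershell
# Added example (not from the original article). Placeholders below are yours to replace.
param(
    [string]$ResourceGroupName = '<RESOURCE GROUP>',
    [string]$IdentityName      = '<USER ASSIGNED IDENTITY NAME>'
)

function Test-UserAssignedIdentityName {
    param([Parameter(Mandatory)][string]$Name)
    # Rules from the article: 0-9, a-z, A-Z, underscore and hyphen; 3 to 128 characters.
    return $Name -match '^[0-9A-Za-z_-]{3,128}$'
}

if (-not (Test-UserAssignedIdentityName -Name $IdentityName)) {
    throw "Identity name '$IdentityName' violates the naming rules (A-Z, a-z, 0-9, _ and -; 3 to 128 characters)."
}

# Use the resource group's own location for the identity (assumption: Az.Resources is available).
$location = (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction Stop).Location

# Idempotent create: reuse an identity that already has this name instead of failing on a rerun.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName -ErrorAction SilentlyContinue
if ($identity) {
    Write-Host "Identity already exists: $($identity.Id)"
} else {
    $identity = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName -Location $location -ErrorAction Stop
    Write-Host "Created identity: $($identity.Id)"
}

# PrincipalId is the object you grant RBAC roles to; ClientId is what the workload presents when it requests tokens.
[pscustomobject]@{
    Name        = $identity.Name
    Type        = $identity.Type
    PrincipalId = $identity.PrincipalId
    ClientId    = $identity.ClientId
}
```

Keep the naming check even when the name is hard-coded: a name that the API accepts but that breaks VM/VMSS assignment is the kind of problem you only discover later, at deployment time.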

List user-assigned managed identities

To list/read a user-assigned managed identity, your account needs the Managed Identity Operator or Managed Identity Contributor role assignment.

To list user-assigned managed identities, use the Get-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group where the user-assigned managed identity was created. Replace <RESOURCE GROUP> with your own value:

Get-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP>

In the response, user-assigned managed identities are returned with the value "Microsoft.ManagedIdentity/userAssignedIdentities" for the Type key:

Type :Microsoft.ManagedIdentity/userAssignedIdentities

Delete a user-assigned managed identity

To delete a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

To delete a user-assigned managed identity, use the Remove-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group where the user-assigned identity was created, and the -Name parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

Remove-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER ASSIGNED IDENTITY NAME>

Note

Deleting a user-assigned managed identity does not remove the reference to it from any resource it was assigned to. Identity assignments need to be removed separately.
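Because deletion leaves assignments dangling, a safer delete first looks for resources that still reference the identity. The script below is an added example, not code from the original article: it verifies the identity's Type as described in the listing section, scans the virtual machines in the current subscription for a reference to the identity's resource ID, and only removes the identity when none is found. It assumes Connect-AzAccount has been run, that Az.Compute and Az.ManagedServiceIdentity are installed, and that each VM object exposes the assigned identities under Identity.UserAssignedIdentities keyed by resource ID (an assumption about the Az.Compute object shape); the two placeholder values are yours to replace.

```powershell
# Added example (not from the original article). Placeholders below are yours to replace.
$ResourceGroupName = '<RESOURCE GROUP>'
$IdentityName      = '<USER ASSIGNED IDENTITY NAME>'

$identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName -ErrorAction Stop

# Sanity check against the Type value the listing section describes.
if ($identity.Type -ne 'Microsoft.ManagedIdentity/userAssignedIdentities') {
    throw "Unexpected resource type for $($identity.Name): $($identity.Type)"
}

# Assumption: a VM's Identity.UserAssignedIdentities dictionary is keyed by the identity resource ID.
# Resource IDs are compared case-insensitively because their casing is not normalised across APIs.
$referencingVms = Get-AzVM | Where-Object {
    $_.Identity -and $_.Identity.UserAssignedIdentities -and
    ($_.Identity.UserAssignedIdentities.Keys | Where-Object { $_ -ieq $identity.Id })
}

if ($referencingVms) {
    Write-Warning "Identity $($identity.Name) is still assigned to the VMs below; remove those assignments before deleting it."
    $referencingVms | Select-Object ResourceGroupName, Name
} else {
    # -Confirm:$false suppresses the interactive prompt so the script can run unattended.
    Remove-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName -Confirm:$false
    Write-Host "Deleted $($identity.Id)"
}
```

This check covers only virtual machines; the same identity can also be assigned to other resource types (for example, scale sets), so extend the scan to whatever resource kinds your environment uses before relying on it as a pre-deletion gate.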

Next steps

For a full list and more details of the Azure PowerShell managed identities for Azure resources commands, see Az.ManagedServiceIdentity.