Create, list, or delete a user-assigned managed identity using Azure PowerShell

Managed identities for Azure resources provide Azure services with a managed identity in Azure Active Directory. You can use this identity to authenticate to services that support Azure AD authentication, without needing credentials in your code.

In this article, you learn how to create, list, and delete a user-assigned managed identity using Azure PowerShell.

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Prerequisites

Configure Azure PowerShell locally

To use Azure PowerShell locally for this article (rather than using Cloud Shell), complete the following steps:

  1. Install the latest version of Azure PowerShell if you haven't already.

  2. Sign in to Azure:

    Connect-AzAccount
    
  3. Install the latest version of PowerShellGet.

    Install-Module -Name PowerShellGet -AllowPrerelease
    

    You may need to exit the current PowerShell session after you run this command before moving on to the next step.

  4. Install the prerelease version of the Az.ManagedServiceIdentity module to perform the user-assigned managed identity operations in this article:

    Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease
    

Create a user-assigned managed identity

To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

To create a user-assigned managed identity, use the New-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group in which to create the user-assigned managed identity, and the -Name parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

Important

When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name should be at least 3 characters and up to 128 characters in length for the assignment to a VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

New-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER ASSIGNED IDENTITY NAME>

List user-assigned managed identities

To list/read a user-assigned managed identity, your account needs the Managed Identity Operator or Managed Identity Contributor role assignment.

To list user-assigned managed identities, use the Get-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group in which the user-assigned managed identity was created. Replace <RESOURCE GROUP> with your own value:

Get-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP>

In the response, user-assigned managed identities are returned with the value "Microsoft.ManagedIdentity/userAssignedIdentities" for the Type key:

Type :Microsoft.ManagedIdentity/userAssignedIdentities

Delete a user-assigned managed identity

To delete a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

To delete a user-assigned managed identity, use the Remove-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group in which the user-assigned identity was created, and the -Name parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

Remove-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER ASSIGNED IDENTITY NAME>

Note

Deleting a user-assigned managed identity does not remove the reference to it from any resource it was assigned to. Identity assignments need to be removed separately.
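As an added example that is not part of the original article, the following PowerShell script wraps the article's three commands with the name check from the Important note and a pre-delete scan for virtual machines that still reference the identity, so the dangling-reference situation described in the note is caught before deletion. It assumes Connect-AzAccount has already run, that Az.Compute is installed, and that a VM's Identity.UserAssignedIdentities dictionary is keyed by identity resource ID; the function names are invented here.

```powershell
# Added example; not the article's own code. Requires Az.ManagedServiceIdentity and Az.Compute.

# Naming rule from the article: only 0-9, a-z, A-Z, '_' and '-', 3 to 128 characters.
function Test-IdentityName {
    param([Parameter(Mandatory)][string]$Name)
    return $Name -match '^[A-Za-z0-9_-]{3,128}$'
}

function New-CheckedUserAssignedIdentity {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    if (-not (Test-IdentityName $Name)) {
        throw "Identity name '$Name' violates the naming rules (alphanumerics, '_' and '-', 3-128 chars)."
    }
    $identity = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $Name
    # Confirm the returned object has the resource type the article says to expect.
    if ($identity.Type -ne 'Microsoft.ManagedIdentity/userAssignedIdentities') {
        throw "Unexpected resource type '$($identity.Type)' returned for '$Name'."
    }
    return $identity
}

# VMs in the same resource group (assumption, for brevity) that still reference the identity.
function Get-VmsReferencingIdentity {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$IdentityResourceId
    )
    # Assumption: Identity.UserAssignedIdentities is keyed by the identity's resource ID.
    Get-AzVM -ResourceGroupName $ResourceGroupName | Where-Object {
        $_.Identity -and $_.Identity.UserAssignedIdentities -and
        ($_.Identity.UserAssignedIdentities.Keys -contains $IdentityResourceId)
    }
}

function Remove-UserAssignedIdentitySafely {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    $identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $Name -ErrorAction Stop
    $refs = Get-VmsReferencingIdentity -ResourceGroupName $ResourceGroupName -IdentityResourceId $identity.Id
    if ($refs) {
        # Deleting now would leave dangling identity references on these VMs (see the note above).
        throw "Identity '$Name' is still assigned to: $($refs.Name -join ', '). Remove those assignments first."
    }
    Remove-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $Name
}
```

Resources other than VMs (for example VM scale sets or App Service apps) can also hold assignments; extend the reference scan with the corresponding Get-Az* cmdlets for the resource types in use.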

Next steps

For a full list and more details of the Azure PowerShell managed identities for Azure resources commands, see Az.ManagedServiceIdentity.