Assign a managed identity access to a resource using PowerShell
Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.
Once you've configured an Azure resource with a managed identity, you can give the managed identity access to another resource, just like any security principal. This example shows you how to give an Azure virtual machine's managed identity access to an Azure storage account using PowerShell.
This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
- If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and user-assigned managed identity.
- If you don't already have an Azure account, sign up for a free account before continuing.
- To run the example scripts, you have two options:
Use Azure RBAC to assign a managed identity access to another resource
Enable managed identity on an Azure resource, such as an Azure VM.
In this example, we are giving an Azure VM access to a storage account. First we use Get-AzVM to get the service principal for the VM named
myVM, which was created when we enabled managed identity. Then, use New-AzRoleAssignment to give the VM Reader access to a storage account called
$spID = (Get-AzVM -ResourceGroupName myRG -Name myVM).identity.principalid New-AzRoleAssignment -ObjectId $spID -RoleDefinitionName "Reader" -Scope "/subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/<myStorageAcct>"
- Managed identity for Azure resources overview
- To enable managed identity on an Azure VM, see Configure managed identities for Azure resources on an Azure VM using PowerShell.