Assign a managed identity access to a resource using PowerShell
|Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.|
Once you've configured an Azure resource with a managed identity, you can give the managed identity access to another resource, just like any security principal. This example shows you how to give an Azure virtual machine's managed identity access to an Azure storage account using PowerShell.
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.
- If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and user-assigned managed identity.
- If you don't already have an Azure account, sign up for a free account before continuing.
- Install the latest version of Azure PowerShell if you haven't already.
Use RBAC to assign a managed identity access to another resource
After you've enabled managed identity on an Azure resource, such as an Azure VM:
Sign in to Azure using the
Connect-AzAccountcmdlet. Use an account that is associated with the Azure subscription under which you have configured the managed identity:
In this example, we are giving an Azure VM access to a storage account. First we use Get-AzVM to get the service principal for the VM named
myVM, which was created when we enabled managed identity. Then, use New-AzRoleAssignment to give the VM Reader access to a storage account called
$spID = (Get-AzVM -ResourceGroupName myRG -Name myVM).identity.principalid New-AzRoleAssignment -ObjectId $spID -RoleDefinitionName "Reader" -Scope "/subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/<myStorageAcct>"
- Managed identity for Azure resources overview
- To enable managed identity on an Azure VM, see Configure managed identities for Azure resources on an Azure VM using PowerShell.