What are managed identities for Azure resources?
A common challenge for developers is the management of secrets and credentials used to secure communication between different components making up a solution. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens. For example, an application may use a managed identity to access resources like Azure Key Vault where developers can store credentials in a secure manner or to access storage accounts.
What can a managed identity be used for?
Here are some of the benefits of using Managed identities:
- You don't need to manage credentials. Credentials are not even accessible to you.
- You can use managed identities to authenticate to any resource that supports Azure Active Directory authentication including your own applications.
- Managed identities can be used without any additional cost.
Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).
Managed identity types
There are two types of managed identities:
- System-assigned Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity an identity is created in Azure AD that is tied to the lifecycle of that service instance. So when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
- User-assigned You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.
The table below shows the differences between the two types of managed identities.
|Property||System-assigned managed identity||User-assigned managed identity|
|Creation||Created as part of an Azure resource (for example, an Azure virtual machine or Azure App Service)||Created as a stand-alone Azure resource|
|Life cycle||Shared life cycle with the Azure resource that the managed identity is created with.
When the parent resource is deleted, the managed identity is deleted as well.
|Independent life cycle.
Must be explicitly deleted.
|Sharing across Azure resources||Cannot be shared.
It can only be associated with a single Azure resource.
|Can be shared
The same user-assigned managed identity can be associated with more than one Azure resource.
|Common use cases||Workloads that are contained within a single Azure resource
Workloads for which you need independent identities.
For example, an application that runs on a single virtual machine
|Workloads that run on multiple resources and which can share a single identity.
Workloads that need pre-authorization to a secure resource as part of a provisioning flow.
Workloads where resources are recycled frequently, but permissions should stay consistent.
For example, a workload where multiple virtual machines need to access the same resource
Regardless of the type of identity chosen a managed identity is a service principal of a special type that may only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed.
How can I use managed identities for Azure resources?
Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of Azure services that support the managed identities for Azure resources feature, see Services that support managed identities for Azure resources.
Which operations can I perform using managed identities?
Resources that support system assigned managed identities allow you to:
- Enable or disable managed identities at the resource level.
- Use RBAC roles to grant permissions.
- View create, read, update, delete (CRUD) operations in Azure Activity logs.
- View sign-in activity in Azure AD sign-in logs.
If you choose a user assigned managed identity instead:
- You can create, read, update, delete the identities.
- You can use RBAC role assignments to grant permissions.
- User assigned managed identities can be used on more than one resource.
- CRUD operations are available for review in Azure Activity logs.
- View sign-in activity in Azure AD sign-in logs.
Operations on managed identities may be performed by using an Azure Resource Manager (ARM) template, the Azure portal, the Azure CLI, PowerShell, and REST APIs.
- Use a Windows VM system-assigned managed identity to access Resource Manager
- Use a Linux VM system-assigned managed identity to access Resource Manager
- How to use managed identities for App Service and Azure Functions
- How to use managed identities with Azure Container Instances
- Implementing Managed Identities for Microsoft Azure Resources.