Configure managed identities for Azure resources on a VM using the Azure portal

Managed identities for Azure resources is a feature of Microsoft Entra ID. Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.

Managed identities for Azure resources provides Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.

In this article, you learn how to enable and disable system and user-assigned managed identities for an Azure Virtual Machine (VM), using the Azure portal.

Prerequisites

System-assigned managed identity

In this section, you learn how to enable and disable the system-assigned managed identity for VM using the Azure portal.

Enable system-assigned managed identity during creation of a VM

To enable system-assigned managed identity on a VM during its creation, your account needs the Virtual Machine Contributor role assignment. No other Microsoft Entra directory role assignments are required.

  • Under the Management tab in the Identity section, switch Managed service identity to On.

Enable system-assigned identity during VM creation

Refer to the following Quickstarts to create a VM:

Enable system-assigned managed identity on an existing VM

Tip

Steps in this article might vary slightly based on the portal you start from.

To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the Virtual Machine Contributor role assignment. No other Microsoft Entra directory role assignments are required.

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM.

  2. Navigate to the desired Virtual Machine and select Identity.

  3. Under System assigned, Status, select On and then click Save:

    Screenshot that shows the "Identity (preview)" page with the "System assigned" status set to "On".

Remove system-assigned managed identity from a VM

To remove system-assigned managed identity from a VM, your account needs the Virtual Machine Contributor role assignment. No other Microsoft Entra directory role assignments are required.

If you have a Virtual Machine that no longer needs system-assigned managed identity:

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM.

  2. Navigate to the desired Virtual Machine and select Identity.

  3. Under System assigned, Status, select Off and then click Save:

    Configuration page screenshot

User-assigned managed identity

In this section, you learn how to add and remove a user-assigned managed identity from a VM using the Azure portal.

Assign a user-assigned identity during the creation of a VM

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No other Microsoft Entra directory role assignments are required.

Currently, the Azure portal does not support assigning a user-assigned managed identity during the creation of a VM. Instead, refer to one of the following VM creation Quickstart articles to first create a VM, and then proceed to the next section for details on assigning a user-assigned managed identity to the VM:

Assign a user-assigned managed identity to an existing VM

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No other Microsoft Entra directory role assignments are required.

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM.

  2. Navigate to the desired VM and click Identity, User assigned and then +Add.

    Screenshot that shows the "Identity" page with "User assigned" selected and the "Add" button highlighted.

  3. Click the user-assigned identity you want to add to the VM and then click Add.

    Add user-assigned managed identity to VM

Remove a user-assigned managed identity from a VM

To remove a user-assigned identity from a VM, your account needs the Virtual Machine Contributor role assignment. No other Microsoft Entra directory role assignments are required.

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM.

  2. Navigate to the desired VM and select Identity, User assigned, the name of the user-assigned managed identity you want to delete and then click Remove (click Yes in the confirmation pane).

    Remove user-assigned managed identity from a VM

Next steps