Configure managed identities for Azure resources on an Azure VM using a templates

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.

Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, using the Azure Resource Manager deployment template, you learn how to perform the following managed identities for Azure resources operations on an Azure VM:

Prerequisites

Azure Resource Manager templates

As with the Azure portal and scripting, Azure Resource Manager templates provide the ability to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based, including:

Regardless of the option you choose, template syntax is the same during initial deployment and redeployment. Enabling a system or user-assigned managed identity on a new or existing VM is done in the same manner. Also, by default, Azure Resource Manager does an incremental update to deployments.

System-assigned managed identity

In this section, you will enable and disable a system-assigned managed identity using an Azure Resource Manager template.

Enable system-assigned managed identity during creation of an Azure VM or on an existing VM

  1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.

  2. To enable system-assigned managed identity, load the template into an editor, locate the Microsoft.Compute/virtualMachines resource of interest within the resources section and add the "identity" property at the same level as the "type": "Microsoft.Compute/virtualMachines" property. Use the following syntax:

    "identity": { 
        "type": "SystemAssigned"
    },
    
  3. (Optional) Add the VM managed identities for Azure resources extension as a resources element. This step is optional as you can use the Azure Instance Metadata Service (IMDS) identity endpoint, to retrieve tokens as well. Use the following syntax:

    Note

    The following example assumes a Windows VM extension (ManagedIdentityExtensionForWindows) is being deployed. You can also configure for Linux by using ManagedIdentityExtensionForLinux instead, for the "name" and "type" elements. The VM extension is planned for deprecation in January 2019.

    { 
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
        "apiVersion": "2018-06-01",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
        ],
        "properties": {
            "publisher": "Microsoft.ManagedIdentity",
            "type": "ManagedIdentityExtensionForWindows",
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": true,
            "settings": {
                "port": 50342
            },
            "protectedSettings": {}
        }
    }
    
  4. When you're done, the following sections should added to the resource section of your template and it should resemble the following:

    "resources": [
         {
             //other resource provider properties...
             "apiVersion": "2018-06-01",
             "type": "Microsoft.Compute/virtualMachines",
             "name": "[variables('vmName')]",
             "location": "[resourceGroup().location]",
             "identity": {
                 "type": "SystemAssigned",
                 },
             },
             {
             "type": "Microsoft.Compute/virtualMachines/extensions",
             "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForLinux')]",
             "apiVersion": "2018-06-01",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
             ],
             "properties": {
                 "publisher": "Microsoft.ManagedIdentity",
                 "type": "ManagedIdentityExtensionForWindows",
                 "typeHandlerVersion": "1.0",
                 "autoUpgradeMinorVersion": true,
                 "settings": {
                     "port": 50342
                 }
             }
         }
     ]
    

Assign a role the VM's system-assigned managed identity

After you have enabled system-assigned managed identity on your VM, you may want to grant it a role such as Reader access to the resource group in which it was created.

  1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.

  2. Load the template into an editor and add the following information to give your VM Reader access to the resource group in which it was created. Your template structure may vary depending on the editor and the deployment model you choose.

    Under the parameters section add the following:

    "builtInRoleType": {
          "type": "string",
          "defaultValue": "Reader"
        },
        "rbacGuid": {
          "type": "string"
        }
    

    Under the variables section add the following:

    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
    

    Under the resources section add the following:

    {
        "apiVersion": "2017-09-01",
         "type": "Microsoft.Authorization/roleAssignments",
         "name": "[parameters('rbacGuid')]",
         "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[reference(variables('vmResourceId'), '2017-12-01', 'Full').identity.principalId]",
                "scope": "[resourceGroup().id]"
          },
          "dependsOn": [
                "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
            ]
    }
    

Disable a system-assigned managed identity from an Azure VM

If you have a VM that no longer needs a system-assigned managed identity:

  1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.

  2. Load the template into an editor and locate the Microsoft.Compute/virtualMachines resource of interest within the resources section. If you have a VM that only has system-assigned managed identity, you can disable it by changing the identity type to None.

    Microsoft.Compute/virtualMachines API version 2018-06-01

    If your VM has both system and user-assigned managed identities, remove SystemAssigned from the identity type and keep UserAssigned along with the userAssignedIdentities dictionary values.

    Microsoft.Compute/virtualMachines API version 2018-06-01 and earlier

    If your apiVersion is 2017-12-01 and your VM has both system and user-assigned managed identities, remove SystemAssigned from the identity type and keep UserAssigned along with the identityIds array of the user-assigned managed identities.

The following example shows you how remove a system-assigned managed identity from a VM with no user-assigned managed identities:

{
    "apiVersion": "2018-06-01",
    "type": "Microsoft.Compute/virtualMachines",
    "name": "[parameters('vmName')]",
    "location": "[resourceGroup().location]",
    "identity": { 
        "type": "None"
}

User-assigned managed identity

In this section, you assign a user-assigned managed identity to an Azure VM using Azure Resource Manager template.

Note

To create a user-assigned managed identity using an Azure Resource Manager Template, see Create a user-assigned managed identity.

Assign a user-assigned managed identity to an Azure VM

  1. Under the resources element, add the following entry to assign a user-assigned managed identity to your VM. Be sure to replace <USERASSIGNEDIDENTITY> with the name of the user-assigned managed identity you created.

    Microsoft.Compute/virtualMachines API version 2018-06-01

    If your apiVersion is 2018-06-01, your user-assigned managed identities are stored in the userAssignedIdentities dictionary format and the <USERASSIGNEDIDENTITYNAME> value must be stored in a variable defined in the variables section of your template.

    {
        "apiVersion": "2018-06-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('vmName')]",
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "userAssigned",
            "userAssignedIdentities": {
                "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('<USERASSIGNEDIDENTITYNAME>'))]": {}
            }
         }
    }
    

    Microsoft.Compute/virtualMachines API version 2017-12-01 and earlier

    If your apiVersion is 2017-12-01, your user-assigned managed identities are stored in the identityIds array and the <USERASSIGNEDIDENTITYNAME> value must be stored in a variable defined in the variables section of your template.

    {
        "apiVersion": "2017-12-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('vmName')]",
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "userAssigned",
            "identityIds": [
                "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('<USERASSIGNEDIDENTITYNAME>'))]"
            ]
        }
    }
    
  2. (Optional) Next, under the resources element, add the following entry to assign the managed identity extension to your VM (planned for deprecation in January 2019). This step is optional as you can use the Azure Instance Metadata Service (IMDS) identity endpoint, to retrieve tokens as well. Use the following syntax:

    {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
        "apiVersion": "2018-06-01",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
        ],
        "properties": {
            "publisher": "Microsoft.ManagedIdentity",
            "type": "ManagedIdentityExtensionForWindows",
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": true,
            "settings": {
                "port": 50342
            }
        }
    }
    
  3. When you're done, the following sections should added to the resource section of your template and it should resemble the following:

    Microsoft.Compute/virtualMachines API version 2018-06-01

    "resources": [
         {
             //other resource provider properties...
             "apiVersion": "2018-06-01",
             "type": "Microsoft.Compute/virtualMachines",
             "name": "[variables('vmName')]",
             "location": "[resourceGroup().location]",
             "identity": {
                 "type": "userAssigned",
                 "userAssignedIdentities": {
                    "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('<USERASSIGNEDIDENTITYNAME>'))]": {}
                 }
             }
         },
         {
             "type": "Microsoft.Compute/virtualMachines/extensions",
             "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForLinux')]",
             "apiVersion": "2018-06-01-preview",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
             ],
             "properties": {
                 "publisher": "Microsoft.ManagedIdentity",
                 "type": "ManagedIdentityExtensionForWindows",
                 "typeHandlerVersion": "1.0",
                 "autoUpgradeMinorVersion": true,
                 "settings": {
                     "port": 50342
             }
         }
        }
     ]
    

    Microsoft.Compute/virtualMachines API version 2017-12-01 and earlier

    "resources": [
         {
             //other resource provider properties...
             "apiVersion": "2017-12-01",
             "type": "Microsoft.Compute/virtualMachines",
             "name": "[variables('vmName')]",
             "location": "[resourceGroup().location]",
             "identity": {
                 "type": "userAssigned",
                 "identityIds": [
                    "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('<USERASSIGNEDIDENTITYNAME>'))]"
                 ]
             }
         },
         {
             "type": "Microsoft.Compute/virtualMachines/extensions",
             "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForLinux')]",
             "apiVersion": "2015-05-01-preview",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
             ],
             "properties": {
                 "publisher": "Microsoft.ManagedIdentity",
                 "type": "ManagedIdentityExtensionForWindows",
                 "typeHandlerVersion": "1.0",
                 "autoUpgradeMinorVersion": true,
                 "settings": {
                     "port": 50342
             }
         }
        }
     ]
    

Remove a user-assigned managed identity from an Azure VM

If you have a VM that no longer needs a user-assigned managed identity:

  1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.

  2. Load the template into an editor and locate the Microsoft.Compute/virtualMachines resource of interest within the resources section. If you have a VM that only has user-assigned managed identity, you can disable it by changing the the identity type to None.

    The following example shows you how remove all user-assigned managed identities from a VM with no system-assigned managed identities:

     {
       "apiVersion": "2018-06-01",
       "type": "Microsoft.Compute/virtualMachines",
       "name": "[parameters('vmName')]",
       "location": "[resourceGroup().location]",
       "identity": { 
           "type": "None"
     }
    

    Microsoft.Compute/virtualMachines API version 2018-06-01 and earlier

    To remove a single user-assigned managed identity from a VM, remove it from the useraAssignedIdentities dictionary.

    If you have a system-assigned managed identity, keep it in the in the type value under the identity value.

    Microsoft.Compute/virtualMachines API version 2017-12-01

    To remove a a single user-assigned managed identity from a VM, remove it from the identityIds array.

    If you have a system-assigned managed identity, keep it in the in the type value under the identity value.

Next steps