Configure Managed Service Identity (MSI) on an Azure VM using Azure CLI

Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Managed Service Identity provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, you learn how to perform the following Managed Service Identity operations on an Azure VM, using the Azure CLI:

  • Enable and disable the system assigned identity on an Azure VM
  • Add and remove a user assigned identity on an Azure VM

Prerequisites

Open Azure Cloud Shell

Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Just select the Copy button to copy the code, paste it in Cloud Shell, and then press Enter to run it. There are a few ways to open Cloud Shell:

  • Select Try It in the upper-right corner of a code block.
  • Open Cloud Shell in your browser at https://shell.azure.com/bash.
  • Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.

System assigned identity

In this section, you learn how to enable and disable the system assigned identity on an Azure VM using Azure CLI.

Enable system assigned identity during creation of an Azure VM

To create an Azure VM with the system assigned identity enabled:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription under which you would like to deploy the VM:

    az login
    
  2. Create a resource group for containment and deployment of your VM and its related resources, using az group create. You can skip this step if you already have a resource group you would like to use instead:

    az group create --name myResourceGroup --location westus
    
  3. Create a VM using az vm create. The following example creates a VM named myVM with a system assigned identity, as requested by the --assign-identity parameter. The --admin-username and --admin-password parameters specify the administrative user name and password for virtual machine sign-in. Update these values as appropriate for your environment, and keep in mind that a password passed on the command line is recorded in your shell history:

    az vm create --resource-group myResourceGroup --name myVM --image win2016datacenter --generate-ssh-keys --assign-identity --admin-username azureuser --admin-password myPassword12
    

Enable system assigned identity on an existing Azure VM

If you need to enable the system assigned identity on an existing VM:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription that contains the VM. Also make sure your account belongs to a role that gives you write permissions on the VM, such as “Virtual Machine Contributor”:

    az login
    
  2. Use az vm identity assign to enable the system assigned identity on an existing VM:

    az vm identity assign -g myResourceGroup -n myVM
    

Disable the system assigned identity from an Azure VM

Note

Disabling Managed Service Identity from a Virtual Machine is currently not supported. In the meantime, you can switch between using System Assigned and User Assigned Identities.

If you have a Virtual Machine that no longer needs the system assigned identity but still needs user assigned identities, use the following command:

az vm update -n myVM -g myResourceGroup --set identity.type='UserAssigned' 

To remove the MSI VM extension, use the -n ManagedIdentityExtensionForWindows or -n ManagedIdentityExtensionForLinux switch (depending on the type of VM) with az vm extension delete:

az vm extension delete --resource-group myResourceGroup --vm-name myVM -n ManagedIdentityExtensionForWindows

User Assigned identity

In this section, you will learn how to add and remove a user assigned identity from an Azure VM, using Azure CLI.

Assign a user assigned identity during the creation of an Azure VM

This section walks you through creation of a VM with assignment of a user assigned identity. If you already have a VM you want to use, skip this section and proceed to the next.

  1. Create a resource group for containment and deployment of your MSI, using az group create. You can skip this step if you already have a resource group you would like to use. Be sure to replace the <RESOURCE GROUP> and <LOCATION> parameter values with your own values:

    az group create --name <RESOURCE GROUP> --location <LOCATION>
    
  2. Create a user assigned identity using az identity create. The -g parameter specifies the resource group where the user assigned identity is created, and the -n parameter specifies its name.

    Important

    Creating user assigned identities only supports alphanumeric and hyphen (0-9 or a-z or A-Z or -) characters. Additionally, the name should be limited to 24 characters for the assignment to a VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

    az identity create -g myResourceGroup -n myUserAssignedIdentity

The response contains details for the user assigned identity created, similar to the following. The resource id value assigned to the user assigned identity is used in the following step.

{
     "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
     "clientSecretUrl": "https://control-westcentralus.identity.azure.net/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MSI NAME>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
     "id": "/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MSI NAME>",
     "location": "westcentralus",
     "name": "<MSI NAME>",
     "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
     "resourceGroup": "<RESOURCE GROUP>",
     "tags": {},
     "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
     "type": "Microsoft.ManagedIdentity/userAssignedIdentities"    
}
  3. Create a VM using az vm create. The following example creates a VM associated with the new user assigned identity, as specified by the --assign-identity parameter. Be sure to replace the <RESOURCE GROUP>, <VM NAME>, <USER NAME>, <PASSWORD>, and <MSI ID> parameter values with your own values. For <MSI ID>, use the user assigned identity's resource id property created in the previous step:

    az vm create --resource-group <RESOURCE GROUP> --name <VM NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <MSI ID>
    

Assign a user assigned identity to an existing Azure VM

  1. Create a user assigned identity using az identity create. The -g parameter specifies the resource group where the user assigned identity is created, and the -n parameter specifies its name. Be sure to replace the <RESOURCE GROUP> and <MSI NAME> parameter values with your own values:

    Important

    Creating user assigned identities with special characters (for example, an underscore) in the name is not currently supported. Use alphanumeric characters only. Check back for updates. For more information, see FAQs and known issues.

    az identity create -g <RESOURCE GROUP> -n <MSI NAME>
    

    The response contains details for the user assigned MSI created, similar to the following. The resource id value assigned to the user assigned identity is used in the following step.

    {
         "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
         "clientSecretUrl": "https://control-westcentralus.identity.azure.net/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MSI NAME>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
         "id": "/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MSI NAME>",
         "location": "westcentralus",
         "name": "<MSI NAME>",
         "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
         "resourceGroup": "<RESOURCE GROUP>",
         "tags": {},
         "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
         "type": "Microsoft.ManagedIdentity/userAssignedIdentities"    
    }
    
  2. Assign the user assigned identity to your VM using az vm identity assign. Be sure to replace the <RESOURCE GROUP> and <VM NAME> parameter values with your own values. The <MSI ID> will be the user assigned identity's resource id property, as created in the previous step:

    az vm identity assign -g <RESOURCE GROUP> -n <VM NAME> --identities <MSI ID>
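The two procedures above (create the identity, then attach it to a VM) as one script, added here as an example; it is not part of the original article. It assumes the az CLI is installed and signed in, that the VM already exists, and that the caller sets RESOURCE_GROUP, VM_NAME and MSI_NAME. The name check encodes the limits from the Important note (alphanumeric and hyphen only, at most 24 characters), and the final step confirms that the identity's resource id actually appears in the VM's identity block, a check the article's steps do not include. No az command runs unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Creates a user assigned
# identity, attaches it to an existing VM and verifies the attachment.
# Assumes: az CLI installed and signed in; RESOURCE_GROUP, VM_NAME and
# MSI_NAME set by the caller. No az command runs unless APPLY=1.

# Enforce the naming limits stated in the article: only 0-9, a-z, A-Z and
# hyphen, and at most 24 characters so the assignment to a VM works.
validate_msi_name() {
  name="$1"
  [ -n "$name" ] || { echo "identity name must not be empty" >&2; return 1; }
  case "$name" in
    *[!A-Za-z0-9-]*)
      echo "identity name '$name' contains characters other than 0-9, a-z, A-Z or -" >&2
      return 1 ;;
  esac
  if [ "${#name}" -gt 24 ]; then
    echo "identity name '$name' is ${#name} characters; the limit is 24" >&2
    return 1
  fi
  return 0
}

# Return 0 if the identity resource id appears in the VM's identity block
# (the JSON printed by `az vm show --query identity -o json`). The match is
# case-insensitive because Azure resource ids are not case-sensitive and
# the CLI does not normalize their casing.
identity_attached() {
  vm_identity_json="$1"
  msi_id="$2"
  printf '%s' "$vm_identity_json" | grep -qiF -- "$msi_id"
}

# Create the identity, assign it, then read the VM back and check.
create_and_assign() {
  rg="$1"; vm="$2"; msi="$3"
  validate_msi_name "$msi" || return 1
  # --query id -o tsv extracts the resource id from the JSON response
  msi_id="$(az identity create -g "$rg" -n "$msi" --query id -o tsv)" || return 1
  az vm identity assign -g "$rg" -n "$vm" --identities "$msi_id" >/dev/null || return 1
  vm_identity="$(az vm show -g "$rg" -n "$vm" --query identity -o json)" || return 1
  if identity_attached "$vm_identity" "$msi_id"; then
    echo "attached $msi_id to $vm"
  else
    echo "assignment did not take effect; VM identity block is: $vm_identity" >&2
    return 1
  fi
}

if [ "${APPLY:-0}" = "1" ]; then
  create_and_assign "${RESOURCE_GROUP:?}" "${VM_NAME:?}" "${MSI_NAME:?}"
fi
```

Run it as `APPLY=1 RESOURCE_GROUP=myResourceGroup VM_NAME=myVM MSI_NAME=myUserAssignedIdentity ./assign-msi.sh`; without APPLY=1 the file only defines the functions, which makes the name and attachment checks usable from other scripts.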
    

Remove a user assigned identity from an Azure VM

Note

Removing all user assigned identities from a Virtual Machine is currently not supported, unless you have a system assigned identity.

If your VM has multiple user assigned identities, you can remove all but the last one using az vm identity remove. Be sure to replace the <RESOURCE GROUP> and <VM NAME> parameter values with your own values. The <MSI NAME> will be the user assigned identity's name property, which can be found in the identity section of the VM using az vm show:

az vm identity remove -g <RESOURCE GROUP> -n <VM NAME> --identities <MSI NAME>

If your VM has both system assigned and user assigned identities, you can remove all the user assigned identities by switching to use only system assigned. Use the following command:

az vm update -n myVM -g myResourceGroup --set identity.type='SystemAssigned' identity.identityIds=null
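The remove and switch operations in this section, and the one in "Disable the system assigned identity from an Azure VM" above, all hinge on the VM's current identity.type and on the two restrictions the article states (MSI cannot be disabled entirely, and the last user assigned identity can only be dropped when a system assigned identity is present). The following script is an added example, not part of the original article: it reads the current type, decides which az vm update settings apply, and refuses the unsupported transitions before touching the VM. It assumes the az CLI is installed and signed in, that az vm show reports identity.type as SystemAssigned, UserAssigned or "SystemAssigned, UserAssigned" (an empty value is treated as no identity), and that the caller sets RESOURCE_GROUP, VM_NAME and OPERATION. No az command runs unless APPLY=1.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Plans and applies the
# identity.type transitions the article describes and refuses the ones it
# says are unsupported. Assumes: az CLI installed and signed in; the caller
# sets RESOURCE_GROUP, VM_NAME and OPERATION; `az vm show` reports
# identity.type as "SystemAssigned", "UserAssigned" or
# "SystemAssigned, UserAssigned" (empty means no identity).
# No az command runs unless APPLY=1.

# Lower-case and strip spaces so "SystemAssigned, UserAssigned" and
# "SystemAssigned,UserAssigned" compare equal.
normalize_type() {
  printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z'
}

# Print the VM's identity.type, or "None" when the VM has no identity.
current_identity_type() {
  rg="$1"; vm="$2"
  t="$(az vm show -g "$rg" -n "$vm" --query identity.type -o tsv)" || return 1
  printf '%s\n' "${t:-None}"
}

# plan_identity_change <current identity.type> <drop-system|drop-all-user>
# Prints the settings for `az vm update --set`, or returns 1 with the reason
# on stderr when the article states the transition is not supported.
# The single quotes in the article's commands are shell quoting; az itself
# receives identity.type=UserAssigned, which is what is emitted here.
plan_identity_change() {
  current="$(normalize_type "$1")"; op="$2"
  case "$op" in
    drop-system)
      case "$current" in
        systemassigned,userassigned)
          echo "identity.type=UserAssigned" ;;
        systemassigned)
          echo "unsupported: disabling MSI entirely is not supported; assign a user assigned identity first" >&2
          return 1 ;;
        userassigned|none|"")
          echo "nothing to do: the VM has no system assigned identity" >&2
          return 1 ;;
        *)
          echo "unrecognized identity.type '$1'" >&2
          return 1 ;;
      esac ;;
    drop-all-user)
      case "$current" in
        systemassigned,userassigned)
          echo "identity.type=SystemAssigned identity.identityIds=null" ;;
        userassigned)
          echo "unsupported: the last user assigned identity cannot be removed without a system assigned identity; run az vm identity assign first" >&2
          return 1 ;;
        systemassigned|none|"")
          echo "nothing to do: the VM has no user assigned identities" >&2
          return 1 ;;
        *)
          echo "unrecognized identity.type '$1'" >&2
          return 1 ;;
      esac ;;
    *)
      echo "unknown operation '$op' (expected drop-system or drop-all-user)" >&2
      return 1 ;;
  esac
}

# Query, plan, apply, then print the resulting identity.type.
apply_change() {
  rg="$1"; vm="$2"; op="$3"
  current="$(current_identity_type "$rg" "$vm")" || return 1
  settings="$(plan_identity_change "$current" "$op")" || return 1
  # $settings is deliberately unquoted: it holds one or two key=value pairs
  # that `az vm update --set` takes as separate arguments.
  az vm update -g "$rg" -n "$vm" --set $settings >/dev/null || return 1
  current_identity_type "$rg" "$vm"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_change "${RESOURCE_GROUP:?}" "${VM_NAME:?}" "${OPERATION:?drop-system or drop-all-user}"
fi
```

Run it as `APPLY=1 RESOURCE_GROUP=myResourceGroup VM_NAME=myVM OPERATION=drop-all-user ./switch-msi.sh`; it prints the identity.type the VM ends up with, so a successful drop-all-user finishes with SystemAssigned and a successful drop-system with UserAssigned.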