Use a Linux VM Managed Service Identity to access Azure Resource Manager

Managed Service Identity is a public preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see the Supplemental Terms of Use for Microsoft Azure Previews.

This tutorial shows you how to enable Managed Service Identity for a Linux Virtual Machine, and then use that identity to access the Azure Resource Manager API. Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication without needing to insert credentials into your code. You learn how to:

  • Enable Managed Service Identity on a Linux Virtual Machine
  • Grant your VM access to a Resource Group in Azure Resource Manager
  • Get an access token using the VM identity and use it to call Azure Resource Manager


If you're not familiar with the Managed Service Identity feature, see this overview. If you don't have an Azure account, sign up for a free account before you continue.

To perform the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with role assignment, see Use Role-Based Access Control to manage access to your Azure subscription resources.

Sign in to Azure

Sign in to the Azure portal at

Create a Linux Virtual Machine in a new Resource Group

For this tutorial, we create a new Linux VM. You can also enable Managed Service Identity on an existing VM.

  1. Click the Create a resource button found on the upper left-hand corner of the Azure portal.
  2. Select Compute, and then select Ubuntu Server 16.04 LTS.
  3. Enter the virtual machine information. For Authentication type, select SSH public key or Password. The created credentials allow you to log in to the VM.

  4. Choose a Subscription for the virtual machine in the dropdown.

  5. To select a new Resource Group you would like the virtual machine to be created in, choose Create New. When complete, click OK.
  6. Select the size for the VM. To see more sizes, select View all or change the Supported disk type filter. On the settings blade, keep the defaults and click OK.

Enable Managed Service Identity on your VM

A Virtual Machine Managed Service Identity enables your code to get access tokens from Azure AD without putting credentials into it. Enabling Managed Service Identity on a VM does two things: it registers your VM with Azure Active Directory to create its managed identity, and it configures the identity on the VM.

  1. Select the Virtual Machine that you want to enable Managed Service Identity on.
  2. On the left navigation bar click Configuration.
  3. You see Managed Service Identity. To register and enable the Managed Service Identity, select Yes; to disable it, choose No.
  4. Ensure you click Save to save the configuration.

Grant your VM access to a Resource Group in Azure Resource Manager

Using Managed Service Identity, your code can get access tokens to authenticate to resources that support Azure AD authentication. The Azure Resource Manager API supports Azure AD authentication. First, we need to grant this VM's identity access to a resource in Azure Resource Manager, in this case the Resource Group in which the VM is contained. Reader, scoped to this Resource Group, is enough for the read call made later in this tutorial; grant no broader role or scope than your code needs.

  1. Navigate to the tab for Resource Groups.
  2. Select the specific Resource Group you created earlier.
  3. Go to Access control(IAM) in the left panel.
  4. Click Add to create a new role assignment for your VM. For Role, choose Reader.
  5. In the Assign access to dropdown, select Virtual Machine.
  6. Ensure the proper subscription is listed in the Subscription dropdown, and for Resource Group select All resource groups.
  7. Finally, in Select, choose your Linux Virtual Machine from the dropdown and click Save.

Get an access token using the VM's identity and use it to call Resource Manager

To complete these steps, you will need an SSH client. If you are using Windows, you can use the SSH client in the Windows Subsystem for Linux. If you need assistance configuring your SSH client's keys, see How to Use SSH keys with Windows on Azure, or How to create and use an SSH public and private key pair for Linux VMs in Azure.

  1. In the portal, navigate to your Linux VM and in the Overview, click Connect.
  2. Connect to the VM with the SSH client of your choice.
  3. In the terminal window, using curl, make a request to the local Managed Service Identity endpoint to get an access token for Azure Resource Manager. The request must carry the Metadata: true header; the endpoint rejects requests without it.

    The curl request for the access token is below.

    curl '' -H Metadata:true   


    The value of the "resource" parameter must exactly match what Azure AD expects. For the Resource Manager resource ID, you must include the trailing slash on the URI.

    The response includes the access token you need to access Azure Resource Manager.



    You can use this access token to access Azure Resource Manager, for example to read the details of the Resource Group to which you previously granted this VM access. Replace the values of <SUBSCRIPTION ID>, <RESOURCE GROUP>, and <ACCESS TOKEN> with the ones you created earlier.


    The URL is case-sensitive, so ensure you use the exact same case as when you named the Resource Group, including the uppercase "G" in "resourceGroups".

    curl<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>?api-version=2016-09-01 -H "Authorization: Bearer <ACCESS TOKEN>" 

    The response contains the details of the specific Resource Group:
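    The same two-step exchange (token from the local MSI endpoint, then the Resource Manager call with that bearer token) as an added example in Python; this is not code from the original tutorial. The page elides the endpoint URL, so the instance metadata identity endpoint and its api-version are an assumption here; replace them with the URL your VM documentation gives. The fake_msi_transport function, its token value and the subscription and group names are constructed so the exchange runs offline and shows the two checks the page calls out: the Metadata header and the exact resource match with trailing slash.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# ASSUMPTION: the page elides the endpoint URL; this is the instance metadata
# identity endpoint. Substitute the value from your own VM's documentation.
MSI_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
MSI_API_VERSION = "2018-02-01"
# Resource Manager resource ID. The trailing slash is part of the ID.
ARM_RESOURCE = "https://management.azure.com/"
ARM_BASE = "https://management.azure.com"


def token_request(resource=ARM_RESOURCE):
    """Return (url, headers) for the token request to the local MSI endpoint.

    Metadata: true is mandatory. The endpoint refuses requests without it, so a
    request relayed through an SSRF bug or a browser, which cannot set custom
    headers, cannot mint tokens for the VM's identity.
    """
    query = urllib.parse.urlencode(
        {"api-version": MSI_API_VERSION, "resource": resource})
    return MSI_TOKEN_ENDPOINT + "?" + query, {"Metadata": "true"}


def http_get(url, headers):
    """Real transport for use on the VM: GET, returning (status, body_text)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def fake_msi_transport(url, headers):
    """Constructed stand-in for the local endpoint so the flow runs offline.

    Models the header check and the exact resource match; the token is made up.
    """
    if headers.get("Metadata") != "true":
        return 400, json.dumps({"error": "invalid_request",
                                "error_description": "Metadata header required"})
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    resource = query.get("resource", [""])[0]
    if resource != ARM_RESOURCE:  # "https://management.azure.com" (no slash) fails here
        return 400, json.dumps({"error": "invalid_resource",
                                "error_description": "unknown resource " + resource})
    return 200, json.dumps({
        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.constructed",
        "expires_on": str(int(time.time()) + 3600),
        "resource": resource,
        "token_type": "Bearer",
    })


def get_access_token(transport, resource=ARM_RESOURCE):
    """Request a token via `transport` and validate the response before use."""
    url, headers = token_request(resource)
    status, body = transport(url, headers)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}: {body}")
    data = json.loads(body)
    missing = [k for k in ("access_token", "expires_on", "resource", "token_type")
               if k not in data]
    if missing:
        raise ValueError("token response missing " + ", ".join(missing))
    if data["token_type"].lower() != "bearer" or data["resource"] != resource:
        raise ValueError("token is not a bearer token for " + resource)
    if int(data["expires_on"]) <= time.time():
        raise ValueError("token already expired")
    return data


def resource_group_url(subscription_id, resource_group, api_version="2016-09-01"):
    """Build the ARM URL for a resource group. 'resourceGroups' keeps its
    uppercase G and the group name keeps the case it was created with."""
    return (f"{ARM_BASE}/subscriptions/{subscription_id}/resourceGroups/"
            f"{urllib.parse.quote(resource_group, safe='')}?api-version={api_version}")


def bearer_headers(token):
    return {"Authorization": "Bearer " + token["access_token"]}


def read_resource_group(transport, token, subscription_id, resource_group):
    """GET the resource group; the Reader role granted earlier is sufficient."""
    status, body = transport(resource_group_url(subscription_id, resource_group),
                             bearer_headers(token))
    if status != 200:
        raise RuntimeError(f"ARM call failed: HTTP {status}: {body}")
    return json.loads(body)


if __name__ == "__main__":
    tok = get_access_token(fake_msi_transport)  # offline, constructed endpoint
    print("token for", tok["resource"], "expires at", tok["expires_on"])
    # On the VM, switch to the real transport and your own identifiers:
    # tok = get_access_token(http_get)
    # print(read_resource_group(http_get, tok, "<SUBSCRIPTION ID>", "<RESOURCE GROUP>"))
```

The transport is passed in so the validation logic is the same whether it talks to the constructed endpoint or, on the VM, to the real one via http_get. Treat the returned access_token as a credential: it grants whatever the VM's role assignment allows until expires_on, so do not log it or write it to disk.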


Next steps

In this tutorial, you learned how to enable a Managed Service Identity on an Azure Linux Virtual Machine, grant it Reader access to a Resource Group, and use it to get an access token and call the Azure Resource Manager API. To learn more about Azure Resource Manager, see: