Assign a Managed Service Identity (MSI) access to a resource using Azure CLI

Managed Service Identity (MSI) is a preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Once you've configured an Azure resource with an MSI, you can give the MSI access to another resource, just like any security principal. This example shows you how to give an Azure virtual machine's MSI access to an Azure storage account, using Azure CLI.


If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure account, sign up for a free account before continuing.

To run the CLI script examples, you have three options:

  • Use Azure Cloud Shell from the Azure portal (see next section).
  • Use the embedded Azure Cloud Shell via the "Try It" button, located in the top right corner of each code block.
  • Install the latest version of CLI 2.0 (2.0.13 or later) if you prefer to use a local CLI console.

Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. Just click the Copy to copy the code, paste it into the Cloud Shell, and then press enter to run it. There are two ways to launch the Cloud Shell:

Click Try It in the upper right corner of a code block. Cloud Shell in this article
Click the Cloud Shell button on the menu in the upper right of the Azure portal. Cloud Shell in the portal

Use RBAC to assign the MSI access to another resource

After you've enabled MSI on an Azure resource, such as an Azure VM:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription under which you would like to deploy the VM:

    az login
  2. In this example, we are giving an Azure VM access to a storage account. First we use az resource list to get the service principal for the VM named "myVM", which was created when we enabled MSI on the VM:

    spID=$(az resource list -n myVM --query [*].identity.principalId --out tsv)
  3. Once we have the service principal ID, we use az role assignment create to give the VM "Reader" access to a storage account called "myStorageAcct":

    az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/myStorageAcct


If the MSI for the resource does not show up in the list of available identities, verify that the MSI has been enabled correctly. In our case, we can go back to the Azure VM in the Azure portal and:

  • Look at the "Configuration" page and ensure MSI enabled = "Yes."
  • Look at the "Extensions" page and ensure the MSI extension deployed successfully.

If either is incorrect, you may need to redeploy the MSI on your resource again, or troubleshoot the deployment failure.

Use the following comments section to provide feedback and help us refine and shape our content.