Assign a Managed Service Identity access to a resource by using the Azure portal
After you've configured an Azure resource with a Managed Service Identity (MSI), you can give the MSI access to another resource, just like any security principal. This article shows you how to give an Azure virtual machine's MSI access to an Azure storage account, by using the Azure portal.
Use RBAC to assign the MSI access to another resource
After you've enabled MSI on an Azure resource, such as an Azure VM:
Sign in to the Azure portal using an account associated with the Azure subscription under which you have configured the MSI.
Navigate to the desired resource on which you want to modify access control. In this example, we are giving an Azure VM access to a storage account, so we navigate to the storage account.
Select the Access control (IAM) page of the resource, and select + Add. Then specify the Role, Assign access to Virtual Machine, and specify the corresponding Subscription and Resource Group where the resource resides. Under the search criteria area, you should see the resource. Select the resource, and select Save.
You are returned to the main Access control (IAM) page, where you see a new entry for the resource's MSI. In this example, the "SimpleWinVM" VM from the Demo Resource Group has Contributor access to the storage account.
If the MSI for the resource does not show up in the list of available identities, verify that the MSI has been enabled correctly. In our case, we can go back to the Azure VM, and check the following:
- Look at the Configuration page and ensure that the value for MSI enabled is Yes.
- Look at the Extensions page and ensure that the MSI extension deployed successfully.
If either is incorrect, you might need to redeploy the MSI on your resource again, or troubleshoot the deployment failure.
- For an overview of MSI, see Managed Service Identity overview.
- To enable MSI on an Azure VM, see Configure an Azure VM Managed Service Identity (MSI) using the Azure portal.