Assign a Managed Service Identity access to a resource by using the Azure portal

Managed Service Identity (MSI) is a preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

After you've configured an Azure resource with a Managed Service Identity (MSI), you can give the MSI access to another resource, just like any security principal. This article shows you how to give an Azure virtual machine's MSI access to an Azure storage account, by using the Azure portal.


If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure account, sign up for a free account before continuing.

Use RBAC to assign the MSI access to another resource

After you've enabled MSI on an Azure resource, such as an Azure VM:

  1. Sign in to the Azure portal using an account associated with the Azure subscription under which you have configured the MSI.

  2. Navigate to the desired resource on which you want to modify access control. In this example, we are giving an Azure VM access to a storage account, so we navigate to the storage account.

  3. Select the Access control (IAM) page of the resource, and select + Add. Then specify the Role, Assign access to Virtual Machine, and specify the corresponding Subscription and Resource Group where the resource resides. Under the search criteria area, you should see the resource. Select the resource, and select Save.

    Access control (IAM) screenshot

  4. You are returned to the main Access control (IAM) page, where you see a new entry for the resource's MSI. In this example, the "SimpleWinVM" VM from the Demo Resource Group has Contributor access to the storage account.

    Access control (IAM) screenshot


If the MSI for the resource does not show up in the list of available identities, verify that the MSI has been enabled correctly. In our case, we can go back to the Azure VM, and check the following:

  • Look at the Configuration page and ensure that the value for MSI enabled is Yes.
  • Look at the Extensions page and ensure that the MSI extension deployed successfully.

If either is incorrect, you might need to redeploy the MSI on your resource again, or troubleshoot the deployment failure.