FAQs and known issues with Managed Service Identity (MSI) for Azure Active Directory

Managed Service Identity (MSI) is a preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Frequently Asked Questions (FAQs)

Does MSI work with Azure Cloud Services?

No, there are no plans to support MSI in Azure Cloud Services.

Does MSI work with the Active Directory Authentication Library (ADAL) or the Microsoft Authentication Library (MSAL)?

No, MSI is not yet integrated with ADAL or MSAL. For details on acquiring an MSI token using the MSI REST endpoint, see How to use an Azure VM Managed Service Identity (MSI) for token acquisition.

What are the supported Linux distributions?

The following Linux distributions support MSI:

  • CoreOS Stable
  • CentOS 7.1
  • RedHat 7.2
  • Ubuntu 15.04

Other Linux distributions are currently not supported, and the extension might fail on unsupported distributions.

The extension works on CentOS 6.9. However, due to the lack of system support in 6.9, the extension does not automatically restart if it crashes or is stopped. It restarts when the VM restarts. To restart the extension manually, see How do you restart the MSI extension?

How do you restart the MSI extension?

On Windows and certain versions of Linux, if the extension stops, the following cmdlet may be used to manually restart it:

Set-AzureRmVMExtension -Name <extension name> -Type <extension Type> -Location <location> -Publisher Microsoft.ManagedIdentity -VMName <vm name> -ResourceGroupName <resource group name> -ForceRerun <Any string different from any last value used>

Where:

  • Extension name and type for Windows is: ManagedIdentityExtensionForWindows
  • Extension name and type for Linux is: ManagedIdentityExtensionForLinux
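As an added example (not part of this article), the following PowerShell script wraps the restart cmdlet above: it reads the VM's OS type to pick the matching extension name and type, generates a fresh -ForceRerun value so the rerun is actually triggered, and checks the extension's provisioning state afterwards. It assumes the AzureRM module is loaded and you are already signed in to the subscription.

```powershell
# Added example, not from the original article: restart the MSI VM extension.
# Assumes the AzureRM module is imported and a session exists (Login-AzureRmAccount).
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $VMName
)

$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName

# Extension name and type are identical and depend only on the OS (see the list above).
$extension = if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') {
    'ManagedIdentityExtensionForWindows'
} else {
    'ManagedIdentityExtensionForLinux'
}

# -ForceRerun must differ from the last value used; a new GUID guarantees that.
$forceRerun = [guid]::NewGuid().ToString()

Set-AzureRmVMExtension -ResourceGroupName $ResourceGroupName `
    -VMName $VMName `
    -Name $extension `
    -Type $extension `
    -Publisher 'Microsoft.ManagedIdentity' `
    -Location $vm.Location `
    -ForceRerun $forceRerun

# Confirm the extension came back; anything other than Succeeded needs a closer look.
$status = Get-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $extension
if ($status.ProvisioningState -ne 'Succeeded') {
    Write-Warning "MSI extension '$extension' is in state '$($status.ProvisioningState)'."
} else {
    Write-Output "MSI extension '$extension' restarted on '$VMName'."
}
```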

Known issues

"Automation script" fails when attempting schema export for MSI extension

When Managed Service Identity is enabled on a VM, the following error is shown when attempting to use the “Automation script” feature for the VM, or its resource group:

(Screenshot: MSI automation script export error)

The Managed Service Identity VM extension does not currently support the ability to export its schema to a resource group template. As a result, the generated template does not show configuration parameters to enable Managed Service Identity on the resource. These sections can be added manually by following the examples in Configure a VM Managed Service Identity by using a template.

When the schema export functionality becomes available for the MSI VM extension, it will be listed in Exporting Resource Groups that contain VM extensions.

Configuration blade does not appear in the Azure portal

If the VM Configuration blade does not appear on your VM, then MSI has not been enabled in the portal in your region yet. Check again later. You can also enable MSI for your VM using PowerShell or the Azure CLI.

Cannot assign access to virtual machines in the Access Control (IAM) blade

If Virtual Machine does not appear in the Azure portal as a choice under Assign access to in Access Control (IAM) > Add permissions, then Managed Service Identity has not been enabled in the portal in your region yet. Check again later. You can still select the Managed Service Identity for the role assignment by searching for the MSI's Service Principal: enter the name of the VM in the Select field, and the Service Principal appears in the search results.

VM fails to start after being moved from resource group or subscription

If you move a VM in the running state, it continues to run during the move. However, if the VM is stopped and restarted after the move, it fails to start. This happens because the VM does not update its reference to the MSI identity and continues to point to the identity in the old resource group.

Workaround

Trigger an update on the VM so that it picks up the correct values for the MSI. A VM property change is enough to update the reference to the MSI identity. For example, you can set a new tag value on the VM with the following command:

az vm update -n <VM Name> -g <Resource Group> --set tags.fixVM=1

This command sets a new tag "fixVM" with a value of 1 on the VM.

By setting this property, the VM updates with the correct MSI resource URI, and then you should be able to start the VM.

Once the VM has started, the tag can be removed by using the following command:

az vm update -n <VM Name> -g <Resource Group> --remove tags.fixVM