Configure a VM Managed Service Identity (MSI) using Azure CLI

Managed Service Identity (MSI) is a preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Managed Service Identity provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, you will learn how to enable and remove MSI for an Azure VM, using Azure CLI.

Prerequisites

If you're unfamiliar with MSI, check out the Managed Service Identity overview.

If you don't already have an Azure account, sign up for a free account before continuing.

To run the CLI script examples, you have three options:

  • Use Azure Cloud Shell from the Azure portal (see next section).
  • Use the embedded Azure Cloud Shell via the "Try It" button, located in the top right corner of each code block.
  • Install the latest version of CLI 2.0 (2.0.13 or later) if you prefer to use a local CLI console.

Launch Azure Cloud Shell

The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure CLI preinstalled and configured to use with your account. Click the Cloud Shell button on the menu in the upper-right of the Azure portal.


The button launches an interactive shell that you can use to run the steps in this topic:

(Screenshot: the Cloud Shell window in the Azure portal)

Enable MSI during creation of an Azure VM

To create an MSI-enabled VM:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription under which you would like to deploy the VM:

    az login
    
  2. Create a resource group for containment and deployment of your VM and its related resources, using az group create. You can skip this step if you already have a resource group you would like to use instead:

    az group create --name myResourceGroup --location westus
    
  3. Create a VM using az vm create. The following example creates a VM named myVM with an MSI, as requested by the --assign-identity parameter. The --admin-username and --admin-password parameters specify the administrative user name and password for virtual machine sign-in. Update these values as appropriate for your environment:

    az vm create --resource-group myResourceGroup --name myVM --image win2016datacenter --generate-ssh-keys --assign-identity --admin-username azureuser --admin-password myPassword12
    

Enable MSI on an existing Azure VM

If you need to enable MSI on an existing Virtual Machine:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription that contains the VM. Also make sure your account belongs to a role that gives you write permissions on the VM, such as “Virtual Machine Contributor”:

    az login
    
  2. Use az vm assign-identity to add an MSI to an existing VM (the command below takes the resource group and VM name):

    az vm assign-identity -g myResourceGroup -n myVm
    

Remove MSI from an Azure VM

If you have a Virtual Machine that no longer needs an MSI:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription that contains the VM. Also make sure your account belongs to a role that gives you write permissions on the VM, such as “Virtual Machine Contributor”:

    az login
    
  2. Use az vm extension delete with the -n ManagedIdentityExtensionForWindows or -n ManagedIdentityExtensionForLinux switch (depending on the operating system of the VM) to remove the MSI:

    az vm extension delete --resource-group myResourceGroup --vm-name myVm -n ManagedIdentityExtensionForWindows
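
The three procedures above (enable at creation, enable on an existing VM, remove) can be driven from an inventory of which VMs actually carry an identity. The following Python script is an added example, not part of the article: it reads the JSON that az vm list -g <resource group> -o json returns, reports each VM's MSI principal id, and builds the az vm assign-identity or az vm extension delete command from the steps above, choosing the Windows or Linux extension name from the VM's OS disk type. The VM records are constructed sample data with placeholder names and ids.

```python
import json
from typing import Dict, List, Optional

# Extension names from the article's removal step, keyed by the VM's OS type.
MSI_EXTENSION = {
    "Windows": "ManagedIdentityExtensionForWindows",
    "Linux": "ManagedIdentityExtensionForLinux",
}

# Constructed sample shaped like `az vm list -g myResourceGroup -o json` output,
# reduced to the fields this script reads; names and ids are placeholders.
SAMPLE_VM_LIST = json.dumps([
    {"name": "myVM", "resourceGroup": "myResourceGroup",
     "identity": {"type": "SystemAssigned",
                  "principalId": "00000000-0000-0000-0000-000000000001"},
     "storageProfile": {"osDisk": {"osType": "Windows"}}},
    {"name": "myLinuxVm", "resourceGroup": "myResourceGroup",
     "identity": None,
     "storageProfile": {"osDisk": {"osType": "Linux"}}},
])

def msi_principal_id(vm: Dict) -> Optional[str]:
    """Principal id of the VM's system-assigned identity, or None if it has none."""
    identity = vm.get("identity") or {}
    if "SystemAssigned" in (identity.get("type") or ""):
        return identity.get("principalId")
    return None

def audit(vm_list_json: str) -> Dict[str, Optional[str]]:
    """Map each VM name to its MSI principal id (None when MSI is not enabled)."""
    return {vm["name"]: msi_principal_id(vm) for vm in json.loads(vm_list_json)}

def enable_command(vm: Dict) -> str:
    return f"az vm assign-identity -g {vm['resourceGroup']} -n {vm['name']}"

def remove_command(vm: Dict) -> str:
    ext = MSI_EXTENSION[vm["storageProfile"]["osDisk"]["osType"]]
    return (f"az vm extension delete --resource-group {vm['resourceGroup']} "
            f"--vm-name {vm['name']} -n {ext}")

def plan(vm_list_json: str, wanted: List[str]) -> List[str]:
    """Commands that leave exactly the VMs in `wanted` with an MSI (least privilege)."""
    commands = []
    for vm in json.loads(vm_list_json):
        has_msi = msi_principal_id(vm) is not None
        if vm["name"] in wanted and not has_msi:
            commands.append(enable_command(vm))
        elif vm["name"] not in wanted and has_msi:
            commands.append(remove_command(vm))
    return commands
```

The commands are only built, not executed, so the plan can be reviewed before it is run against the subscription.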
    
