Configure a VM Managed Service Identity (MSI) using PowerShell

Managed Service Identity (MSI) is a preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Managed Service Identity provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, you learn how to enable and remove MSI for an Azure VM, using PowerShell.

Prerequisites

If you're unfamiliar with MSI, check out the Managed Service Identity overview.

If you don't already have an Azure account, sign up for a free account before continuing.

Also, install Azure PowerShell version 4.3.1 if you haven't already.

Enable MSI during creation of an Azure VM

To create an MSI-enabled VM:

  1. Refer to one of the following Azure VM Quickstarts, completing only the necessary sections ("Log in to Azure", "Create resource group", "Create networking group", "Create the VM").

    Important

    When you get to the "Create the VM" section, make a slight modification to the New-AzureRmVMConfig cmdlet syntax. Be sure to add a -IdentityType "SystemAssigned" parameter to provision the VM with an MSI, for example:

    $vmConfig = New-AzureRmVMConfig -VMName myVM -IdentityType "SystemAssigned" ...

  2. Add the MSI VM extension using the -Type parameter on the Set-AzureRmVMExtension cmdlet. You can pass either "ManagedIdentityExtensionForWindows" or "ManagedIdentityExtensionForLinux", depending on the type of VM, and name it using the -Name parameter. The -Settings parameter specifies the port used by the OAuth token endpoint for token acquisition:

    $settings = @{ "port" = 50342 }
    Set-AzureRmVMExtension -ResourceGroupName myResourceGroup -Location WestUS -VMName myVM -Name "ManagedIdentityExtensionForWindows" -Type "ManagedIdentityExtensionForWindows" -Publisher "Microsoft.ManagedIdentity" -TypeHandlerVersion "1.0" -Settings $settings 
    

Enable MSI on an existing Azure VM

If you need to enable MSI on an existing Virtual Machine:

  1. Sign in to Azure using Login-AzureRmAccount. Use an account that is associated with the Azure subscription that contains the VM. Also make sure your account belongs to a role that gives you write permissions on the VM, such as “Virtual Machine Contributor”:

    Login-AzureRmAccount
    
  2. First retrieve the VM properties using the Get-AzureRmVM cmdlet. Then, to enable MSI, pass the -IdentityType parameter to the Update-AzureRmVM cmdlet:

    $vm = Get-AzureRmVM -ResourceGroupName myResourceGroup -Name myVM
    Update-AzureRmVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType "SystemAssigned"
    
  3. Add the MSI VM extension using the -Type parameter on the Set-AzureRmVMExtension cmdlet. You can pass either "ManagedIdentityExtensionForWindows" or "ManagedIdentityExtensionForLinux", depending on the type of VM, and name it using the -Name parameter. The -Settings parameter specifies the port used by the OAuth token endpoint for token acquisition. Be sure to specify the correct -Location parameter, matching the location of the existing VM:

    $settings = @{ "port" = 50342 }
    Set-AzureRmVMExtension -ResourceGroupName myResourceGroup -Location WestUS -VMName myVM -Name "ManagedIdentityExtensionForWindows" -Type "ManagedIdentityExtensionForWindows" -Publisher "Microsoft.ManagedIdentity" -TypeHandlerVersion "1.0" -Settings $settings 
    
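The three steps above, and the matching extension step in the previous section, put together as one script. This is an added example, not the article's own code: it derives the extension type from the VM's OS disk and takes -Location from the VM object rather than hard-coding WestUS, then re-reads the VM to confirm the identity and the extension were actually provisioned. It assumes the AzureRm cmdlets named in the article and that Get-AzureRmVM exposes the StorageProfile.OsDisk.OsType, Location, Identity.PrincipalId and Extensions properties under those names.

```powershell
# Added example (not from the original article): enable a system-assigned MSI on an
# existing VM and verify the result. Assumed property names on the object returned by
# Get-AzureRmVM: Location, StorageProfile.OsDisk.OsType, Identity.PrincipalId.
param(
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $VMName,
    [int] $Port = 50342   # local port of the OAuth token endpoint, as in the article
)

# Step 1: sign in with an account that has write access to the VM (e.g. Virtual Machine Contributor).
Login-AzureRmAccount | Out-Null

# Step 2: read the VM and request a system-assigned identity.
$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
Update-AzureRmVM -ResourceGroupName $ResourceGroupName -VM $vm -IdentityType "SystemAssigned" | Out-Null

# Step 3: add the MSI extension. Pick Windows/Linux from the OS disk instead of guessing,
# and reuse the VM's own location so the -Location value cannot drift from the VM.
$osType  = $vm.StorageProfile.OsDisk.OsType          # "Windows" or "Linux"
$extName = "ManagedIdentityExtensionFor$osType"       # ...ForWindows or ...ForLinux

$settings = @{ "port" = $Port }
Set-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -Location $vm.Location -VMName $VMName `
    -Name $extName -Type $extName -Publisher "Microsoft.ManagedIdentity" `
    -TypeHandlerVersion "1.0" -Settings $settings | Out-Null

# Check: re-read the VM and confirm both the identity and the extension are present.
$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
if (-not ($vm.Identity -and $vm.Identity.PrincipalId)) {
    throw "No system-assigned identity was provisioned on $VMName"
}
Write-Output "MSI enabled; service principal object id: $($vm.Identity.PrincipalId)"

$ext = Get-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $extName
Write-Output "Extension $($ext.Name) provisioning state: $($ext.ProvisioningState)"
```

Run it as `.\Enable-VmMsi.ps1 -ResourceGroupName myResourceGroup -VMName myVM`. The printed principal object id is the value you later grant RBAC roles to; nothing is granted to it by this script, so the identity starts with no access and you scope its permissions separately.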

Remove MSI from an Azure VM

If you have a Virtual Machine that no longer needs an MSI, you can use the Remove-AzureRmVMExtension cmdlet to remove MSI from the VM:

  1. Sign in to Azure using Login-AzureRmAccount. Use an account that is associated with the Azure subscription that contains the VM. Also make sure your account belongs to a role that gives you write permissions on the VM, such as “Virtual Machine Contributor”:

    Login-AzureRmAccount
    
  2. Use the -Name parameter with the Remove-AzureRmVMExtension cmdlet, specifying the same name you used when you added the extension:

    Remove-AzureRmVMExtension -ResourceGroupName myResourceGroup -Name "ManagedIdentityExtensionForWindows" -VMName myVM
    
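The removal step as a script that does not rely on remembering the extension name. This is an added example, not the article's own code: it locates the MSI extension on the VM by its publisher, removes it, and confirms it is gone. It assumes the AzureRm cmdlets named in the article and that the VM object returned by Get-AzureRmVM carries an Extensions collection whose items expose Name and Publisher.

```powershell
# Added example (not from the original article): remove the MSI extension from a VM,
# finding it by publisher rather than by a hard-coded name, then verify the removal.
# Assumed property names: $vm.Extensions, each with .Name and .Publisher.
param(
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $VMName
)

# Step 1: sign in with an account that has write access to the VM.
Login-AzureRmAccount | Out-Null

$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName

# Step 2: find the extension that was added with -Publisher "Microsoft.ManagedIdentity".
$msiExt = $vm.Extensions | Where-Object { $_.Publisher -eq "Microsoft.ManagedIdentity" }
if (-not $msiExt) {
    Write-Output "No MSI extension found on $VMName; nothing to remove."
    return
}

foreach ($ext in $msiExt) {
    Write-Output "Removing extension $($ext.Name) from $VMName"
    Remove-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $ext.Name -Force | Out-Null
}

# Check: re-read the VM and make sure no Microsoft.ManagedIdentity extension remains.
$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
$left = $vm.Extensions | Where-Object { $_.Publisher -eq "Microsoft.ManagedIdentity" }
if ($left) {
    throw "MSI extension still present on $VMName after removal"
}
Write-Output "MSI extension removed from $VMName"
```

The -Force switch suppresses the confirmation prompt so the script can run unattended; drop it if you want to confirm each removal interactively.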
