Create and use managed identity

Important

Managed identity for Document Translation is currently unavailable in the global region. If you intend to use managed identity for Document Translation operations, create your Translator resource in a non-global Azure region.

What is managed identity?

Azure managed identity is a service principal that creates an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources. You can use a managed identity to grant access to any resource that supports Azure AD authentication. To grant access, assign a role to a managed identity using Azure role-based access control (Azure RBAC). There is no added cost to use managed identity in Azure.

Managed identity supports both privately and publicly accessible Azure blob storage accounts. For storage accounts with public access, you can opt to use a shared access signature (SAS) to grant limited access. In this article, we will examine how to manage access to translation documents in your Azure blob storage account using system-assigned managed identity.

Prerequisites

To get started, you'll need:

Managed Identity assignments

There are two types of managed identity: system-assigned and user-assigned. Currently, Document Translation is supported by system-assigned managed identity. A system-assigned managed identity is enabled directly on a service instance. It is not enabled by default; you must go to your resource and update the identity setting. The system-assigned managed identity is tied to your resource throughout its lifecycle. If you delete your resource, the managed identity will be deleted as well.

In the following steps, we'll enable a system-assigned managed identity and grant your Translator resource limited access to your Azure blob storage account.

Enable a system-assigned managed identity using the Azure portal

Important

To enable a system-assigned managed identity, you need Microsoft.Authorization/roleAssignments/write permissions, such as Owner or User Access Administrator. You can specify a scope at four levels: management group, subscription, resource group, or resource.

  1. Sign in to the Azure portal using an account associated with your Azure subscription.

  2. Navigate to your Translator resource page in the Azure portal.

  3. In the left rail, select Identity from the Resource Management list:

    Screenshot: resource management identity tab in the Azure portal.

  4. In the main window, toggle the System assigned Status tab to On.

  5. Under Permissions select Azure role assignments:

    Screenshot: enable system-assigned managed identity in Azure portal.

  6. An Azure role assignments page will open. Choose your subscription from the drop-down menu, then select + Add role assignment.

    Screenshot: Azure role assignments page in the Azure portal.

    Note

    If you are unable to assign a role in the Azure portal because the Add > Add role assignment option is disabled, or you get the permissions error "you do not have permissions to add role assignment at this scope", check that you are currently signed in as a user with an assigned role that has Microsoft.Authorization/roleAssignments/write permissions, such as Owner or User Access Administrator, at the storage scope for the storage resource.

  7. Next, you're going to assign a Storage Blob Data Contributor role to your Translator service resource. In the Add role assignment pop-up window, complete the fields as follows and select Save:

    Field           Value
    Scope           Storage.
    Subscription    The subscription associated with your storage resource.
    Resource        The name of your storage resource.
    Role            Storage Blob Data Contributor.

    Screenshot: add role assignments page in the Azure portal.

  8. After you've received the Added Role assignment confirmation message, refresh the page to see the added role assignment.

    Screenshot: Added role assignment confirmation pop-up message.

  9. If you don't see the change right away, wait and try refreshing the page once more. When you assign or remove role assignments, it can take up to 30 minutes for changes to take effect.

    Screenshot: Azure role assignments window.
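The same steps scripted with the Az PowerShell module, as an added example that is not part of the original article; the resource group, Translator and storage account names are placeholders, and the role is scoped to the storage account itself rather than the subscription or resource group.

```powershell
# Added example (not from the original article): enable the Translator resource's
# system-assigned identity and grant it Storage Blob Data Contributor on one storage
# account, then confirm the assignment is visible. All names below are placeholders.
$ResourceGroup  = 'rg-translator-example'
$TranslatorName = 'translator-example'      # Translator (Cognitive Services) resource
$StorageName    = 'sttranslatorexample'     # storage account holding the documents

Connect-AzAccount | Out-Null

# Step 4: turn on the system-assigned managed identity for the Translator resource.
Set-AzCognitiveServicesAccount -ResourceGroupName $ResourceGroup -Name $TranslatorName `
    -AssignIdentity -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzCognitiveServicesAccount -ResourceGroupName $ResourceGroup `
    -Name $TranslatorName).Identity.PrincipalId

# Steps 5-7: the "Storage" scope from the table is the storage account resource ID.
# Scoping here (not at subscription or resource group) limits the identity to the
# blobs it actually needs.
$storageScope = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageName).Id
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Storage Blob Data Contributor' `
    -Scope $storageScope | Out-Null

# Steps 8-9: assignments can take up to 30 minutes to propagate, so poll before
# concluding that something went wrong.
$deadline = (Get-Date).AddMinutes(30)
do {
    $assignment = Get-AzRoleAssignment -ObjectId $principalId -Scope $storageScope |
        Where-Object RoleDefinitionName -eq 'Storage Blob Data Contributor'
    if (-not $assignment) { Start-Sleep -Seconds 30 }
} while (-not $assignment -and (Get-Date) -lt $deadline)

if ($assignment) { "Role assignment visible at scope $($assignment.Scope)" }
else { Write-Warning 'Assignment not visible yet; refresh later, as in step 9.' }
```

Get-AzRoleAssignment also lists assignments inherited from higher scopes, so the returned Scope value is worth checking to confirm the grant really sits on the storage account and not on a parent scope.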

Great! You have completed the steps to enable a system-assigned managed identity. With this identity credential, you can grant Translator specific access rights to your storage resource.

Next steps