Managed identity for Data Factory

APPLIES TO: Azure Data Factory Azure Synapse Analytics (Preview)

This article helps you understand what is managed identity for Data Factory (formerly known as Managed Service Identity/MSI) and how it works.


This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.


When creating a data factory, a managed identity can be created along with factory creation. The managed identity is a managed application registered to Azure Active Directory, and represents this specific data factory.

Managed identity for Data Factory benefits the following features:

Generate managed identity

Managed identity for Data Factory is generated as follows:

  • When creating data factory through Azure portal or PowerShell, managed identity will always be created automatically.
  • When creating data factory through SDK, managed identity will be created only if you specify "Identity = new FactoryIdentity()" in the factory object for creation. See example in .NET quickstart - create data factory.
  • When creating data factory through REST API, managed identity will be created only if you specify "identity" section in request body. See example in REST quickstart - create data factory.

If you find your data factory doesn't have a managed identity associated following retrieve managed identity instruction, you can explicitly generate one by updating the data factory with identity initiator programmatically:


  • Managed identity cannot be modified. Updating a data factory which already have a managed identity won't have any impact, the managed identity is kept unchanged.
  • If you update a data factory which already have a managed identity without specifying "identity" parameter in the factory object or without specifying "identity" section in REST request body, you will get an error.
  • When you delete a data factory, the associated managed identity will be deleted along.

Generate managed identity using PowerShell

Call Set-AzDataFactoryV2 command again, then you see "Identity" fields being newly generated:

PS C:\WINDOWS\system32> Set-AzDataFactoryV2 -ResourceGroupName <resourceGroupName> -Name <dataFactoryName> -Location <region>

DataFactoryName   : ADFV2DemoFactory
DataFactoryId     : /subscriptions/<subsID>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/ADFV2DemoFactory
ResourceGroupName : <resourceGroupName>
Location          : East US
Tags              : {}
Identity          : Microsoft.Azure.Management.DataFactory.Models.FactoryIdentity
ProvisioningState : Succeeded

Generate managed identity using REST API

Call below API with "identity" section in the request body:

PATCH<subsID>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/<data factory name>?api-version=2018-06-01

Request body: add "identity": { "type": "SystemAssigned" }.

    "name": "<dataFactoryName>",
    "location": "<region>",
    "properties": {},
    "identity": {
        "type": "SystemAssigned"

Response: managed identity is created automatically, and "identity" section is populated accordingly.

    "name": "<dataFactoryName>",
    "tags": {},
    "properties": {
        "provisioningState": "Succeeded",
        "loggingStorageAccountKey": "**********",
        "createTime": "2017-09-26T04:10:01.1135678Z",
        "version": "2018-06-01"
    "identity": {
        "type": "SystemAssigned",
        "principalId": "765ad4ab-XXXX-XXXX-XXXX-51ed985819dc",
        "tenantId": "72f988bf-XXXX-XXXX-XXXX-2d7cd011db47"
    "id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/ADFV2DemoFactory",
    "type": "Microsoft.DataFactory/factories",
    "location": "<region>"

Generate managed identity using an Azure Resource Manager template

Template: add "identity": { "type": "SystemAssigned" }.

    "contentVersion": "",
    "$schema": "",
    "resources": [{
        "name": "<dataFactoryName>",
        "apiVersion": "2018-06-01",
        "type": "Microsoft.DataFactory/factories",
        "location": "<region>",
        "identity": {
			"type": "SystemAssigned"

Generate managed identity using SDK

Call the data factory create_or_update function with Identity=new FactoryIdentity(). Sample code using .NET:

Factory dataFactory = new Factory
    Location = <region>,
    Identity = new FactoryIdentity()
client.Factories.CreateOrUpdate(resourceGroup, dataFactoryName, dataFactory);

Retrieve managed identity

You can retrieve the managed identity from Azure portal or programmatically. The following sections show some samples.


If you don't see the managed identity, generate managed identity by updating your factory.

Retrieve managed identity using Azure portal

You can find the managed identity information from Azure portal -> your data factory -> Properties.

  • Managed Identity Object ID
  • Managed Identity Tenant
  • Managed Identity Application ID

The managed identity information will also show up when you create linked service, which supports managed identity authentication, like Azure Blob, Azure Data Lake Storage, Azure Key Vault, etc.

When granting permission, use object ID or data factory name (as managed identity name) to find this identity.

Retrieve managed identity using PowerShell

The managed identity principal ID and tenant ID will be returned when you get a specific data factory as follows. Use the PrincipalId to grant access:

PS C:\WINDOWS\system32> (Get-AzDataFactoryV2 -ResourceGroupName <resourceGroupName> -Name <dataFactoryName>).Identity

PrincipalId                          TenantId
-----------                          --------
765ad4ab-XXXX-XXXX-XXXX-51ed985819dc 72f988bf-XXXX-XXXX-XXXX-2d7cd011db47

You can get the application ID by copying above principal ID, then running below Azure Active Directory command with principal ID as parameter.

PS C:\WINDOWS\system32> Get-AzADServicePrincipal -ObjectId 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc

ServicePrincipalNames : {76f668b3-XXXX-XXXX-XXXX-1b3348c75e02,}
ApplicationId         : 76f668b3-XXXX-XXXX-XXXX-1b3348c75e02
DisplayName           : ADFV2DemoFactory
Id                    : 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc
Type                  : ServicePrincipal

Retrieve managed identity using REST API

The managed identity principal ID and tenant ID will be returned when you get a specific data factory as follows.

Call below API in the request:


Response: You will get response like shown in below example. The "identity" section is populated accordingly.




To retrieve the managed identity from an ARM template, add an outputs section in the ARM JSON:

            "value":"[reference(resourceId('Microsoft.DataFactory/factories', parameters('<dataFactoryName>')), '2018-06-01', 'Full').identity.principalId]"

Next steps

See the following topics that introduce when and how to use data factory managed identity:

See Managed Identities for Azure Resources Overview for more background on managed identities for Azure resources, which data factory managed identity is based upon.