Use managed identities to access Azure Key Vault certificates

A managed identity generated by Microsoft Entra ID allows your Azure Front Door instance to easily and securely access other Microsoft Entra protected resources, such as Azure Key Vault. Azure manages the identity resource, so you don't have to create or rotate any secrets. For more information about managed identities, see What are managed identities for Azure resources?.

Once you enable managed identity for Azure Front Door and grant proper permissions to access your Azure Key Vault, Front Door only uses managed identity to access the certificates. If you don't add the managed identity permission to your Key Vault, custom certificate autorotation and adding new certificates fails without permissions to Key Vault. If you disable managed identity, Azure Front Door falls back to using the original configured Microsoft Entra App. This solution isn't recommended and will be retired in the future.

You can grant two types of identities to an Azure Front Door profile:

  • A system-assigned identity is tied to your service and is deleted if your service is deleted. The service can have only one system-assigned identity.

  • A user-assigned identity is a standalone Azure resource that can be assigned to your service. The service can have multiple user-assigned identities.

Managed identities are specific to the Microsoft Entra tenant where your Azure subscription is hosted. They don't get updated if a subscription gets moved to a different directory. If a subscription gets moved, you need to recreate and reconfigure the identity.

You also have the option to configure Azure Key Vault access using role-based access control (RBAC) or access policy.

Prerequisites

Before you can set up managed identity for Azure Front Door, you must have an Azure Front Door Standard or Premium profile created. To create a new Front Door profile, see create an Azure Front Door.

Enable managed identity

  1. Go to an existing Azure Front Door profile. Select Identity from under Security on the left side menu pane.

    Screenshot of the identity button under settings for a Front Door profile.

  2. Select either a System assigned or a User assigned managed identity.

    • System assigned - a managed identity is created for the Azure Front Door profile lifecycle and is used to access Azure Key Vault.

    • User assigned - a standalone managed identity resource is used to authenticate to Azure Key Vault and has its own lifecycle.

    System assigned

    1. Toggle the Status to On and then select Save.

      Screenshot of the system assigned managed identity configuration page.

    2. You're prompted with a message to confirm that you would like to create a system managed identity for your Front Door profile. Select Yes to confirm.

      Screenshot of the system assigned managed identity confirmation message.

    3. Once the system assigned managed identity gets created and registered with Microsoft Entra ID, you can use the Object (principal) ID to grant Azure Front Door access to your Azure Key Vault.

      Screenshot of the system assigned managed identity registered with Microsoft Entra ID.

    User assigned

    You must already have a user managed identity created. To create a new identity, see create a user assigned managed identity.

    1. In the User assigned tab, select + Add to add a user assigned managed identity.

      Screenshot of the user assigned managed identity configuration page.

    2. Search and select the user assigned manage identity. Then select Add to add the user managed identity to the Azure Front Door profile.

      Screenshot of the add user assigned managed identity page.

    3. You see the name of the user assigned managed identity you selected show in the Azure Front Door profile.

      Screenshot of the add user assigned managed identity added to Front Door profile.


Configure Key Vault access

  • Role-based access control - Grant Azure Front Door access to your Azure Key Vault with fine-grained access control with Azure Resource Manager.
  • Access policy - Native Azure Key Vault access control to grant Azure Front Door access to your Azure Key Vault.

For more information, see Azure role-based access control (Azure RBAC) vs. access policy.

Role-based access control (RBAC)

  1. Navigate to your Azure Key Vault. Select Access control (IAM) from under Settings and then select + Add. Select Add role assignment from the drop-down menu.

    Screenshot of the access control (IAM) page for a Key Vault.

  2. On the Add role assignment page, search for Key Vault Secret User in the search box. Then select Key Vault Secret User from the search results.

    Screenshot of the add role assignment page for a Key Vault.

  3. Select the Members tab and then select Managed identity. Select + Select members to add the managed identity to the role assignment.

    Screenshot of the members tab for the add role assignment page for a Key Vault.

  4. Select the system-assigned or user-assigned managed identity associated to your Azure Front Door and then select Select to add the managed identity to the role assignment.

    Screenshot of the select members page for the add role assignment page for a Key Vault.

  5. Select Review + assign to set up the role assignment.

    Screenshot of the review and assign page for the add role assignment page for a Key Vault.

Access policy

  1. Navigate to your Azure Key Vault. Select Access policies from under Settings and then select + Create.

    Screenshot of the access policies page for a Key Vault.

  2. On the Permissions tab of the Create an access policy page, select List and Get under Secret permissions. Then select Next to configure the principal tab.

    Screenshot of the permissions tab for the Key Vault access policy.

  3. On the Principal tab, paste the object (principal) ID if you're using a system managed identity or enter a name if you're using a user assigned manged identity. Then select Review + create tab. The Application tab is skipped since Azure Front Door gets selected for you already.

    Screenshot of the principal tab for the Key Vault access policy.

  4. Review the access policy settings and then select Create to set up the access policy.

    Screenshot of the review and create tab for the Key Vault access policy.

Verify access

  1. Go to the Azure Front Door profile you enabled managed identity and select Secrets from under Security.

    Screenshot of accessing secrets from under settings of a Front Door profile.

  2. Confirm Managed identity appears under the Access role column for the certificate used in Front Door. If you're setting up managed identity for the first time, you need to add a certificate to Front Door to see this column.

    Screenshot of Azure Front Door using managed identity to access certificate in Key Vault.

Next steps