What are managed IDs?
- Provide a auto managed ID in Entra for apps to use when connecting to resource that support entra auth
- Apps can use managed IDs to obtain Entra tokens without having to manage any credentials
What are system assigned managed IDs (SMIs)?
- Enabled directly on an azure service instance, created as part of that instance
- creates an ID for the instance in entra tenant trusted by the subscription of the instance
- credentials are then provisioned onto the instance
- lifecycle is tied to the service instance that its enabled on
- cant be shared, only tied to resource its assigned to
What are user managed IDs (UMIs)?
- standalone resource
- Azure created ID in entra tenant thats trusted by sub in use
- ID that can be assigned to one or more service instances
- seperate lifecycle from the resource to which its assigned
What would a SMI be used?
- Workloads contained within a single resource
- Workloads needing independent Identities
- E.g. app that runs on a single VM
When would a UMI be used?
- Workloads that run on multiple resources and can share a single ID
- Workloads needing preauth to secure resource as part of a provisioning flow
- Workloads where resources are recycled frequently but perms should stay consistent
e.g. a workload where multiple VMs ned to access the same resource
How do SMIs work with Azure VM?
- ARM receives a request to enable the SMI on a VM
- ARM creates service principal in Entra for the ID of the VM
- ARM configures the ID on the VM by updating the Azure Instance Metadata service identity endpoint with the service principal client ID and cert
- After the VM has an ID, use the service principal info to grant the VM access to the resource
- Code thats running on VM can request a token from Azure Instance Metadata Service endpoint accessible only from within the VM
- A call is made to Entra ID to request an access token by using Client ID and cert configured in step 3
- Entra returns JWT access token
- Code sends the token on a call to a service that supports entra
How do UMIs work with Azure VM?
- ARM receives a request to create a UMI
- ARM creates service principal in entra for UMI
- ARM receives a request to configure the UMI on a VM and updates the Azure Instance Metadata service Identity endpoint with the UMI service principal client ID and cert
- After UMI is created use the service principal info to grant the ID access to resources
- Code thats running on VM can request a token from Azure Instance Metadata Service endpoint accessible only from within the VM
- A call is made to Entra ID to request an access token by using Client ID and cert configured in step 3
- Entra returns JWT access token
- Code sends the token on a call to a service that supports entra
What role is needed to create or enable a VM with an SMI?
VM Contributor role assignment
What is the command to enable an SMI during creation of VM?
az vm create –resource-group myRG –name myVm –image win2016datacenter –generate-ssh-keys –assign-identity - –role contributor –scope mySub –admin-user username –admin-password pward
What is the command to enable SMI on an existing VM?
az vm identity assign -g myRG -n myVM
What roles are needed to assign a UMI to a VM during its creation?
VM contributor and Managed Identity Operator
Command to create UMI?
az identity create -g myRG -n MyUMI
Command to assign UMI to VM?
az vm create –resource-group myRG –name myVm –image win2016datacenter –generate-ssh-keys –assign-identity MyUMI - –role contributor –scope mySub –admin-user username –admin-password pward
Command to assign UMI to existing UMI?
az vm identity assign -g myRG -n myVM –identities MyUMI
What is DefaultAzureCredentials?
- Supported by Azure Identity Library
- Ayto attempts to auth via multiple mechanisms
- credential type can be used in dev env using your own credentials, it can also be used in your prod env using a managed ID with no code changes between envs
What is the order of auth methods used by DefaultAzureCredentials?
- Env vars
- Managed ID
- Visual Studio (if dev is authenticated via VS)
- Azure CLI (using az login command)
- Azure PowerShell
- Interactive Browser
.NET Command to add the Azure identity SDK and code example of initialisation?
- dotnet add package Azure.Identity
- var client = new BlobClient(new Uri(<BLOB_URI>), new DefaultAzureCredential());</BLOB_URI>
What options can we specify for default credentials?
- var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = <user_assigned_client_id> });</user_assigned_client_id>
- new BlobClient(new Uri<BLOB_URI>), credential)</BLOB_URI>
What is ChainedTokenCredential?
- More advanced users of Azure Identity may want to customise credentials considered when authenticating
- ChainedTokenCredential enables users to combine multiple credential instances to define a customised chain
- E.g. var credential = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential()); attempts to auth using managed ID and falls back to CLI if managed ID not available in current env
-
Explore Azure App Service25
-
Configure Web App Settings19
-
Scale Apps in Azure App Service17
-
Deployment Slots19
-
Explore Azure Functions23
-
Develop Azure Functions13
-
Explore Azure Blob Storage22
-
Manage Azure Blob Lifecycle14
-
Work with Azure Blob Storage11
-
Explore Cosmos DB33
-
Work with Azure Cosmos DB29
-
Manage Container Images in Azure Container Registry18
-
Run Container Images in Container Instances16
-
Implement Azure Container Apps30
-
Explore Microsoft Identity Platform20
-
Authentication By MSAL16
-
Implement User Auth17
-
Explore MS Graph20
-
Implement Azure Key Vault12
-
Implement Managed Identities19
-
Implement Azure App Configuration19
-
Explore API Management26
-
Secure APIs14
-
Explore Azure Event Grid30
-
Explore Azure Event Hubs15
-
Azure Message Queues20
-
Monitor App Performance15
