
Managed identities concept in Azure - Commands & Configuration

Introduction
Cloud applications routinely need to call other cloud services, and the traditional answer is a password, access key, or connection string stored somewhere the app can read it. Managed identities remove that secret: Azure gives the resource (a VM, web app, function, and so on) its own identity in Microsoft Entra ID, holds and rotates the credential for it, and lets code on the resource request short-lived access tokens from a local metadata endpoint instead of reading a stored key. The token is presented to the target service, which authorizes the call through Azure RBAC. One caveat to keep in mind: any process on the resource can ask for that token, so the identity's permissions are effectively the permissions of everything running there. Typical uses:
When you want an Azure virtual machine to access a storage account without storing keys.
When a web app needs to read from a database securely without embedding credentials.
When automating scripts that call Azure services and you want to avoid manual secret management.
When you want to improve security by removing passwords from your code or configuration.
When you want Azure services to authenticate to each other easily and safely.
Commands
This command enables a system-assigned managed identity on the virtual machine example-vm in the example-rg resource group. A system-assigned identity is created with the VM and deleted with it; Azure registers it as a service principal in the tenant, and the principalId in the output is the value you use in role assignments.
Terminal
az vm identity assign --resource-group example-rg --name example-vm
Expected Output
{
  "principalId": "12345678-1234-1234-1234-123456789abc",
  "tenantId": "87654321-4321-4321-4321-cba987654321",
  "type": "SystemAssigned"
}
--resource-group - Specifies the resource group where the VM exists
--name - Specifies the name of the VM to assign the identity
This command assigns the built-in Reader role to the VM's managed identity, scoped to the examplestorage storage account. Note what Reader actually grants: it is a control-plane role, so the identity can read the storage account's properties and configuration through Azure Resource Manager, but it cannot read the data inside blobs, queues, or tables. If the application needs to read blob contents, assign a data-plane role such as Storage Blob Data Reader at the same scope instead.
Terminal
az role assignment create --assignee 12345678-1234-1234-1234-123456789abc --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Storage/storageAccounts/examplestorage
Expected Output
{
  "canDelegate": null,
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/abcdef12-3456-7890-abcd-ef1234567890",
  "name": "abcdef12-3456-7890-abcd-ef1234567890",
  "principalId": "12345678-1234-1234-1234-123456789abc",
  "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Storage/storageAccounts/examplestorage",
  "type": "Microsoft.Authorization/roleAssignments"
}
--assignee - The principal ID (object ID) of the managed identity. For an identity created moments earlier, the more robust form is --assignee-object-id <id> --assignee-principal-type ServicePrincipal, which skips the directory lookup that can fail while the new principal is still replicating
--role - The built-in or custom role to grant; use the narrowest role that covers the operations the application needs
--scope - The resource, resource group, or subscription the assignment applies to; scoping to the single storage account, as here, keeps the grant narrow
This command checks the managed identity details of the VM to confirm it is enabled and view its IDs.
Terminal
az vm show --resource-group example-rg --name example-vm --query identity
Expected Output
{
  "principalId": "12345678-1234-1234-1234-123456789abc",
  "tenantId": "87654321-4321-4321-4321-cba987654321",
  "type": "SystemAssigned"
}
--resource-group - Specifies the VM's resource group
--name - Specifies the VM name
--query - Filters output to show only identity information
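The commands above set up the identity from the outside. What the page does not show is the other half: how a process on the VM actually uses it. The following is an added example, not code from the original page. It builds the token request to the Azure Instance Metadata Service (IMDS) and performs the checks worth doing on the returned token before relying on it: that its oid claim equals the principalId printed by az vm identity assign, that its audience is the service you intend to call, and that it has not expired. The IMDS URL, the Metadata header, and the claim names are real; the token, principal ID, and expiry values are constructed so the checks run offline, and the live fetch is only attempted when the script is run directly on a VM.

```python
"""Added example (not from the original page): what a process on the VM does
with the managed identity that the az commands created.

Azure exposes the Instance Metadata Service (IMDS) at 169.254.169.254. Any
process on the VM can reach it without credentials, and it hands out tokens
for the VM's managed identity. The request shape and the JWT claim names
(oid, aud, exp) are real; the sample token and IDs below are constructed.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import List, Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

# Resource identifier (token audience) of the Azure Storage service.
STORAGE_RESOURCE = "https://storage.azure.com/"

# principalId printed by `az vm identity assign` in the page's example.
EXPECTED_PRINCIPAL_ID = "12345678-1234-1234-1234-123456789abc"


def build_imds_request(resource: str, api_version: str = API_VERSION) -> urllib.request.Request:
    """Build the GET that asks IMDS for a token for the given audience.

    The `Metadata: true` header is mandatory. IMDS rejects requests without it
    so that a simple SSRF redirect cannot fetch a token; an attacker who can
    set request headers (or run code on the VM) is not stopped by it.
    """
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    The IMDS caller is the client, not the resource server, and does not hold
    Entra ID's signing keys. Reading claims here is a sanity check on which
    identity the token represents and for whom it is valid, not a trust decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token(access_token: str, expected_oid: str, expected_aud: str,
                now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the token looks usable.

    oid is the object ID of the identity that authenticated. It must equal the
    principalId shown by `az vm identity assign`; a role assigned to any other
    ID does not apply to this token. Note that Azure RBAC roles are NOT in the
    token: a valid token that still gets 403 from the service means the role
    assignment is missing or is the wrong (e.g. control-plane only) role.
    """
    claims = decode_claims(access_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("oid") != expected_oid:
        problems.append(f"oid {claims.get('oid')!r} != principalId {expected_oid!r}")
    if claims.get("aud") != expected_aud:
        problems.append(f"aud {claims.get('aud')!r} is not {expected_aud!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Construct a JWT-shaped string (header.payload.signature) for offline use.

    Constructed test data: Entra ID issues RS256-signed tokens, and the
    resource server, not this code, is what verifies them.
    """
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


def fetch_token(resource: str = STORAGE_RESOURCE, timeout: float = 2.0) -> str:
    """Call IMDS for real; only works on an Azure VM with a managed identity."""
    with urllib.request.urlopen(build_imds_request(resource), timeout=timeout) as resp:
        return json.loads(resp.read())["access_token"]


if __name__ == "__main__":
    # Live path: run this on the VM after the az commands above have been applied.
    token = fetch_token()
    problems = check_token(token, EXPECTED_PRINCIPAL_ID, STORAGE_RESOURCE)
    print("token ok" if not problems else "\n".join(problems))
```

The live fetch sits behind the `__main__` guard so the helper functions can be imported and exercised anywhere. In production code you would normally let a platform SDK (azure-identity's ManagedIdentityCredential) do the IMDS call and caching; the point of spelling it out here is to see which identity the token actually represents and why a missing role shows up only as a 403 from the target service, never as a token error.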
Key Concept

If you remember nothing else from this pattern, remember: managed identities let Azure resources prove who they are securely without you handling passwords.

Common Mistakes
Trying to use the managed identity without assigning it a role.
The identity exists but has no permissions (or only a control-plane role such as Reader when the app needs to read data), so the target service returns 403 even though the token itself is valid.
Assign the role that covers the operations the app performs, at the scope of the target resource.
Using the VM name instead of the principal ID when assigning roles.
Role assignments require the identity's principal ID (object ID), not the VM name.
Retrieve the principal ID from the VM's identity details and use it in the role assignment.
Not enabling the managed identity on the resource before trying to use it.
Without it, the resource has no identity, and token requests to the metadata endpoint fail.
Run the identity assign command before the application first needs a token.
Granting a broad role (Contributor, Owner) or a broad scope (the whole subscription) for convenience.
Every process on the VM can obtain the identity's token, so an over-granted identity turns a compromised VM into broad access across the subscription.
Grant the least privileged role at the narrowest scope that makes the application work.
Summary
Enable a managed identity on an Azure resource like a virtual machine.
Assign proper roles to the managed identity to grant access to other Azure services.
Verify that the identity is enabled (az vm show --query identity) and that the role assignment exists at the intended scope (az role assignment list --assignee <principalId> --scope <scope>).