Tutorial / Cram Notes
There are two types of managed identities:
- System-assigned managed identities: These are created automatically for an Azure service instance. When the service instance is deleted, Azure automatically cleans up the credentials and the identity in Azure Active Directory (AD).
- User-assigned managed identities: These are created as standalone Azure AD objects, and they can be assigned to one or more Azure service instances. The lifespan of a user-assigned managed identity is independent of the services using it.
Both types of identities are used to securely access other Azure resources that support Azure AD authentication without the need to insert credentials into your code.
Creating System-Assigned Managed Identities
- Navigate to the Azure portal and enter the service instance for which you want to enable a managed identity.
- In the service instance’s menu, select “Identity”.
- In the “System-assigned” tab, flip the switch to “On” and click “Save”.
- Azure will then create an identity in the Azure AD tenant that’s associated with the subscription and assign it to the instance.
A newly created identity has no Azure role assignments at all: it can authenticate to Azure AD, but it cannot read or change anything until you grant it roles on specific resources (see the next sections). Treat the absence of default access as a feature and add only what the workload needs.
Creating User-Assigned Managed Identities
- In the Azure portal, search for “Managed Identities” and select “User-assigned managed identities”.
- Click “Add”, give it a name and necessary details, and then click “Create”.
- This creates the managed identity, but it doesn’t automatically assign it to any services. The next step is to associate it with an Azure service instance:
- Visit the Azure service instance you want to assign the identity to.
- In the service instance, look for the “Identity” option.
- Navigate to the “User-assigned” tab and click “Add”.
- Select the user-assigned managed identity you created earlier and save the configuration.
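The two procedures above, done from Azure PowerShell instead of the portal. This is an added example, not code from the original notes; the resource group, VM, identity name and region are assumed names, and the Az.Accounts, Az.Compute and Az.ManagedServiceIdentity modules are assumed to be installed.

```powershell
# Added example (not part of the original notes).
# Assumed names: resource group "rg-demo", VM "vm-app01",
# user-assigned identity "id-app-shared", region "westeurope".
# Connect-AzAccount   # sign in first if you are not already signed in

$rg       = 'rg-demo'
$vmName   = 'vm-app01'
$uaName   = 'id-app-shared'
$location = 'westeurope'

# 1. System-assigned: enable it on the VM. Azure creates the service
#    principal in the tenant that owns the subscription.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# Re-read the VM: the principal (object) ID is what role assignments refer to.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
"System-assigned principalId: $($vm.Identity.PrincipalId)"

# 2. User-assigned: a standalone ARM resource with its own lifecycle.
$ua = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $uaName -Location $location
"User-assigned principalId: $($ua.PrincipalId)  clientId: $($ua.ClientId)"

# 3. Attach the user-assigned identity to the VM. To keep the system-assigned
#    identity as well, the type must be SystemAssignedUserAssigned;
#    IdentityType UserAssigned on its own would remove the system-assigned one.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm `
    -IdentityType SystemAssignedUserAssigned -IdentityId $ua.Id | Out-Null

# 4. Verify: both identity types should now be present on the VM.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vm.Identity |
    Select-Object Type, PrincipalId,
        @{ n = 'UserAssigned'; e = { $_.UserAssignedIdentities.Keys } }
```

For a VM that does not exist yet, the same -IdentityType and -IdentityId parameters go on New-AzVMConfig before New-AzVM. Keep the principal ID from step 1 and the resource ID from step 2: the first is used when granting roles, the second when attaching the identity to other resources.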
Configuring Managed Identities Access to Resources
- Navigate to the resource you want the managed identity to access, such as an Azure Key Vault.
- Access the “Access control (IAM)” section of the resource.
- Add a new role assignment and pick the role that matches the data the identity actually needs, at the narrowest scope that works (the single vault rather than the resource group or subscription). For example, “Key Vault Secrets User” lets it read secret values and nothing else (when the vault uses the Azure RBAC permission model); “Key Vault Reader”, despite the name, only reads vault metadata and cannot read secrets, keys or certificates.
- Search for the name of the managed identity you’ve created and select it.
- Save the new role assignment.
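The same role assignment from Azure PowerShell, scoped to a single vault. This is an added example, not code from the original notes; it assumes the VM and its system-assigned identity from the earlier steps, a vault named "kv-demo" in resource group "rg-demo", and the Az.Compute, Az.KeyVault and Az.Resources modules.

```powershell
# Added example (not part of the original notes).
# Assumed names: resource group "rg-demo", VM "vm-app01", vault "kv-demo".
$rg        = 'rg-demo'
$vmName    = 'vm-app01'
$vaultName = 'kv-demo'

$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId
$vault       = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg

# Key Vault has two authorization models. Data-plane RBAC roles such as
# "Key Vault Secrets User" only take effect when the vault uses the RBAC model;
# under the older access-policy model you would add an access policy instead.
if (-not $vault.EnableRbacAuthorization) {
    Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg `
        -EnableRbacAuthorization $true | Out-Null
}

# "Key Vault Secrets User": read secret values only; no keys, no certificates,
# no vault management. Scope is the vault's own resource ID, nothing wider.
# A freshly created principal can take a short while to replicate, so retry.
$assignment = $null
for ($i = 0; $i -lt 6 -and -not $assignment; $i++) {
    try {
        $assignment = New-AzRoleAssignment -ObjectId $principalId `
            -RoleDefinitionName 'Key Vault Secrets User' `
            -Scope $vault.ResourceId -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -match 'already exists') { break }
        Write-Verbose "Assignment not yet possible ($($_.Exception.Message)); retrying"
        Start-Sleep -Seconds 10
    }
}

# Verify: exactly this role, exactly this scope, for exactly this principal.
Get-AzRoleAssignment -ObjectId $principalId -Scope $vault.ResourceId |
    Select-Object RoleDefinitionName, Scope
```

The verification step is worth keeping in scripts: a role assignment made at the resource group by mistake would also satisfy "the identity can read the secret", but it grants the same read access to every vault in that group.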
Best Practices with Managed Identities
- Least privilege: Always assign the least amount of access necessary for the identity to perform its functions.
- Resource segregation: Prefer user-assigned managed identities when several resources need the same access (one identity, one set of role assignments to review) or when resources are recreated often, for example in scale sets or pipelines, since a user-assigned identity and its role assignments outlive any single resource.
- Auditing and monitoring: Review the Azure AD sign-in logs (the managed identity sign-ins view shows when an identity obtained a token and for which resource) and the Azure Activity Log (who created, changed or removed its role assignments), and use Azure Monitor alerts on new role assignments or token requests from unexpected resources.
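A least-privilege review that a practitioner would run periodically: list every user-assigned identity in the current subscription and flag role assignments that are broad either in role or in scope. This is an added example, not code from the original notes; the set of "broad" roles and the scope-depth threshold are illustrative choices, and the Az.ManagedServiceIdentity and Az.Resources modules are assumed.

```powershell
# Added example (not part of the original notes).
# Roles treated as too broad for a workload identity (illustrative list).
$broadRoles = @('Owner', 'Contributor', 'User Access Administrator')

# Scope depth after trimming the leading slash and splitting on "/":
#   /subscriptions/<id>                              -> 2 segments
#   /subscriptions/<id>/resourceGroups/<rg>          -> 4 segments
#   /providers/Microsoft.Management/managementGroups/<id> -> 4 segments
#   a single resource                                -> 8 or more
# Anything at 4 or fewer is wider than one resource.
$maxWideDepth = 4

$findings = foreach ($id in Get-AzUserAssignedIdentity) {
    foreach ($ra in Get-AzRoleAssignment -ObjectId $id.PrincipalId) {
        $depth   = ($ra.Scope.Trim('/') -split '/').Count
        $reasons = @()
        if ($broadRoles -contains $ra.RoleDefinitionName) { $reasons += 'broad role' }
        if ($depth -le $maxWideDepth)                     { $reasons += 'wide scope' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Identity = $id.Name
                Role     = $ra.RoleDefinitionName
                Scope    = $ra.Scope
                Why      = $reasons -join ', '
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

System-assigned identities can be checked the same way by feeding their principal IDs (from each resource's Identity properties) to Get-AzRoleAssignment -ObjectId. Role assignments inherited from a parent scope show up with that parent scope, which is exactly what the depth check is meant to catch.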
Comparison of System-Assigned vs User-Assigned Managed Identities
| System-Assigned Managed Identity | User-Assigned Managed Identity |
|---|---|
| Tightly coupled with a single Azure service instance | Can be associated with multiple Azure service instances |
| Lifecycle is managed by Azure | You manage the lifecycle independently |
| Automatically removed when the service instance is deleted | Must be explicitly deleted when it is no longer required |
| Simpler to manage for single-service scenarios | Better for complex applications and for sharing across multiple resources |
| Deleting and recreating the instance creates a new principal, so role assignments must be redone | The principal and its role assignments persist across the lifetimes of the resources that use it |
Conclusion
Understanding how to create and configure both system-assigned and user-assigned managed identities is critical for securely managing access to Azure resources, and it is a key component of the SC-300 exam’s domains on identity and access management with Azure AD. Practical knowledge of managed identities will not only help in passing the exam but is also invaluable in professional scenarios to streamline development processes and improve security posture.
Practice Test with Explanation
True/False: Managed identities can be used for Azure resources to authenticate to any service that supports Azure AD authentication without needing credentials stored in the code.
- True
Answer: True
Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication, eliminating the need for credentials in the code.
Which of the following statements is true about system-assigned managed identities?
- A) They have a lifecycle independent of the Azure resource.
- B) They are deleted when the Azure resource is deleted.
- C) They can be shared across multiple Azure resources.
- D) They must be manually created and assigned to the Azure resource.
Answer: B)
System-assigned managed identities are directly tied to the lifecycle of the Azure resource they are enabled on and are deleted when that resource is deleted.
What is one of the primary benefits of using managed identities in Azure?
- A) Increased cost of Azure resources
- B) Elimination of the need to manage credentials
- C) Reduced performance
- D) Increased complexity in managing access
Answer: B)
Managed identities eliminate the need to manage credentials, as the authentication is handled by Azure AD.
True/False: User-assigned managed identities can be deleted independently of any Azure resource.
- True
Answer: True
User-assigned managed identities are managed independently and can exist independently of any Azure resource.
Which of the following is a target that a managed identity authenticates to, rather than a compute service that hosts one?
- A) Azure Virtual Machines
- B) Azure Functions
- C) Azure Blob Storage
- D) Azure Logic Apps
Answer: C)
Virtual Machines, Functions and Logic Apps are hosts: they can be given a managed identity and request tokens with it. Azure Blob Storage sits on the other side of the exchange: it accepts Azure AD tokens, so a managed identity holding a role such as Storage Blob Data Reader can read from it. (A storage account can itself hold a managed identity for a narrow purpose, such as reaching a customer-managed key in Key Vault, but it is not a general-purpose host for application code.)
Managed identities can be used to obtain tokens for which of the following scenarios?
- A) Authenticating to Azure Active Directory (Azure AD)
- B) Authenticating to Azure SQL Database
- C) Authenticating to Azure Key Vault
- D) All of the above
Answer: D)
Managed identities can obtain tokens to authenticate to Azure AD, Azure SQL Database, Azure Key Vault, and other Azure services that support Azure AD authentication.
True/False: User-assigned managed identities can be used by multiple Azure resources simultaneously.
- True
Answer: True
User-assigned managed identities can be associated with multiple Azure resources at the same time, allowing reusable access management.
What PowerShell cmdlet is used to assign a user-assigned managed identity to an existing Azure Virtual Machine?
- A) Set-AzureRmVM
- B) Add-AzVMNetworkInterface
- C) Update-AzVM
- D) New-AzRoleAssignment
Answer: C)
Update-AzVM with -IdentityType UserAssigned (or SystemAssignedUserAssigned, to keep an existing system-assigned identity) and -IdentityId set to the identity's resource ID attaches a user-assigned identity to an existing VM; for a new VM the same parameters go on New-AzVMConfig. Set-AzureRmVM belongs to the retired AzureRM module, Add-AzVMNetworkInterface attaches a network interface, and New-AzRoleAssignment grants roles to an identity rather than attaching the identity to a resource.
True/False: A managed identity can be used to grant an Azure resource access to resources in subscriptions other than the one it’s hosted in.
- True
Answer: True
A managed identity is a service principal in the Azure AD tenant, not in a subscription, so it can be granted roles on resources in any subscription of the same tenant; only the role assignments need to be in place.
What role must be assigned to a managed identity to grant read access to secrets in an Azure Key Vault?
- A) Owner
- B) Contributor
- C) Key Vault Reader
- D) Key Vault Secrets User
Answer: D)
The Key Vault Secrets User role grants read access to secret values and nothing else, which makes it the least-privilege choice when the vault uses the Azure RBAC permission model. Key Vault Reader only reads vault metadata, not secret contents; Owner and Contributor manage the vault resource but, under the RBAC model, do not grant data-plane access either. If the vault still uses access policies, grant the identity the “Get” secret permission in a policy instead.
True/False: Only system-assigned identities can be used with Azure App Service and Azure Functions.
- False
Answer: False
Both system-assigned and user-assigned managed identities can be used with Azure App Service and Azure Functions.
When you create a new system-assigned managed identity, an identity is created in which of the following?
- A) Azure Active Directory (Azure AD)
- B) Azure Service Fabric
- C) Azure Storage Account
- D) Azure Traffic Manager
Answer: A)
When a system-assigned managed identity is created, a new identity object is automatically created in Azure Active Directory (Azure AD).
Interview Questions
What is a managed identity in Azure?
A managed identity in Azure is a service that provides an automatically managed identity for use with Azure resources.
How is a managed identity different from a regular identity?
A managed identity is a special service principal whose credential Azure creates, stores and rotates and never exposes to the workload. A regular application identity (an app registration with its service principal) has a client secret or certificate that you must generate, store, distribute and rotate yourself, which is where most credential leaks come from.
What are the benefits of using a managed identity?
The benefits of using a managed identity include improved security, reduced management overhead, and easier integration with other Azure services.
What types of Azure resources can use managed identities?
Managed identities can be used by various Azure resources, such as virtual machines, Azure Functions, and Azure Kubernetes Service (AKS) clusters.
How can you create a managed identity for an Azure resource?
You can create a managed identity for an Azure resource by enabling it on the resource's Identity blade in the Azure portal, or by setting the resource's identity property in an Azure Resource Manager or Bicep template, Azure CLI or Azure PowerShell. A user-assigned identity is created first as its own resource and then attached to one or more resources.
How can you grant permissions to a managed identity?
You grant permissions on the target resource, not on the resource that hosts the identity: create an Azure RBAC role assignment on the target (or on a narrower scope inside it) with the managed identity's service principal as the assignee. For services that still use their own authorization model, such as a Key Vault configured with access policies, you add the identity to that model instead.
Can a managed identity be used to authenticate with external resources?
Only indirectly. A managed identity can obtain tokens only from Azure AD, so it can authenticate directly only to resources that accept Azure AD tokens. For an external system that has its own credential (an API key, a database password), the usual pattern is to store that credential in Azure Key Vault and have the managed identity retrieve it at run time, so the secret still stays out of code and configuration.
How is a managed identity authenticated?
The hosting service exposes a local token endpoint to the workload: on a VM it is the Instance Metadata Service at 169.254.169.254, and App Service and Functions provide an IDENTITY_ENDPOINT instead. The workload asks that endpoint for an Azure AD access token for a given resource, and the platform uses the identity's credential, which Azure creates, stores and rotates and never reveals, to obtain it. The application therefore handles only short-lived tokens and never a reusable secret.
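The token flow just described, as it looks from inside an Azure VM. This is an added example, not code from the original notes; it assumes it runs on a VM that already has a managed identity with read access to secrets in an assumed vault "kv-demo" holding an assumed secret "db-password".

```powershell
# Added example (not part of the original notes). Runs ON an Azure VM that has
# a managed identity; no credential is stored anywhere in this script.
# Assumed names: vault "kv-demo", secret "db-password".

function Get-ManagedIdentityToken {
    param(
        [Parameter(Mandatory)] [string] $Resource,   # audience, e.g. https://vault.azure.net
        [string] $ClientId                           # set only for a user-assigned identity
    )
    # The Instance Metadata Service is link-local: reachable only from inside the VM.
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
           '&resource=' + [uri]::EscapeDataString($Resource)
    # With several identities on the VM, client_id selects which one issues the token.
    if ($ClientId) { $uri += "&client_id=$ClientId" }
    # The "Metadata: true" header is mandatory. Requests that cannot set custom
    # headers (for example SSRF through a redirect) are refused by the service.
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Metadata = 'true' }
    return $resp.access_token      # short-lived bearer token; expires_on is also returned
}

# Token for the Key Vault data plane, using the VM's system-assigned identity.
$token = Get-ManagedIdentityToken -Resource 'https://vault.azure.net'

# Present it as a bearer token to the vault. Authorization is decided by the
# role assignment on the vault (for example Key Vault Secrets User), not here.
$secret = Invoke-RestMethod -Method Get `
    -Uri 'https://kv-demo.vault.azure.net/secrets/db-password?api-version=7.4' `
    -Headers @{ Authorization = "Bearer $token" }

# Use $secret.value in memory; never write it to logs or the console in production.
$secret.value.Length
```

On App Service and Functions the same request goes to the URL in the IDENTITY_ENDPOINT environment variable with the value of IDENTITY_HEADER sent as the X-IDENTITY-HEADER header (api-version=2019-08-01) rather than to 169.254.169.254. The SDK credential classes (ManagedIdentityCredential in the Azure Identity libraries) wrap both endpoints, so application code normally does not construct this request by hand; seeing it once makes clear why there is nothing to leak from the code.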
Can multiple Azure resources share a single managed identity?
Only a user-assigned managed identity can be shared: it is attached to each resource that needs it, so one identity and one set of role assignments cover all of them. A system-assigned identity is bound to exactly one resource.
How can you determine if a resource has a managed identity enabled?
You can determine if a resource has a managed identity enabled by checking the resource’s properties in the Azure portal or using Azure Resource Manager APIs.
Can a managed identity be used to authenticate with Azure AD?
Yes. Azure AD is the token issuer for a managed identity: the identity requests tokens from Azure AD for a target resource (Key Vault, Storage, Azure SQL and other services that accept Azure AD tokens) and presents them as bearer tokens, without the application ever handling a secret or certificate.
How can you configure a managed identity to access a specific Azure resource?
Assign the identity a role on the target resource at the narrowest scope that works (Azure RBAC), or, for a Key Vault in access-policy mode, an access policy. Then make sure any network restrictions on the resource (firewall rules, private endpoints, “trusted services” settings) allow traffic from the host; a role assignment does not bypass them.
Can you disable a managed identity for an Azure resource?
Yes. For a system-assigned identity, switch it off on the resource’s Identity blade (or set the identity type to None in a template or the CLI); this deletes its service principal and every role assignment made to it, so re-enabling it later produces a new principal that must be authorised again. For a user-assigned identity, remove it from the resource; the identity object and its role assignments remain available to other resources.
Can a managed identity be used with resources in different Azure subscriptions?
Yes, within the same Azure AD tenant: the identity is a tenant-level service principal, so role assignments on resources in other subscriptions of that tenant work normally, provided the appropriate permissions and any access policies are configured.
How can you monitor the usage of a managed identity?
Three sources cover it: the Azure AD sign-in logs have a managed identity sign-ins view showing when an identity obtained a token and for which resource; the Azure Activity Log records who created, changed or removed its role assignments; and the target resource’s diagnostic logs (for example Key Vault’s AuditEvent category) show what the identity actually did. Send all three to a Log Analytics workspace and alert on token requests for unexpected resources or on new role assignments.
Great post on managed identities! Really helped me grasp the basics for the SC-300 exam.
Can someone explain the difference between system-assigned and user-assigned managed identities?
Thanks for the information. I was struggling with this concept!
Can managed identities be used with on-premises resources?
Does configuring managed identities differ significantly between Azure services?
I couldn’t get the managed identity to work with my Azure Function. Any tips?
Managed identities are a game changer for secure application secrets.
I found the section on role assignments with managed identities particularly useful.