Getting Started with Azure Managed Service Identity


To get started with Azure Managed Service Identity, you'll need to create an MSI instance for your Azure resource. This can be done through the Azure portal, Azure CLI, or Azure PowerShell.

The MSI instance will have a unique principal ID that can be used to authenticate to Azure services. This principal ID is the key to leveraging the benefits of MSI.

With MSI enabled, your Azure resource can authenticate to Azure services without needing a certificate or a credential file. This is a significant advantage over traditional authentication methods.

Azure resources that support MSI include Azure App Service, Azure Functions, and Azure Virtual Machines. You can also enable MSI for custom resources, such as Azure Kubernetes Service (AKS) clusters.

Azure Managed Service Identity Basics

A Service Principal is essentially an application account, often referred to as a technical user.

In Azure, each application and service principal receives a unique identifier when it is created, known as the Client ID or Application ID.


Here's a quick rundown of the key terms:

  • Service Principal: an application account (technical user)
  • Client ID: a globally unique identifier generated for each application and service principal during creation
  • Application ID: synonym for Client ID

Note that some documentation still uses the term Managed Service Identity (MSI), but it's now referred to as Managed Identities.

Terminology

To navigate the world of Azure Managed Service Identity, it's essential to understand the terminology.

Service Principal is an application account, also known as a technical user.

You'll often hear Identity used as a synonym for Service Principal.

Each application and service principal has a unique identifier called Client ID.

Application ID is simply another name for Client ID.

Managed Service Identity (MSI) is actually an old name for what's now called Managed Identities.

How It Works in Detail

In the classic approach, an application obtains a token by sending a request to the login.onmicrosoft.com OAuth endpoint, supplying its own identity credentials together with the URL of the service the token will be used for.

This process is much simpler with Managed Identity.

Managed Identity builds on the same principle, that applications always authenticate, but how it is used and implemented differs between Azure services such as App Service.

With App Service, Managed Identity eliminates the need to supply identity credentials and service URLs in the application, making the process more streamlined.

Setting Up Azure MSI


To set up Azure Managed Service Identity (MSI), you can use the Azure portal, Azure CLI, Azure PowerShell, or an Azure Resource Manager template. Azure CLI is a command-line tool for creating and managing Azure resources; Azure PowerShell is a set of cmdlets that do the same; an Azure Resource Manager template is a JSON file that defines the resources and their dependencies.

To enable a managed identity for a Web App in the Azure portal:

  1. Go to Web App (App Service)
  2. Search for Identity in the search window on the blade list panel
  3. Select the On option on the blade window
  4. Click Save to make the change

Setting Up Example

To set up an Azure Managed Service Identity (MSI) in App Service, you can use the Azure portal, Azure CLI, Azure PowerShell, or an Azure Resource Manager template.

In the portal, go to your Web App, search for Identity in the search window, select the "On" option, and click Save to make the change.

With the Azure CLI, you run a command to create the MSI; the exact command depends on your environment. With Azure PowerShell, you use a cmdlet and pass the parameters that fit your environment. An Azure Resource Manager template gives you a pre-configured, repeatable definition of the MSI.

Here are the prerequisites for setting up an MSI in API Management:

  • An API Management service instance configured with a system-assigned managed identity.
  • An Azure Key Vault instance in the same resource group, hosting a certificate that will be used as a custom domain certificate in API Management.

Update the access policies of the Azure Key Vault instance so that the API Management instance's identity is allowed to get secrets from it.

Then update the API Management instance to set a custom domain name using the certificate from the Key Vault instance.

You can use the system-assigned identity to authenticate to a backend service through the authentication-managed-identity policy.
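The API Management and Key Vault steps above, worked through in Azure PowerShell as an added example (this is not code from the article or from Microsoft's documentation). It enables the system-assigned identity on an existing instance, grants that identity only secret `get` on the vault, binds the vault certificate as the gateway custom domain, and applies an inbound policy that uses the identity against a backend. The resource group, instance, vault and API names, the hostname, the secret URI and the backend application ID URI are placeholders.

```powershell
# Added example, not code from the article. All names, the hostname, the secret URI and the
# backend application ID URI below are placeholders; replace them with your own values.
$rg              = 'rg-apim-demo'
$apimName        = 'apim-demo'
$vaultName       = 'kv-apim-demo'
$hostname        = 'api.example.com'
$certSecretId    = "https://$vaultName.vault.azure.net/secrets/api-example-com"   # placeholder
$backendResource = 'api://00000000-0000-0000-0000-000000000000'                  # placeholder

Connect-AzAccount | Out-Null

# 1. Enable the system-assigned identity (its lifecycle is tied to the APIM instance) and
#    re-read the instance to pick up the newly created principalId.
$apim = Get-AzApiManagement -ResourceGroupName $rg -Name $apimName
Set-AzApiManagement -InputObject $apim -SystemAssignedIdentity | Out-Null
$apim = Get-AzApiManagement -ResourceGroupName $rg -Name $apimName
$principalId = $apim.Identity.PrincipalId
Write-Host "APIM system-assigned principalId: $principalId"

# 2. Key Vault access policy: grant only 'get' on secrets. APIM reads the certificate through
#    the secret endpoint, so no certificate or key permissions are needed (least privilege).
#    On a vault that uses Azure RBAC instead of access policies, assign the
#    'Key Vault Secrets User' role to $principalId at the vault scope instead.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToSecrets get

# 3. Custom domain: reference the Key Vault secret instead of uploading a PFX, so a rotated
#    certificate in Key Vault is picked up without a credential ever leaving the vault.
$proxyHost = New-AzApiManagementCustomHostnameConfiguration -Hostname $hostname `
    -HostnameType Proxy -KeyVaultId $certSecretId
$apim.ProxyCustomHostnameConfiguration = @($proxyHost)
Set-AzApiManagement -InputObject $apim | Out-Null

# 4. Inbound policy: APIM obtains a token for the backend with its own identity and forwards
#    it as a Bearer header, so no backend credential is stored in the API definition.
$policy = @"
<policies>
  <inbound>
    <base />
    <authentication-managed-identity resource="$backendResource" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
"@
$ctx = New-AzApiManagementContext -ResourceGroupName $rg -ServiceName $apimName
Set-AzApiManagementPolicy -Context $ctx -ApiId 'backend-api' -Policy $policy
```

The access policy deliberately grants nothing beyond `get` on secrets: the identity only needs to read the certificate, and a compromised gateway should not be able to list or write vault contents. If the vault has its firewall enabled, remember the article's caveat that only the system-assigned identity can be used from API Management.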

Configure Identities


To create a managed identity, you can use the Azure portal or Azure CLI. In the Azure portal, you can create a system-assigned identity or a user-assigned identity. A system-assigned identity is tied to your service and is deleted if your service is deleted.

You can also create a user-assigned identity as a standalone Azure resource and assign it to one or more instances of an Azure service. This type of identity is managed separately from the resources that use it.

To assign a user-assigned identity to an API Management instance, you can use the Azure portal or Azure PowerShell. In the Azure portal, you can select the User assigned tab, click Add, and search for the identity you created earlier. In Azure PowerShell, you can use the New-AzUserAssignedIdentity cmdlet to create the identity and then assign it to the API Management instance.

There are two types of identities you can grant to an API Management instance: system-assigned and user-assigned. A system-assigned identity is tied to your service and is deleted if your service is deleted, while a user-assigned identity is a standalone Azure resource that can be assigned to your service.

Here's a summary of the differences between system-assigned and user-assigned identities:

  • System-assigned: created with the service, lifecycle tied to it, deleted when the service is deleted; enabled directly on the instance.
  • User-assigned: a standalone Azure resource managed separately from the services that use it; can be assigned to one or more service instances; created in the portal or with New-AzUserAssignedIdentity and then attached to the instance.

To use a user-assigned identity with API Management, create the API Management instance and the user-assigned identity, then enable the feature and assign the identity to the instance.

Types of Azure MSI

There are two types of Azure Managed Service Identity (MSI): System Assigned and User Assigned.

System Assigned means that the lifecycle of the managed identity is automatically managed by Azure AD. User Assigned allows users to first create an Azure AD application/service principal and assign it as a managed identity. This has advantages in terms of reuse of applications and their permissions if many services in Azure should share the account and its permissions.

You can associate an API Management instance with up to 10 user-assigned managed identities. However, if Key Vault firewall is enabled, you can't use a user-assigned identity for access from API Management, and you can use the system-assigned identity instead.

Here's a comparison of the two types:

  • System Assigned: the lifecycle of the identity is managed by Azure AD together with the resource it belongs to.
  • User Assigned: you create the Azure AD application/service principal first and assign it as a managed identity, so many services can share the account and its permissions; an API Management instance can carry up to 10 of them, but they can't be used when the Key Vault firewall is enabled.

User-Assigned


A user-assigned managed identity is a standalone Azure resource that can be assigned to an API Management instance. This type of identity has a few advantages, including the reuse of applications and their permissions if many services in Azure should share the account and its permissions.

In the portal, you attach a user-assigned managed identity to an API Management instance by creating the instance and then enabling the feature on it. To do this, you'll first create an API Management instance and a user-assigned identity.

Here are the steps to create a user-assigned managed identity:

  • Create an API Management instance in the portal as you normally would.
  • Browse to the instance in the portal and select Managed identities in the left menu under Security.
  • On the User assigned tab, select Add.
  • Search for the identity that you created earlier and select it. Select Add.

Alternatively, you can create and assign a user-assigned managed identity using Azure PowerShell. To do this, install Azure PowerShell and run Connect-AzAccount to sign in to Azure. Then use the following steps to create the instance:

  • Create a resource group using New-AzResourceGroup.
  • Create a user-assigned identity using New-AzUserAssignedIdentity.
  • Create an API Management Consumption Sku service using New-AzApiManagement.

You can also update an existing service to assign an identity to the service. To do this, you'll need to include the UserAssignedIdentity property in the resource definition.


Here are the additional properties that are added to the service when a user-assigned identity is assigned:

  • The principalId property is a unique identifier for the identity that's used for Microsoft Entra administration.
  • The clientId property is a unique identifier for the application's new identity that's used for specifying which identity to use during runtime calls.
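The three PowerShell steps above (resource group, user-assigned identity, Consumption-tier API Management instance), carried through as an added example that is not the article's own code. It also reads back the principalId and clientId properties just described and shows how the same identity is attached to an existing instance. The resource group, identity and instance names, the region, the organization and the admin e-mail are placeholders.

```powershell
# Added example, not code from the article. Names, region, organization and e-mail are placeholders.
$rg       = 'rg-apim-demo'
$location = 'westeurope'
$apimName = 'apim-demo-' + (Get-Random -Maximum 99999)   # API Management names must be globally unique

Connect-AzAccount | Out-Null

# Step 1: resource group.
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Step 2: the user-assigned identity. It is a standalone resource, so it survives deletion of
# the API Management instance and can later be attached to other services that need the same permissions.
$uami = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-apim-demo' -Location $location

# principalId is what you reference in role assignments and Key Vault access policies;
# clientId is what an application passes at runtime to select this identity.
Write-Host "principalId: $($uami.PrincipalId)"
Write-Host "clientId:    $($uami.ClientId)"

# Step 3: Consumption SKU instance that carries the identity from the start.
# -UserAssignedIdentity takes the resource IDs of the identities to attach.
$apim = New-AzApiManagement -ResourceGroupName $rg -Name $apimName -Location $location `
    -Organization 'Contoso Demo' -AdminEmail 'admin@example.com' `
    -Sku Consumption -UserAssignedIdentity @($uami.Id)

# For an instance that already exists, the same property is set through Set-AzApiManagement:
# Set-AzApiManagement -InputObject $apim -UserAssignedIdentity @($uami.Id)

# Show what was attached.
$apim.Identity | Format-List
```

Keep the identity in its own resource group when several services will share it; deleting the API Management instance then leaves the identity and its role assignments intact, which is the reuse property the article describes.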

User-assigned managed identities can be used to establish trust between an API Management instance and Azure Key Vault. This trust can then be used to retrieve custom TLS/SSL certificates stored in Azure Key Vault. However, if Key Vault firewall is enabled on your key vault, you can't use a user-assigned identity for access from API Management. In this case, you can use the system-assigned identity instead.

Global

When you're working with Azure Managed Service Identity (MSI), understanding the different types of Azure regions is crucial.

Azure Global regions include all regions except for Azure Germany, Government, and China. This is a key distinction to keep in mind when deciding which services to use.

Azure Global regions offer a wide range of services with managed identity support.

Here's a breakdown of the services available in Azure Global regions:

  • Virtual Machines: system-assigned and user-assigned managed identities
  • Virtual Machine Scale Sets: system-assigned and user-assigned managed identities
  • App Service: system-assigned and user-assigned managed identities
  • Data Factory V2: system-assigned managed identity
  • API Management: system-assigned managed identity

Security and Authentication


Azure managed service identity provides a secure way to authenticate and authorize access to Azure resources. This is achieved through the use of managed identities, which can be system-assigned or user-assigned.

A system-assigned identity is automatically created and managed by Azure, whereas a user-assigned identity is created and managed by the user. You can use the system-assigned identity to authenticate to a backend service through the authentication-managed-identity policy.

To ensure secure authentication, only applications hosted on a service with managed identity enabled can obtain tokens for that identity. This means that unauthorized applications cannot use it to access your Azure resources.

Azure managed service identity also supports authentication to Azure DevOps resources using the Microsoft Entra ID token. However, there are some limitations to consider, such as the inability to display service principals in a list of Microsoft Entra ID group members.

Here are some key limitations to keep in mind when using service principals:

  • Service principals can't be organization owners or create organizations.
  • Service principals can't create tokens, like personal access tokens (PATs) or SSH Keys.
  • We don't support Azure DevOps OAuth for service principals.

By using Azure managed service identity, you can ensure secure and authorized access to your Azure resources.

Security Concerns


Security concerns are a top priority when it comes to authentication. Only applications hosted on a service with managed identity enabled can generate tokens for that identity, which is what makes the approach secure.

This is a significant advantage because it prevents unauthorized applications from accessing sensitive information.

Token generation is a critical aspect of security, and this feature ensures that only authorized applications can obtain tokens.

This approach also reduces the risk of token theft or misuse, which can compromise the entire system.

In this way, services with managed identity enabled provide an additional layer of protection against potential security threats.

Authenticate with Microsoft Entra ID Token

You can use the Microsoft Entra ID token to authenticate to Azure DevOps resources. The token is a JWT (JSON Web Token) with the defined roles, which can be used to access organization resources using the token as Bearer.

The Microsoft Entra ID token can be used to authenticate to Azure DevOps resources, including REST APIs and OAuth. However, there are some limitations to consider. For example, service principals can't be organization owners or create organizations, and they can't create tokens like personal access tokens (PATs) or SSH Keys.


To request a token, you can use the following languages and samples, depending on your needs. For example, in C#, you can use the following code to acquire a token.

C# Example

To acquire an access token for a managed identity, you can follow the Microsoft Entra ID documentation. The returned access token is a JWT with the defined roles, which can be used to access organization resources using the token as Bearer.

Here is an example of how to use the Microsoft Entra ID token to authenticate to Azure DevOps resources:
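As an added example (in Azure PowerShell rather than C#, and not the article's sample), the flow from "How It Works in Detail" and this section: an application running on an App Service or Functions host, or on an Azure VM, asks the platform's local identity endpoint for a token instead of presenting its own credentials, decodes the returned JWT to look at its claims, and sends it as a Bearer token to the Azure DevOps REST API. The organization name is a placeholder; the endpoint names, API versions and the Azure DevOps resource ID are the values Azure documents for this purpose.

```powershell
# Added example, not code from the article. $org is a placeholder Azure DevOps organization.
$org = 'contoso'

# The Azure DevOps resource ID; tokens for Azure DevOps are requested against this application.
$resource = '499b84ac-1321-427f-aa17-267ca6975798'

function Get-ManagedIdentityToken {
    param([Parameter(Mandatory)][string]$Resource, [string]$ClientId)

    $encodedResource = [uri]::EscapeDataString($Resource)
    if ($env:IDENTITY_ENDPOINT) {
        # App Service / Functions: the platform injects a local endpoint and a per-app secret header.
        $uri     = "$($env:IDENTITY_ENDPOINT)?api-version=2019-08-01&resource=$encodedResource"
        $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    } else {
        # Virtual Machine / VMSS: Azure Instance Metadata Service on the link-local address;
        # the Metadata header is mandatory so that a browser redirect cannot reach it.
        $uri     = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$encodedResource"
        $headers = @{ Metadata = 'true' }
    }
    # A user-assigned identity is selected by its clientId; omit it to use the system-assigned one.
    if ($ClientId) { $uri += "&client_id=$ClientId" }

    (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).access_token
}

function ConvertFrom-JwtPayload {
    # Decode the payload of a JWT (without verifying the signature) to inspect its claims.
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# 1. No secret in the app: the hosting platform proves who we are.
$token  = Get-ManagedIdentityToken -Resource $resource

# 2. Look at what we were given: audience, identity, expiry and any roles.
$claims = ConvertFrom-JwtPayload -Token $token
$expiry = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
Write-Host "aud=$($claims.aud) appid=$($claims.appid) exp=$expiry roles=$($claims.roles -join ',')"

# 3. Use it as a Bearer token against the Azure DevOps REST API.
$projects = Invoke-RestMethod -Uri "https://dev.azure.com/$org/_apis/projects?api-version=7.0" `
    -Headers @{ Authorization = "Bearer $token" }
$projects.value | Select-Object name, id
```

The token is short-lived and bound to the `aud` it was issued for, so cache it only until `exp` and never write it to logs; the decode step is for inspection, and any service that accepts the token must still validate its signature.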

Note that the Microsoft Entra ID token is a powerful tool for authenticating to Azure DevOps resources, but it's essential to understand the limitations and use cases to ensure secure and efficient authentication.

Frequently Asked Questions

What is the difference between Azure managed identity and service account?

Azure Managed Identity and Service Principal are both identity management tools, but Managed Identity automates login details, while Service Principal provides specific access and control for apps. Choose the right tool based on your app's needs for seamless authentication.

Victoria Kutch

Senior Copy Editor
