Azure MSI, or Managed Service Identity, is a feature that allows Azure resources to authenticate to other services without needing to store or manage credentials.
It's a game-changer for securing your Azure resources, and it's surprisingly easy to set up.
Azure MSI provides an identity for your Azure resources, which can be used to authenticate to other services, such as Azure Key Vault, Azure Storage, and more.
This identity is managed by Azure itself, so you don't need to worry about managing or rotating credentials.
Azure MSI Concepts
Azure managed identities use certificate-based authentication, which has an expiration of 90 days and is rolled after 45 days.
Each managed identity's credential is unique and can only be used with Azure resources. If a system-assigned managed identity is enabled and no identity is specified in the request, the Azure Instance Metadata Service (IMDS) defaults to the system-assigned managed identity.
If a resource has multiple user-assigned managed identities, you must specify one of them in the request; otherwise, your requests to IMDS will fail with an error.
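The IMDS behaviour described above, as an added example that is not part of the original article: the helper builds the token request a workload on a VM would send, enforcing the "at most one identity selector" rule, and parses the JSON reply so the caller can see which identity answered and how long the token is valid. The endpoint, the Metadata header, the api-version and the client_id/object_id/mi_res_id parameters are the documented IMDS ones; the sample reply, GUIDs and timestamps are constructed for the demo.

```python
"""Added example: building and parsing an Azure IMDS managed-identity token request.
Not code from the original article. The sample reply below is constructed."""
import json
import time
import urllib.request
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
# IMDS rejects requests without this header, which stops forwarding proxies
# from relaying a token request on behalf of an off-box caller.
IMDS_HEADERS = {"Metadata": "true"}


def build_token_request(resource, client_id=None, object_id=None, mi_res_id=None):
    """Return (url, headers) for an IMDS token request for the given resource.

    With no selector IMDS falls back to the system-assigned identity. When the
    resource carries several user-assigned identities, exactly one selector
    (client_id, object_id or mi_res_id) has to be supplied or IMDS returns an error.
    """
    selectors = {
        name: value
        for name, value in (("client_id", client_id), ("object_id", object_id), ("mi_res_id", mi_res_id))
        if value
    }
    if len(selectors) > 1:
        raise ValueError("specify at most one of client_id, object_id, mi_res_id")
    params = {"api-version": IMDS_API_VERSION, "resource": resource, **selectors}
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", dict(IMDS_HEADERS)


def fetch_token(url, headers, timeout=5):
    """Perform the request; only works from inside an Azure VM or App Service."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_token_response(body, now=None):
    """Parse an IMDS reply into the fields a caller cares about.

    'client_id' tells you which identity actually issued the token, which is
    the quick check that the right user-assigned identity was selected.
    """
    data = json.loads(body)
    now = int(time.time()) if now is None else now
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "resource": data["resource"],
        "client_id": data.get("client_id"),
        "seconds_left": int(data["expires_on"]) - now,
    }


# Constructed sample reply in the documented IMDS shape (values are fake).
SAMPLE_REPLY = json.dumps({
    "access_token": "constructed.access.token",
    "client_id": "00000000-0000-0000-0000-000000000001",
    "expires_in": "3600",
    "expires_on": "1700003600",
    "ext_expires_in": "3600",
    "not_before": "1700000000",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})


if __name__ == "__main__":
    url, headers = build_token_request("https://vault.azure.net")
    print(url)
    print(parse_token_response(SAMPLE_REPLY, now=1700000000))
```

Because the endpoint is unauthenticated by design, every process on the resource can call it; that is the security boundary the article describes later, so outbound requests to 169.254.169.254 from unexpected processes are worth logging on hosts where managed identities are enabled.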
Here's a summary of how managed identities work with Azure resources:
How It Works
Managed identities in Azure are a type of service principal that can only be used with Azure resources.
Internally, managed identities are created as service principals of a special type, which are automatically removed when the identity is deleted.
A certificate is issued internally to the managed identity when it's created, either as a User-Assigned or System-Assigned Identity.
This certificate is used to request access tokens for services that support Microsoft Entra authentication.
Azure takes care of rolling the credentials used by the service instance, so you don't have to worry about managing them yourself.
Comparing the two kinds of managed identity: System-Assigned identities are tied to a specific resource, while User-Assigned identities can be used across multiple resources.
Types
There are two types of managed identities in Azure: system-assigned and user-assigned.
System-assigned managed identities are created as part of an Azure resource, such as a virtual machine or app service.
User-assigned managed identities, on the other hand, are created as a standalone Azure resource.
The two types differ mainly in lifecycle and scope. System-assigned managed identities are best suited for workloads contained within a single Azure resource, such as an application running on a single virtual machine.
Azure MSI Configuration
Azure MSI Configuration is a crucial step in leveraging the benefits of Managed Service Identity. You can enable MSI on an Azure Function through the Azure Portal by selecting 'Identity' under 'Platform features' and turning it on for System Assigned.
There are two types of managed identities: System-assigned and User-assigned. System-assigned identities are linked to the App Service and are deleted when the App Service is deleted, whereas User-assigned identities are standalone resources that can be assigned to multiple applications.
To enable MSI, you can use the Azure Portal, PowerShell, the Azure Command-Line Interface (CLI), or other methods. For simplicity, we'll focus on enabling it through the Azure Portal. Once enabled, the new identity for the Azure Function appears in the Enterprise Applications list of the AD directory.
Enabling the Service
You can turn on Managed Service Identity (MSI) for an Azure Function through the Azure Portal. Under 'Platform features' for the Azure Function, select 'Identity' and turn it on for System Assigned.
This adds the identity for the Azure Function to the Enterprise Applications list in the AD directory. Azure manages this identity internally.
There are two types of managed identities, System-assigned and User-assigned, as described above.
You can enable Managed Service Identity (MSI) through the Azure Portal, PowerShell, the Azure Command-Line Interface (CLI), or other methods. To keep things simple, we will enable it through the Azure Portal.
Enabling with AD Group
You can add the Service Principal to the AD group either through the portal or programmatically.
To verify that the token retrieved using the AzureServiceTokenProvider has the associated claims, decode the token using jwt.io.
The token will show the roles and groups for the MSI service principal, just like in the example where both roles and groups were added.
This allows the Web API to use these claims from the token to determine what functionality needs to be available for the associated roles.
By enabling MSI, you can also use claims based on Groups, as described in a detailed post that explains how to do that.
This approach eliminates the need for a separate set of authentication keys to be shipped with your application, making it easier to build applications.
Azure supports MSI for a lot more resources, and similar techniques can be applied to discover more use cases for using Managed Services Identity (MSI).
Recreating Identities After a Directory Change
If you move a subscription to a different directory, managed identities are not recreated for you; you'll need to recreate them manually. This process is more involved than it might seem.
To recreate system-assigned managed identities, disable and then re-enable them on the resource.
For user-assigned managed identities, the process is more complex. You'll need to delete the existing identity, recreate it, and then reattach it to the resources that used it, such as virtual machines.
Here's a brief summary of the steps:
- Disable and re-enable system-assigned managed identities
- Delete, recreate, and reattach user-assigned managed identities
Cross-Regional Compatibility
You can use user-assigned managed identities in more than one Azure region.
While user-assigned managed identities are created as regional resources, the associated service principal created in Microsoft Entra ID is available globally.
The service principal can be used from any Azure region, and its availability depends only on the availability of Microsoft Entra ID.
If a region becomes unavailable, it only impacts control plane activities on the managed identity itself.
Azure MSI Security
The security boundary of managed identities for Azure resources is the resource to which it's attached.
This means that any code running on that resource can call the managed identities endpoint and request tokens.
The security boundary is similar for other resources that support managed identities, such as a virtual machine with managed identities enabled.
Security Boundary for Resources
The security boundary of managed identities for Azure resources is the resource to which it's attached. This means that for a virtual machine with managed identities enabled, the security boundary is the virtual machine itself.
Any code running on that VM can call the managed identities endpoint and request tokens. This is similar to working with other resources that support managed identities.
The security boundary is not the Azure subscription or the resource group, but rather the specific resource itself. This is an important consideration when using managed identities for Azure resources.
Function Role-Based Authorization
Function Role-Based Authorization can be achieved with the same approach used for User Authorization: restricting which endpoints on the API an Azure Function is allowed to call.
This is a typical scenario where we need to control access to certain resources, such as API endpoints, to ensure only authorized functions can access them.
To implement Role-Based Authorization, we can use the authentication setup between the Azure Function and Web API as a starting point.
By restricting endpoints, we can prevent unauthorized functions from accessing sensitive data or performing unauthorized actions.
Azure Function MSI (Managed Service Identity) can be used to provide authentication and authorization capabilities, making it easier to implement Role-Based Authorization.
This approach allows us to define roles for functions and assign permissions to those roles, controlling access to specific API endpoints.
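The token inspection from "Enabling with AD Group" and the endpoint restriction described in this section, as one added example that is not code from the original article or from the posts it draws on. decode_claims does what jwt.io does (it reads the roles and groups claims without checking the signature, so it is for inspection only); authorize is the check a Web API would run before serving an endpoint: verify the signature, confirm the audience and expiry, then match the caller's roles or groups against a per-endpoint policy. The token, the signing secret, the audience, the role names and the GUIDs are all constructed for the demo; real managed-identity tokens are RS256-signed by Microsoft Entra ID and must be verified against the tenant's published signing keys rather than a shared secret, which the HS256 routine here only stands in for.

```python
"""Added example: inspecting a JWT's roles/groups claims and enforcing
per-endpoint role-based authorization. Not code from the original article.
Secret, token contents and policy are constructed; HS256 stands in for the
RS256/JWKS verification a real Web API performs against Microsoft Entra ID."""
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"   # constructed
EXPECTED_AUD = "api://constructed-web-api"                 # constructed app ID URI


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims, secret=DEMO_SECRET):
    """Build a signed demo JWT so the example runs offline (constructed issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_claims(token):
    """jwt.io-style inspection: returns (header, claims) WITHOUT verifying the signature."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def verify_hs256(token, secret=DEMO_SECRET):
    """Constant-time signature check; stand-in for RS256 verification with the tenant's keys."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


# Constructed policy: which app roles or group object IDs may call each endpoint.
ENDPOINT_POLICY = {
    "GET /api/orders":  {"roles": {"Orders.Read", "Orders.Write"}, "groups": set()},
    "POST /api/orders": {"roles": {"Orders.Write"}, "groups": set()},
    "GET /api/reports": {"roles": set(), "groups": {"22222222-2222-2222-2222-222222222222"}},
}


def authorize(token, endpoint, secret=DEMO_SECRET, expected_aud=EXPECTED_AUD, now=None):
    """True only if the token verifies, targets this API, is unexpired, and the
    caller's roles or groups satisfy the endpoint's policy. Claims are read only
    after the signature check, so a tampered roles claim never reaches the policy."""
    if not verify_hs256(token, secret):
        return False
    _, claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_aud or int(claims.get("exp", 0)) <= now:
        return False
    policy = ENDPOINT_POLICY.get(endpoint)
    if policy is None:
        return False  # unknown endpoints are denied by default
    have_roles = set(claims.get("roles", []))
    have_groups = set(claims.get("groups", []))
    return bool(policy["roles"] & have_roles or policy["groups"] & have_groups)


# Constructed claims for the Function's MSI service principal (all GUIDs fake).
SAMPLE_CLAIMS = {
    "aud": EXPECTED_AUD,
    "appid": "11111111-1111-1111-1111-111111111111",
    "exp": 1700003600,
    "roles": ["Orders.Read"],
    "groups": ["22222222-2222-2222-2222-222222222222"],
}


if __name__ == "__main__":
    token = mint_demo_token(SAMPLE_CLAIMS)
    print(decode_claims(token)[1])
    for endpoint in ENDPOINT_POLICY:
        print(endpoint, authorize(token, endpoint, now=1700000000))
```

The forged-token case in the usage below is the one to keep in mind: swapping in a payload with a stronger roles claim leaves the signature invalid, so authorize denies it even though decode_claims would happily display the new roles. That is why jwt.io-style decoding belongs in debugging, not in the request path.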
Frequently Asked Questions
What is the difference between Azure managed identity and service principal?
Service Principal and Managed Identity serve different purposes in Azure identity management: a Service Principal provides specific access control for apps, while a Managed Identity automates the login details for seamless integration.
Sources
- https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq
- https://www.rahulpnath.com/blog/how-to-authenticate-azure-function-with-azure-web-app-using-managed-service-identity/
- https://blog.cellenza.com/en/cloud/how-to-secure-azure-sql-database-with-managed-identity-azure-ad-authentication/
- https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview
- https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-managed-identities-work-vm