Azure · Entra ID · Managed Identity · Segurança

What is Azure Managed Identity?

Password and credential management has always been a challenge for developers, especially for service-to-service communication. Although it is possible to use Azure Key Vault to securely store such information, services need a way to access it.

With Azure Managed Identity you can eliminate the need for developers to manage passwords and credentials, keeping communication secure between services.

But what is Azure Managed Identity?

What is Azure Managed Identity?

A Managed Identity is nothing more than a special service principal that is created and managed automatically in the Microsoft Entra ID, where it obtains tokens so that resources that support Microsoft Entra authentication can establish communication with each other without worrying about credentials.

Currently, there are two types of Managed Identity, and here are some differences between them

  • System Assigned

    • Linked to the resource lifecycle, i.e., if the resource is deleted, the Managed Identity is automatically deleted
    • By design, only the Azure resource can use this identity to request tokens from Microsoft Entra ID
  • User Assigned

    • Managed separately from the resources that use it, i.e., even if the resource is deleted, the Managed Identity will not be deleted
    • Can be used by multiple resources

In either type you authorize the managed identity to have access to one or more services

Explaining usage

Regardless of the Managed Identity type you choose, you will always have a source resource and a destination resource, where:

  • Source

    • The resource where the Managed Identity will be created/assigned, whether System Assigned or User Assigned
    • The Managed Identity will request a token from Entra ID to establish communication with the “destination”
    • Entra ID will issue the token and, then, the source resource will authenticate with that token to the “destination”
  • Destination

    • The resource where the source will connect
    • The Managed Identity of the source needs to have access granted via Role Based Access Control
      • Access to SQL Database is granted directly in the database by creating a login

In the image below, we can see

  1. The source (Web App with Managed Identity) that will request the token from Entra ID
  2. Entra ID issues the token to the Managed Identity
  3. Managed Identity will use the token to authenticate to the Azure SQL Database

Which services in Azure support Managed Identity?

A comprehensive list and, according to Microsoft, “this list does not include all articles talking about managed identities […] The provider namespace information is available in the article titled Azure service providers

  • API Management
  • Application Gateway
  • Azure App Configuration
  • Azure App Services
  • Azure Arc enabled Kubernetes
  • Azure Arc enabled servers
  • Azure Automanage
  • Azure Automation
  • Azure Batch
  • Azure Blueprints
  • Azure Cache for Redis
  • Azure Communications Gateway
  • Azure Communication Services
  • Azure Container Apps
  • Azure Container Instance
  • Azure Container Registry
  • Azure AI services
  • Azure Data Box
  • Azure Data Explorer
  • Azure Data Factory
  • Azure Data Lake Storage Gen1
  • Azure Data Share
  • Azure DevTest Labs
  • Azure Digital Twins
  • Azure Event Grid
  • Azure Event Hubs
  • Azure Image Builder
  • Azure Import/Export
  • Azure IoT Hub
  • Azure Kubernetes Service (AKS)
  • Azure Load Testing
  • Azure Logic Apps
  • Azure Log Analytics cluster
  • Azure Machine Learning Services
  • Azure Managed Disk
  • Azure Media services
  • Azure Monitor
  • Azure Policy
  • Microsoft Purview
  • Azure Resource Mover
  • Azure Site Recovery
  • Azure Search
  • Azure Service Bus
  • Azure Service Fabric
  • Azure SignalR Service
  • Azure Spring Apps
  • Azure SQL
  • Azure SQL Managed Instance
  • Azure Stack Edge
  • Azure Static Web Apps
  • Azure Stream Analytics
  • Azure Synapse
  • Azure VM image builder
  • Azure Virtual Machine Scale Sets
  • Azure Virtual Machines
  • Azure Web PubSub Service

What operations can be performed with Managed Identities?

Regardless of the type of Managed Identity, you can:

  • Use Role Based Access Control to grant permissions
  • View the CRUD operations in the Azure activity logs
  • Show inbound activity in the Microsoft Entra ID logs

But there are some differences if you opt for System or User Assigned:

  • System Assigned

    • Enable or disable Managed Identities at the resource level
  • User Assigned

    • You can create, read, update, and delete Managed Identities

You can use Managed Identities by running Azure Resource Manager (ARM), Azure Portal, Azure CLI, PowerShell, and REST APIs.

AzureAzure ADEntra IDManaged IdentitySegurançaSystem AssignedUser Assgined
What is Azure Managed Identity? — Vinicius Deschamps