Managed Identities
A managed identity is an Entra ID identity automatically managed by Azure. It allows resources such as App Services, Functions, VMs, and Container Apps to authenticate to other Azure services without storing credentials in code or configuration.
Identity Types
- System-assigned — Created and tied to a single Azure resource. Automatically deleted when the resource is deleted. Suitable for workloads where a 1:1 relationship between resource and identity is appropriate
- User-assigned — Created as a standalone Azure resource and assigned to one or more resources. Persists independently of the resources it is assigned to. Preferred when multiple resources share the same permissions, or when the identity lifecycle must be managed separately
How It Works
- A managed identity is assigned to an Azure resource (e.g. an App Service)
- Azure issues the resource a token via the Instance Metadata Service (IMDS) endpoint
- The resource uses that token to authenticate to target services (e.g. Key Vault, Storage, SQL)
- Access is controlled by assigning Azure RBAC roles (or service-specific permissions) to the managed identity
No secrets, passwords, or certificates need to be stored or rotated by the application.
Common Use Cases
- Reading secrets or keys from Azure Key Vault
- Reading and writing blobs to Azure Storage
- Connecting to Azure SQL without a password (using
Authentication=Active Directory Defaultin the connection string) - Calling other Azure REST APIs or services that support Entra ID authentication
Common Built-in RBAC Roles
Key Vault
| Role | Role Definition ID | Scope | Description |
|---|---|---|---|
Key Vault Administrator | 00482a5a-887f-4fb3-b363-3b7fe8e74483 | All | Full access to all object types and vault configuration |
Key Vault Reader | 21090545-7ca7-4776-b22c-e363652d74d2 | All | Read metadata across all object types; cannot read secret values or key material |
Key Vault Secrets User | 4633458b-17de-408a-b874-0445c86b69e6 | Secrets | Read secret values |
Key Vault Secrets Officer | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | Secrets | Full secrets management (create, update, delete) |
Key Vault Crypto User | 12338af0-0e69-4776-bea7-57ae8d297424 | Keys | Perform cryptographic operations (encrypt, decrypt, sign, verify) |
Key Vault Crypto Officer | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 | Keys | Full key management (create, update, delete, rotate) |
Key Vault Crypto Service Encryption User | e147488a-f6f5-4113-8e2d-b22465e65bf6 | Keys | Wrap/unwrap keys; used by Azure services for customer-managed key (CMK) scenarios |
Key Vault Certificates Officer | a4417e6f-fecd-4de8-b567-7b0420556985 | Certificates | Full certificate management (create, update, delete, renew) |
Storage
| Role | Role Definition ID | Scope | Description |
|---|---|---|---|
Storage Account Contributor | 17d1049b-9a84-46fb-8f53-869881c3d3ab | Account | Manage storage account configuration; no access to data plane |
Storage Blob Data Owner | b7e6dc6d-f1e8-4753-8033-0f276bb0955b | Blobs | Full access to blob containers and data, including POSIX ACL management |
Storage Blob Data Contributor | ba92f5b4-2d11-453d-a403-e96b0029c9fe | Blobs | Read, write, and delete blob containers and data |
Storage Blob Data Reader | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | Blobs | Read and list blob containers and data |
Storage Blob Delegator | db58b8e5-c6ad-4a2a-8342-4190687cbf4a | Blobs | Obtain a user delegation key for generating SAS tokens scoped to Blob storage |
Storage Queue Data Contributor | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | Queues | Read, write, and delete queues and queue messages |
Storage Queue Data Reader | 19e7f393-937e-4f77-808e-94535e297925 | Queues | Read and list queues and queue messages |
Storage Queue Data Message Sender | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | Queues | Post messages to a storage queue |
Storage Queue Data Message Processor | 8a0f0c08-91a1-4084-bc3d-661d67233fed | Queues | Peek, receive, and delete messages from a storage queue |
Storage Table Data Contributor | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 | Tables | Read, write, and delete tables and table entities |
Storage Table Data Reader | 76199698-9eea-4c19-bc75-cec21354c6b6 | Tables | Read and list tables and table entities |
Storage File Data SMB Share Contributor | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | Files | Read, write, and delete files and directories over SMB |
Storage File Data SMB Share Reader | aba4ae5f-2193-4029-9191-0cb91df5e314 | Files | Read and list files and directories over SMB |
Storage File Data SMB Share Elevated Contributor | a7264617-510b-434b-a828-9731dc254ea7 | Files | Read, write, delete, and modify NTFS ACLs on files and directories over SMB |
Usage
PowerShell
# Enable system-assigned identity on an App Service
Set-AzWebApp -ResourceGroupName "rg-myapp-prod-uks-01" -Name "app-myapp-prod-uks-01" -AssignIdentity $true
# Create a user-assigned managed identity
New-AzUserAssignedIdentity -ResourceGroupName "rg-myapp-prod-uks-01" -Name "id-myapp-prod-uks-01" -Location "uksouth"
# Assign a user-assigned identity to an App Service
$identity = Get-AzUserAssignedIdentity -ResourceGroupName "rg-myapp-prod-uks-01" -Name "id-myapp-prod-uks-01"
$app = Get-AzWebApp -ResourceGroupName "rg-myapp-prod-uks-01" -Name "app-myapp-prod-uks-01"
Update-AzWebApp -ResourceGroupName "rg-myapp-prod-uks-01" -Name "app-myapp-prod-uks-01" `
-IdentityType "UserAssigned" `
-IdentityId $identity.Id
# Grant the identity access to Key Vault secrets
New-AzRoleAssignment `
-ObjectId $identity.PrincipalId `
-RoleDefinitionName "Key Vault Secrets User" `
-Scope "/subscriptions/<sub-id>/resourceGroups/rg-myapp-prod-uks-01/providers/Microsoft.KeyVault/vaults/kv-myapp-prod-uks-01"Adding to Azure SQL
Managed identities authenticate to Azure SQL using Entra ID. The identity must first be added as a database user.
-- Create the user from the external provider (Entra ID)
CREATE USER [id-myapp-prod-uks-01] FROM EXTERNAL PROVIDER
-- Grant read/write access
ALTER ROLE db_datareader ADD MEMBER [id-myapp-prod-uks-01]
ALTER ROLE db_datawriter ADD MEMBER [id-myapp-prod-uks-01]The SQL server itself also needs an Entra ID admin set, and the connection string should use Authentication=Active Directory Default (or Active Directory Managed Identity for explicit identity selection).
System-assigned vs User-assigned
- Use system-assigned for simple, single-resource scenarios where you want automatic lifecycle management
- Use user-assigned when multiple resources need the same permissions, when you need to pre-assign roles before deploying the resource, or when identity continuity across resource redeployments is required
- Prefer user-assigned in most production scenarios for consistency and reusability
Best Practices
- Always prefer managed identities over service principals with client secrets for Azure-hosted workloads
- Apply the principle of least privilege—assign only the roles the identity needs, scoped as narrowly as possible (resource scope over resource group scope over subscription scope)
- Use user-assigned identities for production workloads to decouple identity lifecycle from resource lifecycle
- Avoid giving managed identities Owner or Contributor at broad scopes unless strictly necessary
- Regularly audit role assignments on managed identities using Azure Policy or Access Reviews
- Follow the naming convention:
id-<app>-<environment>-<location>-<instance>(e.g.id-myapp-prod-uks-01)
Last updated on