Managed identities for Azure resources allow Azure services and resources to access other resources without requiring credentials to be configured in code or passed around. This improves security by removing secrets from code and automatically managing credentials. Key benefits include credentials being managed by Azure, automatic rotation of credentials, and easy revocation of access. The service is free and supports both system-assigned identities tied to a specific resource and user-assigned identities that can be used across multiple resources.
12. System-assigned? User-assigned?
• System-assigned identities are tied to a resource like an App Service or a VM
• Deleted when the resource is deleted
• User-assigned identities can be assigned to multiple resources
• A resource can have more than one
• Independent lifecycle
16. Where can I use it? (2019)
• Virtual Machines
• VM Scale Sets
• Functions
• Data Factory
• API Management
• Blueprints
• Container Registry Tasks
• Logic Apps (Preview)
• Container Instances (Preview)
• App Services
17. Where can I use it? (2022)
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status
18. What can I access with it? (2019)
• Azure SQL Database
• Key Vault
• Data Lake
• Blob Storage
• Queue Storage
• Event Hubs
• Analysis Services
• ARM API
• AAD & MS Graph API
• Service Bus
• Any API supporting AAD auth*
19. What can I access with it? (2022)
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-azure-active-directory-support
• Any API supporting AAD auth*
27. My suggestions
• Use DefaultAzureCredential
  • Covers most local scenarios + Azure
  • Tries different methods until one succeeds
  • Define tenant ID through options for the methods that support it, if needed
• Use ManagedIdentityCredential if only that is needed
• Use ClientCertificateCredential or ClientSecretCredential locally with custom APIs
28. Summary
• Using Managed Identity is seriously recommended if your app runs on Azure
• Access any service that supports Azure AD authentication in a secure way
• Free service that can remove all secrets from your code
• .NET apps should use the Azure.Identity library
• Local development can require some effort
On App Service the endpoint is on localhost.
Tokens are temporary, but with a 24-hour expiry.
The endpoint has caching, but do not rely on it; always cache in memory.
The library exists for at least .NET, JavaScript, Python, Java and Go.
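As an added example (not code from the slides, nor from the Azure.Identity library), a minimal Python client for the localhost endpoint the notes mention, wrapped in the in-memory cache the notes recommend; the IDENTITY_ENDPOINT/IDENTITY_HEADER variables, the api-version value and the helper names are assumptions, and demo() runs against a constructed stand-in endpoint so it works offline.

```python
import json
import os
import time
import urllib.request
from urllib.parse import urlencode

# Assumed from the App Service docs, not from the slides: the endpoint URL and
# header secret arrive in IDENTITY_ENDPOINT / IDENTITY_HEADER, api-version 2019-08-01.
API_VERSION = "2019-08-01"
REFRESH_MARGIN = 5 * 60  # refetch when fewer than 5 minutes remain

def fetch_from_app_service(resource):
    """Raw call to the localhost endpoint (hypothetical helper, works only on App Service)."""
    url = os.environ["IDENTITY_ENDPOINT"] + "?" + urlencode(
        {"resource": resource, "api-version": API_VERSION})
    req = urllib.request.Request(
        url, headers={"X-IDENTITY-HEADER": os.environ["IDENTITY_HEADER"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

class TokenCache:
    """In-memory token cache keyed by resource; fetch and clock are injectable."""

    def __init__(self, fetch=fetch_from_app_service, clock=time.time):
        self._fetch, self._clock, self._tokens, self.fetch_count = fetch, clock, {}, 0

    def get_token(self, resource):
        entry = self._tokens.get(resource)
        # Refetch when missing or about to expire; otherwise serve from memory
        if entry is None or entry["expires_on"] - self._clock() <= REFRESH_MARGIN:
            body = self._fetch(resource)  # expires_on is a Unix timestamp (string)
            entry = {"access_token": body["access_token"],
                     "expires_on": int(body["expires_on"])}
            self._tokens[resource] = entry
            self.fetch_count += 1
        return entry["access_token"]

def demo():
    """Constructed endpoint stand-in issuing 24-hour tokens, as on the slides."""
    clock = [1_700_000_000]
    def fake_fetch(resource):
        return {"access_token": f"tok-{clock[0]}", "expires_on": str(clock[0] + 24 * 3600)}
    cache = TokenCache(fetch=fake_fetch, clock=lambda: clock[0])
    first = cache.get_token("https://vault.azure.net")   # fetched from endpoint
    second = cache.get_token("https://vault.azure.net")  # served from memory
    clock[0] += 24 * 3600 - 60                           # now inside the refresh margin
    third = cache.get_token("https://vault.azure.net")   # refreshed before expiry
    return first == second, third != first, cache.fetch_count
```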