Managed identities for Azure resources allow Azure services and resources to access other resources without requiring credentials to be configured in code or passed around. This improves security by removing secrets from code and automatically managing credentials. Key benefits include credentials being managed by Azure, automatic rotation of credentials, and easy revocation of access. The service is free and supports both system-assigned identities tied to a specific resource and user-assigned identities that can be used across multiple resources.

1. Zero Credential Development
with Managed Identities for
Azure Resources
Joonas Westlin, Zure

2. Speaker Intro
• Joonas Westlin
• Developer / Architect @ Zure
• Global #1 on Stack Overflow for Azure
AD answers
@JoonasWestlin
joonasw.net

3. westl.in/questions
Send your questions in at any time or raise your hand!

6. Hold on, Key Vault didn’t
help anything!

7. Keys need to be
managed
Keys need to be
rotated
Keys need to be
revoked
Key issues

8. How could we do this
better?

9. Managed Identities for Azure Resources
Managed by
Azure
Automatically
rotated
Easily revoked
Zero
Credentials

11. Oh yeah this service is free

12. System-assigned? User-assigned?
• System-assigned
identities tied to a
resource like App Service
or a VM
• Deleted when the
resource is deleted
• User-assigned identities
can be assigned to
multiple resources
• A resource can have more
than one
• Independent lifecycle

13. Enabling System-assigned Identity

14. Enabling User-assigned Identity

15. HTTP Request
App Service instance

16. Where can I use it? (2019)
Virtual
Machines
VM Scale Sets
Functions
Data Factory API Management Blueprints Container
Registry Tasks
Logic Apps
Preview
Container
Instances
Preview
App Services

17. Where can I use it? (2022)
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-
identities-status

18. What can I access with it? (2019)
Azure SQL
Database
Key Vault Data Lake Blob Storage Queue Storage
Event Hubs Analysis Services ARM API AAD & MS Graph
API
Any API supporting
AAD auth*
Service Bus

19. What can I access with it? (2022)
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-azure-
active-directory-support
Any API supporting AAD auth*

20. It’s Demo Time!
https://westl.in/midemo
https://westl.in/midemo2

21. Advanced: Usage against custom APIs

22. Advanced: Usage against custom APIs

23. PowerShell to the rescue!

24. How about local
development?

26. https://www.nuget.org/packages/Azure.Identity/
Managed
Identity
Visual Studio
Azure CLI
Visual Studio
Code Azure
PowerShell
Interactive
browser
authentication
Shared token
cache

27. My suggestions
• Use DefaultAzureCredential
• Covers most local scenarios + Azure
• Tries different methods until one succeeds
• Define tenant ID through options for the methods that support
it if needed
• Use ManagedIdentityCredential if only that is needed
• Use ClientCertificateCredential or
ClientSecretCredential locally with custom APIs

28. Summary
• Using Managed Identity is seriously recommended if
your app runs on Azure
• Access any service that supports Azure AD authentication
in a secure way
• Free service that can remove all secrets from your code
• .NET apps should use the Azure.Identity library
• Local development can require some effort

29. Links
• https://docs.microsoft.com/en-us/azure/active-
directory/managed-identities-azure-resources/overview
• https://github.com/juunas11/managedidentity-
filesharing
• https://github.com/juunas11/Joonasw.ManagedIdentityD
emos