Keys are always needed to access services in Azure and beyond. Storing and managing keys presents many problems, for example rotating and disabling them. Keys often also allow blanket access to the service with no way to limit it. Sometimes there is only one key that needs to be shared by services, so you won't have any way to disable access from one individually. In this talk we will go through Managed Identities for Azure Resources, how they work, and how you can use them to use Azure services in a secure way without having to manage any keys yourself. We will go through a demo application which uses various Azure services through a managed identity, removing the need to use keys entirely. The source code will be available to the audience so they have samples that they can use to implement managed identities in their own applications.

1. Zero Credential Development
with Managed Identities for
Azure Resources
Joonas Westlin, Zure

2. Speaker Intro
• Joonas Westlin
• Developer / Architect @ Zure
• Global #1 on Stack Overflow for Azure
AD answers
@JoonasWestlin
joonasw.net

3. westl.in/questions
Send your questions in at any time or raise your hand!

6. Hold on, Key Vault didn’t
help anything!

7. Keys need to be
managed
Keys need to be
rotated
Keys need to be
revoked
Key issues

8. How could we do this
better?

9. Managed Identities for Azure Resources
Managed by
Azure
Automatically
rotated
Easily revoked
Zero
Credentials

11. Oh yeah this service is free

12. System-assigned? User-assigned?
• System-assigned
identities tied to a
resource like App Service
or a VM
• Deleted when the
resource is deleted
• User-assigned identities
can be assigned to
multiple resources
• A resource can have more
than one
• Independent lifecycle

13. Enabling System-assigned Identity

14. Enabling User-assigned Identity

15. Where can I use it? (2019)
Virtual
Machines
VM Scale Sets
Functions
Data Factory API Management Blueprints Container
Registry Tasks
Logic Apps
Preview
Container
Instances
Preview
App Services

16. Where can I use it? (2022)
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-
identities-status

17. What can I access with it? (2019)
Azure SQL
Database
Key Vault Data Lake Blob Storage Queue Storage
Event Hubs Analysis Services ARM API AAD & MS Graph
API
Any API supporting
AAD auth*
Service Bus

18. What can I access with it? (2022)
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-azure-
active-directory-support
Any API supporting AAD auth*

19. It’s Demo Time!
https://westl.in/midemo
https://westl.in/midemo2

20. HTTP Request
App Service instance

21. Advanced: Usage against custom APIs

22. Advanced: Usage against custom APIs

23. PowerShell to the rescue!

24. How about local
development?

25. https://www.nuget.org/packages/Azure.Identity/
Managed
Identity
Visual Studio
Azure CLI
Visual Studio
Code Azure
PowerShell
Interactive
browser
authentication
Shared token
cache

26. My suggestions
• DefaultAzureCredential = good starting point
• Covers most local scenarios + Azure
• Define tenant ID through options for the methods that support
it if needed
• ManagedIdentityCredential when running in Azure
• ChainedTokenCredential can be a good alternative for
DefaultAzureCredential (customize options and order)
• Use ClientCertificateCredential or
ClientSecretCredential locally with custom APIs

27. Summary
• Using Managed Identity is seriously recommended if
your app runs on Azure
• Access any service that supports Azure AD authentication
in a secure way
• Free service that can remove all secrets from your code
• Use the Azure Identity library
• Local development can require some effort

28. Links
• https://westl.in/slides
• https://docs.microsoft.com/en-us/azure/active-
directory/managed-identities-azure-resources/overview
• https://github.com/juunas11/managedidentity-filesharing
• https://github.com/juunas11/Joonasw.ManagedIdentityD
emos