Zero Credential Development
with Managed Identities for
Azure Resources
Joonas Westlin, Zure Ltd
Speaker Intro
• Joonas Westlin
• Developer / Architect @ Zure
• Global #1 on Stack Overflow for Azure AD answers
@JoonasWestlin
joonasw.net
Hold on, Key Vault didn’t help anything!
Key issues
• Keys need to be managed
• Keys need to be rotated
• Keys need to be revoked
How could we do this better?
Managed Identities for Azure Resources
• Managed by Azure
• Automatically rotated
• Easily revoked
• Zero credentials
• Oh yeah, this service is free
System-assigned? User-assigned?
• System-assigned identities are tied to a resource like App Service or a VM
• Deleted when the resource is deleted
• User-assigned identities can be assigned to multiple resources
• A resource can have more than one
• Independent lifecycle
Enabling System-assigned Identity
Enabling User-assigned Identity
Where can I use it?
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
• Virtual Machines
• VM Scale Sets
• Functions
• Data Factory
• API Management
• Blueprints
• Container Registry Tasks
• Logic Apps (preview)
• Container Instances (preview)
• App Services
What can I access with it?
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
• Azure SQL Database
• Key Vault
• Data Lake
• Blob Storage
• Queue Storage
• Event Hubs
• Analysis Services
• ARM API
• AAD & MS Graph API
• Service Bus
• Any API supporting AAD auth*
[Diagram: the App Service instance obtains its token with an HTTP request]
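The HTTP request in that diagram is what the AppAuthentication library makes for you when the code runs on Azure. The following is an added example, not code from the deck or its demo repository; it shows the request against the two local endpoints as they are documented: on App Service and Functions the platform injects the MSI_ENDPOINT and MSI_SECRET variables and the token is fetched with a Secret header (api-version 2017-09-01), while on a VM or scale set the instance metadata service at 169.254.169.254 is used with a Metadata: true header (api-version 2018-02-01). The cache and the audience/expiry check on the returned JWT are this example's own additions.

```csharp
// Added example, not from the deck or its demo repo: the token request the
// AppAuthentication library issues on your behalf on Azure, with a per-resource
// cache and a sanity check of the token's own claims.
using System;
using System.Collections.Concurrent;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

public sealed class ManagedIdentityTokenClient
{
    private static readonly HttpClient Http = new HttpClient();

    // Managed identity tokens are valid for hours: cache per resource and refresh
    // a few minutes before expiry instead of hitting the endpoint on every call.
    private readonly ConcurrentDictionary<string, (string Token, DateTimeOffset ExpiresOn)> _cache =
        new ConcurrentDictionary<string, (string Token, DateTimeOffset ExpiresOn)>();

    public async Task<string> GetAccessTokenAsync(string resource)
    {
        if (_cache.TryGetValue(resource, out var cached) &&
            cached.ExpiresOn > DateTimeOffset.UtcNow.AddMinutes(5))
        {
            return cached.Token;
        }

        using (var request = BuildRequest(resource))
        using (var response = await Http.SendAsync(request))
        {
            response.EnsureSuccessStatusCode();
            var body = await response.Content.ReadAsStringAsync();
            using (var doc = JsonDocument.Parse(body))
            {
                var token = doc.RootElement.GetProperty("access_token").GetString();
                var expiresOn = ReadExpiry(token, resource);
                _cache[resource] = (token, expiresOn);
                return token;
            }
        }
    }

    private static HttpRequestMessage BuildRequest(string resource)
    {
        var escaped = Uri.EscapeDataString(resource);
        var endpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT");
        var secret = Environment.GetEnvironmentVariable("MSI_SECRET");

        if (!string.IsNullOrEmpty(endpoint) && !string.IsNullOrEmpty(secret))
        {
            // App Service / Functions: a local endpoint per instance. The Secret header
            // value is injected by the platform and never leaves the instance.
            var req = new HttpRequestMessage(HttpMethod.Get,
                $"{endpoint}?resource={escaped}&api-version=2017-09-01");
            req.Headers.Add("Secret", secret);
            return req;
        }

        // VM / VM scale set: the instance metadata service. Requests without the
        // Metadata header are rejected, which stops simple SSRF-style token theft.
        var imds = new HttpRequestMessage(HttpMethod.Get,
            "http://169.254.169.254/metadata/identity/oauth2/token" +
            $"?api-version=2018-02-01&resource={escaped}");
        imds.Headers.Add("Metadata", "true");
        return imds;
    }

    // The two endpoints report expires_on in different formats, so read exp and aud
    // from the JWT payload instead. No signature check here: the token came from the
    // platform's local endpoint, and the API we call is the party that verifies it.
    private static DateTimeOffset ReadExpiry(string jwt, string requestedResource)
    {
        var payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using (var doc = JsonDocument.Parse(Convert.FromBase64String(payload)))
        {
            var aud = doc.RootElement.GetProperty("aud").GetString();
            if (aud.TrimEnd('/') != requestedResource.TrimEnd('/'))
            {
                throw new InvalidOperationException(
                    $"Token audience '{aud}' does not match requested resource '{requestedResource}'");
            }
            return DateTimeOffset.FromUnixTimeSeconds(doc.RootElement.GetProperty("exp").GetInt64());
        }
    }
}

// Usage, for example against the ARM API (assumed caller code):
// var token = await new ManagedIdentityTokenClient().GetAccessTokenAsync("https://management.azure.com/");
// http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
```

In practice you would not write this yourself; it is here to make clear what "zero credentials" means on the wire: the only secret involved is the per-instance header value the platform hands to your process, and it is never stored in your code or configuration.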
It’s Demo Time!
https://westl.in/midemo
Advanced: Usage against custom APIs
PowerShell to the rescue!
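Calling your own API with a managed identity only works if the API accepts tokens for its App ID URI and, once the PowerShell step the deck refers to has assigned an app role on the API's service principal to the identity's service principal, checks that role. The following is an added example of the API side, not code from the deck or its demo repository: an ASP.NET Core 2.x setup where the tenant id, the App ID URI api://contoso-orders-api and the role name Orders.Read are assumed placeholders.

```csharp
// Added example (not the deck's demo code): the receiving API validates the token
// against the tenant and its own App ID URI, then requires the app role that the
// managed identity's service principal was assigned. Without the role check any
// principal in the tenant able to obtain a token for the API could call it.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Placeholders: use your tenant id and the App ID URI you registered for the API.
    private const string TenantId = "<tenant-id>";
    private const string ApiAppIdUri = "api://contoso-orders-api";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys and issuer are discovered from the tenant's metadata.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}";
                // Must equal the resource the caller requested the token for.
                options.Audience = ApiAppIdUri;
            });

        services.AddAuthorization(options =>
        {
            // App roles arrive in the "roles" claim; the default JWT handler maps it
            // to ClaimTypes.Role, so accept either claim type.
            options.AddPolicy("OrdersReader", policy => policy.RequireAssertion(ctx =>
                ctx.User.HasClaim(c =>
                    (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == "Orders.Read")));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}

[ApiController]
[Route("orders")]
public class OrdersController : ControllerBase
{
    // Both a valid token for this API and the Orders.Read app role are required.
    [HttpGet]
    [Authorize(Policy = "OrdersReader")]
    public IActionResult Get() => Ok(new[] { "order-1", "order-2" });
}
```

The important caveat is the policy: validating the signature and audience proves the token was issued for your API, but it is the app role assignment, reflected in the roles claim, that says this particular identity is allowed in.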
How about local development?
https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication/
[Diagram: Managed Identity, Visual Studio, AZ CLI, Windows Authentication]
Supported methods
• Managed Identity
• Visual Studio
• AZ CLI
• Integrated Windows Authentication
• Client id + secret
• Client id + certificate (can be local or in Key Vault)
• Advanced options unlocked by using connection string
https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication
My suggestions
• Use Visual Studio / AZ CLI / IWA for cases where it works
  • RunAs=Developer;DeveloperTool=VisualStudio
  • RunAs=Developer;DeveloperTool=AzureCli
• Use client id + secret / certificate where it does not
  • RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}
  • RunAs=App;AppId={AppId};TenantId={TenantId};CertificateThumbprint={Thumbprint};CertificateStoreLocation={LocalMachine or CurrentUser}
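What this looks like in application code, as an added example rather than the deck's demo code: one AzureServiceTokenProvider serves Key Vault, Azure SQL and a custom API (the "Advanced" slides above), and the same binary runs on Azure with the managed identity and locally with one of the connection strings listed. The vault URL, secret name, SQL server, database and the App ID URI api://contoso-orders-api are assumed names.

```csharp
// Added example (not the deck's demo code). With no connection string passed, the
// library reads AzureServicesAuthConnectionString from the environment; if that is
// unset it tries Managed Identity, Visual Studio, Azure CLI and Integrated Windows
// Authentication in turn. So on Azure you configure nothing, and locally you set
// e.g. AzureServicesAuthConnectionString=RunAs=Developer;DeveloperTool=AzureCli.
// Keep any RunAs=App;...AppKey=... string out of source control (user secrets or
// environment variables only); otherwise "zero credentials" is lost again.
using System.Data.SqlClient;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public static class SecretlessClients
{
    private static readonly AzureServiceTokenProvider TokenProvider = new AzureServiceTokenProvider();

    // Key Vault: the SDK asks the provider for a token on each call. Assumed vault
    // and secret names; the identity needs a Get permission in the vault's access policy.
    public static async Task<string> GetLegacyDbPasswordAsync()
    {
        var kv = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(TokenProvider.KeyVaultTokenCallback));
        var bundle = await kv.GetSecretAsync("https://contoso-demo.vault.azure.net/", "LegacyDbPassword");
        return bundle.Value;
    }

    // Azure SQL: no password in the connection string at all. The identity must exist
    // in the database (CREATE USER [<app name>] FROM EXTERNAL PROVIDER) with a role.
    public static async Task<int> CountOrdersAsync()
    {
        var connectionString =
            "Server=tcp:contoso-demo.database.windows.net,1433;Database=Orders;Encrypt=True;";
        using (var conn = new SqlConnection(connectionString))
        {
            conn.AccessToken = await TokenProvider.GetAccessTokenAsync("https://database.windows.net/");
            await conn.OpenAsync();
            using (var cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Orders", conn))
            {
                return (int)await cmd.ExecuteScalarAsync();
            }
        }
    }

    // Custom API: the resource is the API's App ID URI. The token carries the app
    // roles assigned to this identity's service principal, which the API checks.
    public static async Task<string> CallOrdersApiAsync(HttpClient http)
    {
        var token = await TokenProvider.GetAccessTokenAsync("api://contoso-orders-api");
        using (var req = new HttpRequestMessage(HttpMethod.Get, "https://orders.contoso.example/orders"))
        {
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            using (var resp = await http.SendAsync(req))
            {
                resp.EnsureSuccessStatusCode();
                return await resp.Content.ReadAsStringAsync();
            }
        }
    }
}
```

Note that the provider is shared and long-lived: it caches tokens per resource, so creating one per request would only add latency and load on the local endpoint.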
Summary
• Using Managed Identity is seriously recommended if your app runs on Azure
• Access any service that supports Azure AD authentication in a secure way
• Free service that can remove all secrets from your code
• .NET apps should use the AppAuthentication library
• Local development requires some effort
Links
• https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
• https://github.com/juunas11/managedidentity-filesharing
• https://github.com/juunas11/Joonasw.ManagedIdentityDemos
@JoonasWestlin joonasw.net
