Keys are always needed to access services in Azure and beyond. Storing and managing keys presents many problems, for example rotating and disabling them. Keys often also allow blanket access to the service with no way to limit it. Sometimes there is only one key that needs to be shared by services, so you won't have any way to disable access from one individually. In this talk we will go through Managed Identities for Azure Resources, how they work, and how you can use them to use Azure services in a secure way without having to manage any keys yourself. We will go through a demo application which uses various Azure services through a managed identity, removing the need to use keys entirely. The source code will be available to the audience so they have samples that they can use to implement managed identities in their own applications.

1. Zero Credential Development
with Managed Identities for
Azure Resources
Joonas Westlin, Zure Ltd

2. Speaker Intro
• Joonas Westlin
• Developer / Architect @ Zure
• Global #1 on Stack Overflow for Azure
AD answers
@JoonasWestlin
joonasw.net

6. Hold on, Key Vault didn’t
help anything!

7. Keys need to be
managed
Keys need to be
rotated
Keys need to be
revoked
Key issues

8. How could we do this
better?

9. Managed Identities for Azure Resources
Managed by
Azure
Automatically
rotated
Easily revoked
Zero
Credentials

11. Oh yeah this service is free

12. System-assigned? User-assigned?
• System-assigned identities
tied to a resource like App
Service or a VM
• Deleted when the resource
is deleted
• User-assigned identities
can be assigned to multiple
resources
• A resource can have more
than one
• Independent lifecycle

13. Enabling System-assigned Identity

14. Enabling User-assigned Identity

15. Where can I use it?
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-
managed-identities
Virtual
Machines
VM Scale SetsFunctions
Data Factory API Management Blueprints Container
Registry Tasks
Logic Apps
Preview
Container
Instances
Preview
App Services

16. What can I access with it?
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-
managed-identities
Azure SQL
Database
Key Vault Data Lake Blob Storage Queue Storage
Event Hubs Analysis Services ARM API AAD & MS Graph
API
Any API supporting
AAD auth*
Service Bus

17. HTTP Request
App Service instance

18. It’s Demo Time!
https://westl.in/midemo

19. Advanced: Usage against custom APIs

20. Advanced: Usage against custom APIs

21. PowerShell to the rescue!

22. How about local
development?

24. https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication/
Managed
Identity
Visual Studio AZ CLI
Windows
Authentication

25. Supported methods
• Managed Identity
• Visual Studio
• AZ CLI
• Integrated Windows Authentication
• Client id + secret
• Client id + certificate (can be local or in Key Vault)
• Advanced options unlocked by using connection string
https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication

26. My suggestions
• Use Visual Studio / AZ CLI / IWA for cases where it works
• RunAs=Developer; DeveloperTool=VisualStudio
• RunAs=Developer; DeveloperTool=AzureCli
• Use client id + secret / certificate where it does not
• RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={Client
Secret}
• RunAs=App;AppId={AppId};TenantId={TenantId};CertificateThum
bprint={Thumbprint};CertificateStoreLocation={LocalMachine or
CurrentUser}

27. Summary
• Using Managed Identity is seriously recommended if
your app runs on Azure
• Access any service that supports Azure AD authentication
in a secure way
• Free service that can remove all secrets from your code
• .NET apps should use the AppAuthentication library
• Local development requires some effort

28. Links
• https://docs.microsoft.com/en-us/azure/active-
directory/managed-identities-azure-resources/overview
• https://github.com/juunas11/managedidentity-
filesharing
• https://github.com/juunas11/Joonasw.ManagedIdentityD
emos

29. @JoonasWestlin joonasw.net