Keys are needed to access most services in Azure and beyond. Storing and managing them presents many problems, for example rotating and disabling them. Keys also often grant blanket access to a service with no way to limit it, and sometimes there is only one key that must be shared by several services, so you have no way to disable access for one of them individually. In this talk we go through Managed Identities for Azure Resources: how they work and how you can use them to consume Azure services securely without managing any keys yourself. We walk through a demo application that uses several Azure services through a managed identity, removing the need for keys entirely. The source code will be available to the audience as samples they can use to implement managed identities in their own applications.
12. System-assigned? User-assigned?
• System-assigned identities are tied to a single resource such as an App Service or a VM
• Deleted when the resource is deleted
• User-assigned identities can be assigned to multiple resources
• A resource can have more than one user-assigned identity
• Independent lifecycle: the identity outlives the resources it is attached to
15. Where can I use it?
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
• Virtual Machines
• VM Scale Sets
• Functions
• Data Factory
• API Management
• Blueprints
• Container Registry Tasks
• Logic Apps (Preview)
• Container Instances (Preview)
• App Services
16. What can I access with it?
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
• Azure SQL Database
• Key Vault
• Data Lake
• Blob Storage
• Queue Storage
• Event Hubs
• Analysis Services
• ARM API
• AAD & MS Graph API
• Service Bus
• Any API supporting AAD auth*
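To make slides 12 and 16 concrete, here is the token request a managed identity performs on the caller's behalf, as an added example that is not code from the talk or its demo app. The endpoint and header details follow Azure's documented managed identity contract (IMDS at 169.254.169.254 on VMs and scale sets, the IDENTITY_ENDPOINT / IDENTITY_HEADER local endpoint on App Service and Functions); the `client_id` parameter is what selects a user-assigned identity instead of the system-assigned one, and the resource URIs map to services from slide 16. The sample reply is constructed so the flow runs offline; the transport and clock are injectable for the same reason.

```python
# Added example (not code from the talk): the token request behind a managed
# identity. Endpoint/header details follow Azure's documented contract; the
# sample response in __main__ is constructed for offline use.
import json
import os
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# VM / VM scale set: Instance Metadata Service, reachable only from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
# App Service / Functions: local endpoint published via IDENTITY_ENDPOINT/IDENTITY_HEADER.
APP_SERVICE_API_VERSION = "2019-08-01"

# Token audiences for some of the services on the "What can I access" slide.
RESOURCES = {
    "keyvault": "https://vault.azure.net",
    "storage": "https://storage.azure.com/",
    "sql": "https://database.windows.net/",
    "arm": "https://management.azure.com/",
}


@dataclass(frozen=True)
class TokenRequest:
    url: str
    headers: Dict[str, str]


def build_token_request(resource: str, client_id: Optional[str] = None,
                        env: Optional[Dict[str, str]] = None) -> TokenRequest:
    """Build the GET that fetches a token for `resource`.

    client_id selects a user-assigned identity; omit it for the system-assigned
    one. 'Metadata: true' is mandatory on IMDS so a request forged through an
    HTTP redirect (which cannot carry custom headers) is rejected.
    """
    env = dict(os.environ) if env is None else env
    params = {"resource": resource}
    if client_id:
        params["client_id"] = client_id
    if "IDENTITY_ENDPOINT" in env:
        params["api-version"] = APP_SERVICE_API_VERSION
        url = env["IDENTITY_ENDPOINT"] + "?" + urllib.parse.urlencode(params)
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    else:
        params["api-version"] = IMDS_API_VERSION
        url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
        headers = {"Metadata": "true"}
    return TokenRequest(url, headers)


def parse_token_response(body: str) -> Dict[str, object]:
    """Extract the bearer token and its expiry (epoch seconds) from the JSON reply."""
    data = json.loads(body)
    if "access_token" not in data or "expires_on" not in data:
        raise ValueError("managed identity endpoint returned no token: %s" % body)
    return {"access_token": data["access_token"],
            "expires_on": int(data["expires_on"]),
            "resource": data.get("resource", "")}


def http_get(req: TokenRequest) -> str:
    """Real transport; only works on an Azure resource that has an identity."""
    request = urllib.request.Request(req.url, headers=req.headers)
    with urllib.request.urlopen(request, timeout=5) as resp:
        return resp.read().decode("utf-8")


class TokenCache:
    """One cached token per (resource, client_id), refreshed before it expires."""

    def __init__(self, fetch: Callable[[TokenRequest], str] = http_get,
                 env: Optional[Dict[str, str]] = None,
                 refresh_margin: int = 300, clock: Callable[[], float] = time.time):
        self._fetch, self._env = fetch, env
        self._margin, self._clock = refresh_margin, clock
        self._tokens: Dict[tuple, Dict[str, object]] = {}

    def get_token(self, resource: str, client_id: Optional[str] = None) -> str:
        key = (resource, client_id)
        cached = self._tokens.get(key)
        if cached and cached["expires_on"] - self._clock() > self._margin:
            return cached["access_token"]
        req = build_token_request(resource, client_id, self._env)
        token = parse_token_response(self._fetch(req))
        self._tokens[key] = token
        return token["access_token"]


if __name__ == "__main__":
    # Constructed sample reply standing in for IMDS; on a real VM use TokenCache().
    sample = json.dumps({"access_token": "eyJ.sample", "token_type": "Bearer",
                         "expires_on": str(int(time.time()) + 3600),
                         "resource": RESOURCES["keyvault"]})
    print(build_token_request(RESOURCES["keyvault"], env={}))
    print(TokenCache(fetch=lambda req: sample, env={}).get_token(RESOURCES["keyvault"]))
```

Nothing in this flow is a secret the application owns: the only "credential" is the network position of the caller (IMDS is link-local) or the per-instance header value the platform injects, which is why revoking access is done by removing the identity or its role assignment rather than by rotating a key.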
25. Supported methods
• Managed Identity
• Visual Studio
• AZ CLI
• Integrated Windows Authentication
• Client id + secret
• Client id + certificate (can be local or in Key Vault)
• Advanced options unlocked by using connection string
https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication
26. My suggestions
• Use Visual Studio / AZ CLI / IWA for cases where it works
• RunAs=Developer; DeveloperTool=VisualStudio
• RunAs=Developer; DeveloperTool=AzureCli
• Use client id + secret / certificate where it does not
• RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}
• RunAs=App;AppId={AppId};TenantId={TenantId};CertificateThumbprint={Thumbprint};CertificateStoreLocation={LocalMachine or CurrentUser}
• Keep the connection string out of source control: the AppAuthentication library reads it from the AzureServicesAuthConnectionString environment variable, so a client secret never has to appear in code
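As an added example for the connection strings on slides 25 and 26 (not the AppAuthentication library's own parser), the following parses the `RunAs=...` format, decides which authentication mode a string selects, and refuses incomplete strings. The key names are the documented AppAuthentication ones; `RunAs=CurrentUser` (Integrated Windows Authentication) is included for completeness, and the `redact` helper and the `AzureServicesAuthConnectionString` lookup are this example's way of showing that the secret-bearing variant must live in the environment, not in code or logs.

```python
# Added example (not the AppAuthentication library's own parser): parse the
# RunAs connection strings from the slides and decide which auth mode applies.
import os
from typing import Dict, Optional, Tuple

ENV_VAR = "AzureServicesAuthConnectionString"  # where the library reads the string
SECRET_KEYS = {"appkey"}                        # values that must never be logged


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    settings: Dict[str, str] = {}
    for segment in cs.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError("malformed segment: %r" % segment)
        key, value = segment.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def select_auth_mode(settings: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Map a parsed string to (mode, credentials); raise if it is incomplete."""
    run_as = settings.get("runas", "").lower()
    if run_as == "developer":
        tool = settings.get("developertool", "").lower()
        if tool not in ("visualstudio", "azurecli"):
            raise ValueError("RunAs=Developer needs DeveloperTool=VisualStudio or AzureCli")
        return "developer", {"tool": tool}
    if run_as == "currentuser":
        return "iwa", {}
    if run_as == "app":
        missing = [k for k in ("appid", "tenantid") if k not in settings]
        if missing:
            raise ValueError("RunAs=App is missing %s" % ", ".join(missing))
        ident = {"app_id": settings["appid"], "tenant_id": settings["tenantid"]}
        if "appkey" in settings:
            return "client_secret", dict(ident, secret=settings["appkey"])
        if "certificatethumbprint" in settings:
            store = settings.get("certificatestorelocation", "").lower()
            if store not in ("localmachine", "currentuser"):
                raise ValueError("CertificateStoreLocation must be LocalMachine or CurrentUser")
            return "client_certificate", dict(ident, thumbprint=settings["certificatethumbprint"],
                                              store=store)
        raise ValueError("RunAs=App needs AppKey or CertificateThumbprint")
    raise ValueError("unsupported RunAs value: %r" % run_as)


def redact(settings: Dict[str, str]) -> Dict[str, str]:
    """Copy of the settings with secret values masked, safe to put in logs."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in settings.items()}


def resolve_auth(env: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, str]]:
    """No connection string in the environment means: use the Managed Identity."""
    env = dict(os.environ) if env is None else env
    cs = env.get(ENV_VAR)
    if not cs:
        return "managed_identity", {}
    return select_auth_mode(parse_connection_string(cs))


if __name__ == "__main__":
    for cs in ("RunAs=Developer; DeveloperTool=AzureCli",
               "RunAs=App;AppId=app;TenantId=tenant;AppKey=hunter2"):
        settings = parse_connection_string(cs)
        print(select_auth_mode(settings)[0], redact(settings))
```

The developer-tool variants carry no secret at all, which is why they are the first choice locally; the `RunAs=App` variants are the fallback, and whichever one you use should reach the process only through the environment variable so the same code runs unchanged with a managed identity in Azure.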
27. Summary
• Using Managed Identity is strongly recommended if your app runs on Azure
• Access any service that supports Azure AD authentication in a secure way
• Free service that can remove all secrets from your code
• .NET apps should use the AppAuthentication library
• Local development requires some effort