
Entra/Azure System-Assigned Managed Identity FAQ

01 Feb 2024 🔖 security tutorial
💬 EN


Below are a few frequently asked questions about Microsoft Entra / Azure System-Assigned Managed Identities.

Many thanks to colleagues who helped me a lot with editing the wording when I wrote a similar document for internal training.

What is a System-Assigned Managed Identity?

System-Assigned Managed Identity (“SMI”) is a type of Entra identity meant to represent a nonhuman actor.

More specifically, it is often the preferred way to represent an Azure resource.

Context

In a model of access control that separates authentication (“proving a nonhuman is who it says it is”) from authorization (“proving a given, authenticated nonhuman is permitted to do what it is trying to do”), a SMI helps solve the authentication half of the problem. 👥

If you are interested in matters of authorization (🔐) so that you can allow a SMI to do useful tasks, you might be interested in articles such as:

Vocab

  1. Microsoft Entra ID, or “Entra” for short, is the new name for what was known as “Azure Active Directory” or “AAD.”
  2. SMIs always come with an attached companion Entra identity called a Service Principal, to which authorization is actually granted in practice.
  3. Service Principals are sometimes known as “Enterprise Applications” in the Entra web portal.


Advantages

The following properties of SMIs help adhere to the security principle of least privilege:

  1. A SMI inherently cannot represent more than 1 Azure resource at a time.
  2. If an Azure resource is deleted, the corresponding SMI is automatically deleted with it.

Example

An Azure App Service may need to be able to read files from an Azure Storage Blob.

The Azure App Service could meet its authentication needs by being provisioned with a SMI attached to it.
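Added example, not code from the article: what the App Service in this scenario actually does at runtime once it has a SMI. The app holds no secret of its own; it asks the platform-provided identity endpoint (App Service injects the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables) for a token scoped to Azure Storage, then presents that token to the blob. The storage account, container and blob names are placeholders I chose, and the blob read succeeds only after the SMI's Service Principal has been granted a suitable role on the storage account.

```python
"""Read a blob from an App Service using its system-assigned managed identity.

No client secret lives in the app: the token comes from the local identity
endpoint that the platform exposes to the app. Account/container/blob names
below are assumed placeholder values, not taken from the article.
"""
import json
import os
import urllib.parse
import urllib.request

API_VERSION = "2019-08-01"                        # App Service identity endpoint version
STORAGE_RESOURCE = "https://storage.azure.com/"   # token audience for Azure Storage


def build_token_request(resource: str, endpoint: str = None, secret: str = None):
    """Return (url, headers) for a token request to the local identity endpoint.

    endpoint/secret default to IDENTITY_ENDPOINT / IDENTITY_HEADER, which App
    Service sets when a managed identity is enabled. The header value proves
    the caller is this app rather than another process on the same host.
    """
    endpoint = endpoint or os.environ["IDENTITY_ENDPOINT"]
    secret = secret or os.environ["IDENTITY_HEADER"]
    query = urllib.parse.urlencode({"resource": resource, "api-version": API_VERSION})
    return f"{endpoint}?{query}", {"X-IDENTITY-HEADER": secret}


def extract_access_token(body: str) -> str:
    """Pull the bearer token out of the JSON the identity endpoint returns."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    return data["access_token"]


def build_blob_request(account: str, container: str, blob: str, token: str):
    """Return (url, headers) for a Blob GET authorised with the SMI's token.

    Blob storage accepts bearer tokens only with x-ms-version 2017-11-09 or later.
    """
    url = f"https://{account}.blob.core.windows.net/{container}/{blob}"
    return url, {"Authorization": f"Bearer {token}", "x-ms-version": "2020-10-02"}


def _get(url: str, headers: dict) -> bytes:
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return resp.read()


if __name__ == "__main__":  # only meaningful inside an App Service that has a SMI
    tok_url, tok_hdrs = build_token_request(STORAGE_RESOURCE)
    token = extract_access_token(_get(tok_url, tok_hdrs).decode())
    blob_url, blob_hdrs = build_blob_request("exampleacct", "reports", "q1.csv", token)
    print(_get(blob_url, blob_hdrs).decode())
```

If the identity endpoint answers with an error rather than a token, the resource was never provisioned with a SMI; if the token arrives but the blob GET returns 403, the missing piece is the role assignment on the storage side.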

When do I need a System-Assigned Managed Identity?

During your workload’s runtime, any Azure resource that would like to initiate a behavior that requires special permissions is a candidate for being provisioned with a SMI.

  • Note that in the example above, the Azure App Service resource needed a SMI because it was initiating the access-restricted behavior.
  • However, the Storage Blob in the example above did not, because it was merely responding to the behavior. 👥
    • (Note: Configuring the Storage Blob as a permissible target for the behavior is a separate authorization challenge – most likely using an Azure RBAC Role Assignment. 🔐)

Colleagues helping you design your workload can help determine which components of your design may need SMIs.

Create a System-Assigned Managed Identity

Microsoft Learn does not contain a single document explaining how to create a SMI for every type of Azure resource, but the steps in their tutorial for Azure App Service resources are the same as the process for most other resource types.

Your company may provision Azure resources with SMIs by default.

  • If not, you may want to think about whether Azure resources in your workload need to be provisioned with a SMI ahead of time.
    • When in doubt, talk to colleagues helping you design your solution early and often about inter-resource access needs.
  • However, if you realize something was overlooked, SMIs can be added to an existing Azure resource later.