AZ-204 Developing Solutions for Microsoft Azure Exam

You can develop, but can you develop for the cloud? Harness your development skills and learn how to create robust solutions for Microsoft Azure, aiming for your Microsoft Certified: Azure Developer Associate certification!

Implement Managed Identities for Azure resources

Configure Managed Identities for Azure Resources

Managed identities provide an automatically managed identity in Microsoft Entra ID, allowing Azure services to authenticate without storing credentials in code. With no secrets to rotate or manage, Azure handles the identity lifecycle and key management behind the scenes. This approach reduces the risk of leaked passwords and simplifies security for developers. By using managed identities, teams can focus on building features instead of handling credential storage and rotation.

There are two main types of managed identities, each suited for different scenarios.

  • System-assigned managed identity: Tied directly to one Azure resource and deleted with that resource.
  • User-assigned managed identity: Created as a standalone resource that can be shared across multiple services.

You can even enable both types on a single service to address complex scenarios or transition between identity models.

Enabling managed identities is straightforward across various tools. In the Azure portal, navigate to your resource’s Identity blade, switch the Status to On, and click Save. Using the Azure CLI, you can run commands like az webapp identity assign for App Services or az vm identity assign for virtual machines. In ARM templates, include an "identity" property with "type": "SystemAssigned", "UserAssigned", or both.

Once identities are active, you grant them permissions via Azure role-based access control (RBAC) or service-specific policies. Common role assignments include:

  • Key Vault Secrets User for accessing secrets.
  • Storage Blob Data Contributor for blob storage operations.
  • SQL DB Contributor for database tasks.

In the portal, open Access control (IAM), choose Add role assignment, select Managed identity, and pick your identity. Alternatively, use az role assignment create --assignee <clientId> --role <role> --scope <resourceId> to automate this step.

Using managed identities in application code is seamless with Azure SDKs and the instance metadata service. In .NET, you can instantiate DefaultAzureCredential and set ManagedIdentityClientId for user-assigned identities. Java and Node.js use DefaultAzureCredentialBuilder().managedIdentityClientId(...). In Python, pass managed_identity_client_id to DefaultAzureCredential. At runtime, the SDK fetches tokens from the metadata endpoint, handling token caching and renewal automatically.

Conclusion

In this section, you learned how managed identities remove the need for hard-coded credentials by providing Azure AD–managed identities for resources. You explored the differences between system-assigned and user-assigned identities and how they can be enabled via the portal, CLI, or ARM templates. You also saw how to grant roles with RBAC or service policies and how to integrate these identities into application code using Azure SDKs. Together, these concepts help keep credentials secure and simplify access management in your Azure solutions.