AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!


Manage managed identities

Configure and Verify Managed Identities

Managed identities in Azure provide a way for services to authenticate to other resources without the need for hard-coded credentials. They are special accounts in Microsoft Entra ID that Azure manages automatically. By using these identities, applications and services can request tokens to access Azure resources securely. This approach reduces the risk of credential exposure and simplifies security management. Overall, managed identities help maintain a strong security posture with minimal manual effort.

There are two main types of managed identities: system-assigned and user-assigned.

  • System-assigned identities are tied directly to a single Azure resource. When the resource is deleted, the identity is automatically removed, preventing orphaned accounts.
  • User-assigned identities exist independently and can be linked to multiple resources. These identities persist beyond the lifecycle of any one resource, offering more flexibility for shared scenarios.

To configure a managed identity, you enable it on compute or PaaS resources through the Azure portal, CLI, or PowerShell. Once enabled, Azure creates a service principal in Microsoft Entra ID. You can then verify that the identity is active by checking the Enterprise applications blade or running specific CLI commands. It’s important to confirm that the identity appears as expected before assigning any permissions.

After enabling a managed identity, you use Azure Role-Based Access Control (RBAC) to grant it the precise permissions it needs. Assigning the least-privilege roles ensures that the identity can perform its required tasks and nothing more. You select a scope—such as a resource group or subscription—and assign a role like Reader or Contributor based on the workload demands. This practice helps prevent over-permissioning and improves overall security.

Once roles are assigned, you should inspect the resulting service principal objects in Microsoft Entra ID. This step confirms that the identity has the correct role assignments. Finally, audit all access through Azure Activity Logs and Sign-in Logs. Reviewing these logs allows you to track when tokens are requested and which resources are accessed, providing an extra layer of monitoring and ensuring accountability.
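The whole procedure above (enable, verify the service principal, assign a least-privilege role, inspect the assignments, audit usage) as one Az PowerShell script. This is an added example, not code from the course page or from Microsoft; the resource group name "rg-demo", the VM name "vm-app01" and the Log Analytics workspace ID are assumptions, and the script assumes you have already run Connect-AzAccount with rights to manage the VM and role assignments. Azure CLI would work equally well; PowerShell is used here because the page names it.

```powershell
# Added example (not from the course page): enable, verify, authorize and audit a
# system-assigned managed identity on an existing VM using the Az PowerShell module.
# Assumed names: resource group 'rg-demo', VM 'vm-app01', workspace id $workspaceId.
# Requires Az.Compute, Az.Resources, Az.Monitor and Az.OperationalInsights, and a
# prior Connect-AzAccount.

$rg     = 'rg-demo'    # assumption
$vmName = 'vm-app01'   # assumption

# 1. Enable a system-assigned identity on the VM. (If the VM already carries a
#    user-assigned identity, use -IdentityType SystemAssignedUserAssigned instead,
#    otherwise the user-assigned identity is detached.)
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# 2. Verify: re-read the VM and confirm Azure created the identity. PrincipalId is the
#    object id of the service principal that now exists in Microsoft Entra ID.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if ($vm.Identity.Type -notmatch 'SystemAssigned' -or -not $vm.Identity.PrincipalId) {
    throw "Managed identity was not enabled on $vmName"
}
$principalId = $vm.Identity.PrincipalId

# Directory replication can lag a few seconds. Do not assign roles until the service
# principal is visible, or New-AzRoleAssignment fails with a 'principal not found' error.
$sp = $null
for ($i = 0; $i -lt 12 -and -not $sp; $i++) {
    $sp = Get-AzADServicePrincipal -ObjectId $principalId -ErrorAction SilentlyContinue
    if (-not $sp) { Start-Sleep -Seconds 5 }
}
if (-not $sp) { throw "Service principal $principalId is not yet visible in Entra ID" }
"Identity verified: $($sp.DisplayName) ($principalId)"

# 3. Least privilege: grant Reader only, scoped to the resource group rather than the
#    subscription. Skip the call if the assignment already exists (re-runnable script).
$scope = (Get-AzResourceGroup -Name $rg).ResourceId
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope `
                -RoleDefinitionName 'Reader' -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
}

# 4. Inspect: list every role the identity holds and flag anything broader than intended,
#    either a privileged role or any assignment at subscription scope.
$subscriptionScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$assignments = Get-AzRoleAssignment -ObjectId $principalId
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
$tooBroad = $assignments | Where-Object {
    $_.RoleDefinitionName -in @('Owner', 'Contributor', 'User Access Administrator') -or
    $_.Scope -eq $subscriptionScope
}
if ($tooBroad) { Write-Warning "Over-privileged assignments found:`n$($tooBroad | Out-String)" }

# 5. Audit. Activity Log: control-plane operations where this identity was the caller.
#    The Caller field may carry either the object id or the app id, so match both.
$since = (Get-Date).AddDays(-1)
Get-AzActivityLog -StartTime $since -EndTime (Get-Date) |
    Where-Object { $_.Caller -in @($principalId, $sp.AppId) } |
    Select-Object EventTimestamp, OperationName, ResourceId, Status | Format-Table -AutoSize

#    Sign-in logs: token requests by the identity, read from a Log Analytics workspace
#    that receives the Entra ID 'ManagedIdentitySignInLogs' diagnostic category.
#    The workspace id is a placeholder; column names follow that table's schema.
$workspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with yours
$kql = @"
AADManagedIdentitySignInLogs
| where TimeGenerated > ago(1d) and ServicePrincipalId == '$principalId'
| project TimeGenerated, ResourceDisplayName, ResultType, IPAddress
| order by TimeGenerated desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results |
    Format-Table -AutoSize
```

The wait loop in step 2 is the practical form of the page's advice to confirm the identity exists before assigning permissions: a role assignment issued before the service principal has replicated fails, and a script that ignores the error leaves the identity enabled but unauthorized. Step 4 is the check you would keep in a periodic review, since a Reader assignment made today can quietly be widened to Contributor tomorrow.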

Conclusion

In this section, you learned how managed identities simplify secure authentication by removing hard-coded credentials. You explored both system-assigned and user-assigned identities, noting their lifecycle and flexibility differences. You also saw how to enable identities on Azure resources and inspect the automatically created service principals.

Finally, you learned to apply Azure RBAC for least-privilege access and to monitor identity usage through Activity and Sign-in Logs. Together, these practices ensure that your applications and services authenticate and authorize securely, while keeping your Azure environment under tight control.