Secure access with managed identities
1. Secure access with managed identities
Welcome to this video on Managed Identities for Azure Resources. Today, we'll see how Azure helps your apps connect to services securely without the hassle of managing secrets yourself.

2. The problem with secrets
Have you ever hardcoded a secret or password to connect your app to an Azure service? It's risky and hard to rotate or protect.

3. Managed identity
That's why Azure provides Managed Identity. Azure creates a trusted identity in Microsoft Entra ID for your resource, like a virtual machine or web app. This identity lets the resource securely access other services, such as Storage, without storing secrets.

4. How it works
A managed identity is a special type of service principal, fully managed by Azure. Azure automatically creates and rotates its credentials, and deletes them when they are no longer needed.

5. Example: PeopleSphere HR app
For example, in PeopleSphere's HR app, the payroll module accesses Key Vault through a managed identity without storing secrets or writing extra code.

6. System-assigned managed identity
There are two types of managed identities. First up, System Assigned. Here's how it works. First, enable it on an Azure resource like a Virtual Machine. Azure then automatically creates an identity in Microsoft Entra ID, with no secrets or manual setup needed. Next, this identity is tightly tied to the resource: if the VM is deleted, the identity is deleted too, and it cannot be reused across other services. Finally, to let this resource talk to something like Key Vault or Storage, you assign permissions through Azure RBAC. It's ideal for workloads confined to one resource.

7. User-assigned managed identity
Now let's check out the second type, User Assigned Managed Identity. Unlike system-assigned, this identity is created separately, as its own Azure resource. It works best when multiple resources share one identity. For example, in a microservices app, several services running in separate App Services may all need the same read access to a central Azure Storage account. It's reusable: the identity isn't tied to any single resource, so if you delete the resource, the identity still exists and can be used elsewhere. And just like system-assigned, you grant access using Azure RBAC to services like Key Vault or Storage. It's a great fit when multiple resources share the same identity.

8. System vs. user-assigned: key differences
We've now seen both types of managed identities. Let's compare them. System-assigned identities are created with the resource and deleted with it. They're ideal for single-resource scenarios and aren't reusable. User-assigned identities, on the other hand, are created separately. They can be attached to multiple resources and persist even if a resource is deleted. Both use Azure RBAC for access, but user-assigned offers more flexibility.

9. What services support managed identities?
You can use Managed Identities with any Azure service that supports Entra ID authentication. This includes popular services like Virtual Machines, App Services, Functions, Key Vault, Azure Storage, and more. The idea is the same across all services. For the full list, check the official Microsoft documentation linked on the slide.

10. Let's practice!
You've got the knowledge, now let's dive into some hands-on practice.