This article provides PowerShell and CLI script examples for sign-in using managed identities for Azure resources service principal, and guidance on important topics such as error handling.
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
If you plan to use the Azure PowerShell or Azure CLI examples in this article, be sure to install the latest version of Azure PowerShell or Azure CLI.
Important
Managed identities for Azure resources provide a service principal object, which is created upon enabling managed identities for Azure resources on the VM. The service principal can be given access to Azure resources, and used as an identity by script/command-line clients for sign-in and resource access. Traditionally, in order to access secured resources under its own identity, a script client would need to:
With managed identities for Azure resources, your script client no longer needs to do either, as it can sign in under the managed identities for Azure resources service principal.
The following script demonstrates how to:
Sign in to Microsoft Entra ID under the VM's managed identity for Azure resources service principal
Call Azure Resource Manager and get the VM's service principal ID. CLI takes care of managing token acquisition/use for you automatically. Be sure to substitute your virtual machine name for <VM-NAME>.
az login --identity
$spID=$(az resource list -n <VM-NAME> --query "[*].identity.principalId" --out tsv)
echo "The managed identity for Azure resources service principal ID is $spID"
The following script demonstrates how to:
Sign in to Microsoft Entra ID under the VM's managed identity for Azure resources service principal
Call an Azure Resource Manager cmdlet to get information about the VM. PowerShell takes care of managing token use for you automatically.
Add-AzAccount -identity
# Call Azure Resource Manager to get the service principal ID for the VM's managed identity for Azure resources.
$vmInfoPs = Get-AzVM -ResourceGroupName <RESOURCE-GROUP> -Name <VM-NAME>
$spID = $vmInfoPs.Identity.PrincipalId
echo "The managed identity for Azure resources service principal ID is $spID"
See Azure services that support Microsoft Entra authentication for a list of resources that support Microsoft Entra ID and have been tested with managed identities for Azure resources, and their respective resource IDs.
Responses such as the following may indicate that the VM's managed identity for Azure resources has not been correctly configured:
http://localhost:50342/oauth2/token
with an error of 'HTTPConnectionPool(host='localhost', port=50342)
If you receive one of these errors, return to the Azure VM in the Azure portal, go to the Identity page, and ensure System assigned is set to "Yes."
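The CLI sign-in and the error handling above can be combined so that a script stops instead of continuing without an identity. This is an added example, not code from the original article; the function name `get_vm_principal_id` and its return codes are assumptions, and it goes beyond the article by also rejecting an empty or ambiguous result from `az resource list`.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). The function name and the
# return codes are hypothetical; only `az login --identity` and
# `az resource list` come from the article's CLI script.

get_vm_principal_id() {
  local vm_name="$1" ids line count=0 principal=""
  if [ -z "$vm_name" ]; then
    echo "usage: get_vm_principal_id <vm-name>" >&2
    return 2
  fi

  # Sign in as the VM's managed identity. Output is discarded so that
  # subscription details do not end up in job logs.
  if ! az login --identity >/dev/null; then
    echo "Sign-in failed: on the VM's Identity page, check that System assigned is set to Yes." >&2
    return 1
  fi

  # Quote the JMESPath query so the shell does not treat [*] as a glob.
  if ! ids=$(az resource list -n "$vm_name" --query "[*].identity.principalId" --out tsv); then
    echo "Azure Resource Manager query failed for '$vm_name'." >&2
    return 1
  fi

  # Count non-empty result lines: zero means no identity, several means the
  # name matched more than one resource.
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    count=$((count + 1))
    principal="$line"
  done <<EOF
$ids
EOF

  if [ "$count" -eq 0 ]; then
    echo "No managed identity principal ID found for '$vm_name'." >&2
    return 3
  elif [ "$count" -gt 1 ]; then
    echo "'$vm_name' matched $count identities; refusing to pick one." >&2
    return 4
  fi
  printf '%s\n' "$principal"
}

# Run only when a VM name is passed on the command line.
if [ -n "${1:-}" ]; then get_vm_principal_id "$1"; fi
```
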