Use managed identities for applications in Azure Spring Apps
Note
The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.
The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.
This article applies to: ✔️ Basic/Standard ✔️ Enterprise
This article shows you how to use system-assigned and user-assigned managed identities for applications in Azure Spring Apps.
Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.
Feature status
| System-assigned | User-assigned |
|---|---|
| GA | GA |
Manage managed identity for an application
For system-assigned managed identities, see How to enable and disable system-assigned managed identity.
For user-assigned managed identities, see How to assign and remove user-assigned managed identities.
Obtain tokens for Azure resources
An application can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.
You can configure the target resource to enable access from your application. For more information, see Assign a managed identity access to an Azure resource or another resource. For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see Azure services that support Microsoft Entra authentication.
Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, as well as guidance on important topics like handling token expiration and HTTP errors, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.
Examples of connecting Azure services in application code
The following table provides links to articles that contain examples:
Best practices when using managed identities
We highly recommend that you use system-assigned and user-assigned managed identities separately unless you have a valid use case. If you use both kinds of managed identity together, failure might happen if an application is using system-assigned managed identity and the application gets the token without specifying the client ID of that identity. This scenario might work fine until one or more user-assigned managed identities are assigned to that application, then the application might fail to get the correct token.
Limitations
Maximum number of user-assigned managed identities per application
For the maximum number of user-assigned managed identities per application, see Quotas and Service Plans for Azure Spring Apps.
Concept mapping
The following table shows the mappings between concepts in Managed Identity scope and Microsoft Entra scope:
| Managed Identity scope | Microsoft Entra scope |
|---|---|
| Principal ID | Object ID |
| Client ID | Application ID |