Use one user-assigned managed identity for all subscriptions vs. use one user-assigned managed identity for each subscription

Siqing Zheng 110 Reputation points
2024-06-15T03:02:13.06+00:00

Hi,
In a CMEK scenario, according to this article: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal, plus DiskEncryptionSet usage on AKS.

1. Can I use one user-assigned managed identity for all subscriptions and across all regions?

2. What are the pros and cons of using one managed identity for all, vs. creating and using a user-assigned managed identity for each subscription?


Accepted answer
  1. Shweta Mathur 29,016 Reputation points Microsoft Employee
    2024-06-17T06:40:46.35+00:00

    Hi Siqing Zheng,

    Adding to @akinbade abiola

    The main advantage of using a single managed identity for all subscriptions is that it simplifies management and reduces the number of identities that need to be created and managed. This can be especially useful if you have a large number of subscriptions or if you frequently create and delete subscriptions.

    On the other hand, using a user-assigned managed identity for each subscription provides more granular control over access and can help to limit the blast radius in case of a security breach. Additionally, using separate identities can make it easier to track which identity is being used by which subscription.

    Ultimately, the decision of whether to use a single managed identity or multiple user-assigned managed identities will depend on your specific requirements and security needs.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

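Both answers above describe the single-identity model in prose; the script below is an added example (not from the question or either answer) that shows what it looks like in practice: one user-assigned managed identity created in a "platform" subscription, granted only the Key Vault crypto role on one vault, and then referenced by its resource ID from a storage account, a DiskEncryptionSet and an AKS cluster in a second subscription and a different region. Subscription IDs, resource names, locations and the key name are placeholders I chose; both subscriptions must be in the same Microsoft Entra tenant, and the identity-related flags should be checked against `az <command> --help` for the CLI version you run.

```azurecli
# Added example: one shared UAMI for customer-managed keys across two subscriptions.
# All IDs and names below are placeholders, not values from the thread.

PLATFORM_SUB="00000000-0000-0000-0000-000000000001"   # holds the UAMI and the key vault
WORKLOAD_SUB="00000000-0000-0000-0000-000000000002"   # holds storage, DES and AKS (same tenant)
LOCATION_KV="eastus"
LOCATION_WL="westeurope"                              # a different region from the vault/UAMI
KV_NAME="kv-cmk-platform"
KEY_NAME="cmk-key"
UAMI_NAME="id-cmk-shared"

# 1. Platform subscription: identity, RBAC-mode key vault with purge protection, key.
az account set --subscription "$PLATFORM_SUB"
az group create -n rg-platform -l "$LOCATION_KV" -o none
az identity create -g rg-platform -n "$UAMI_NAME" -l "$LOCATION_KV" -o none
UAMI_ID=$(az identity show -g rg-platform -n "$UAMI_NAME" --query id -o tsv)
UAMI_PRINCIPAL=$(az identity show -g rg-platform -n "$UAMI_NAME" --query principalId -o tsv)

az keyvault create -g rg-platform -n "$KV_NAME" -l "$LOCATION_KV" \
  --enable-rbac-authorization true --enable-purge-protection true -o none
KV_ID=$(az keyvault show -n "$KV_NAME" --query id -o tsv)
KV_URI=$(az keyvault show -n "$KV_NAME" --query properties.vaultUri -o tsv)
az keyvault key create --vault-name "$KV_NAME" -n "$KEY_NAME" --kty RSA --size 3072 -o none
KEY_URL=$(az keyvault key show --vault-name "$KV_NAME" -n "$KEY_NAME" --query key.kid -o tsv)

# The only permission the shared identity gets: get/wrap/unwrap on this one vault.
# Keep the scope at the vault (or key), never the subscription or resource group.
az role assignment create --assignee-object-id "$UAMI_PRINCIPAL" \
  --assignee-principal-type ServicePrincipal \
  --role "Key Vault Crypto Service Encryption User" --scope "$KV_ID" -o none

# 2. Workload subscription: attach the SAME identity by resource ID. No new identity,
#    no new role assignment on the vault.
az account set --subscription "$WORKLOAD_SUB"
az group create -n rg-workload -l "$LOCATION_WL" -o none

# Storage account with CMK. No --encryption-key-version, so the account tracks the
# latest key version automatically.
az storage account create -g rg-workload -n stcmkworkload01 -l "$LOCATION_WL" \
  --sku Standard_LRS --kind StorageV2 \
  --identity-type UserAssigned --user-identity-id "$UAMI_ID" \
  --encryption-key-source Microsoft.Keyvault \
  --encryption-key-vault "$KV_URI" --encryption-key-name "$KEY_NAME" \
  --key-vault-user-identity-id "$UAMI_ID" -o none

# DiskEncryptionSet for AKS node disks, using the shared UAMI instead of a
# system-assigned identity (so there is nothing extra to grant on the vault).
az disk-encryption-set create -g rg-workload -n des-aks-workload -l "$LOCATION_WL" \
  --source-vault "$KV_ID" --key-url "$KEY_URL" \
  --mi-user-assigned "$UAMI_ID" -o none
DES_ID=$(az disk-encryption-set show -g rg-workload -n des-aks-workload --query id -o tsv)

# AKS cluster whose node OS disks are encrypted through that DES.
az aks create -g rg-workload -n aks-cmk-workload -l "$LOCATION_WL" \
  --node-count 1 --node-osdisk-diskencryptionset-id "$DES_ID" -o none

# 3. Verify: Key Vault sees one caller, the UAMI, whichever subscription made the request.
az storage account show -g rg-workload -n stcmkworkload01 \
  --query "encryption.encryptionIdentity.encryptionUserAssignedIdentity" -o tsv
```

The script makes the trade-off in the accepted answer concrete. The single vault-scoped role assignment is the whole permission surface of the identity, so its blast radius is bounded by what the key protects rather than by how many subscriptions use it. The cost is on the other side: anyone holding Managed Identity Operator on `id-cmk-shared` can attach it to a resource in any subscription of the tenant, and Key Vault diagnostics will show only the identity's principal ID, not which subscription or workload triggered the unwrap. If you need per-subscription attribution or the ability to revoke one subscription without touching the others, repeat step 1's identity and role assignment per subscription and keep the vault and key shared.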

1 additional answer

  1. akinbade abiola 6,420 Reputation points
    2024-06-15T06:04:03.2333333+00:00

    Hello Siqing Zheng,

    Thanks for your question.

    User-assigned managed identities are created as standalone Azure resources and can be used by multiple Azure resources and subscriptions (as long as they are in the same tenant). So yes they can.

    For the pros and cons, I will recommend you take a look at the best practices below:

    Managed identity best practice recommendations

Please let me know if you have further questions.

    You can mark it 'Accept Answer' if this helped you
