![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 27%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGK%3C/text%3E%3C/svg%3E)
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 97%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 6%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello Gowtham K
Thank you for posting your query on Microsoft Q&A portal.
User-assigned managed identities (UAMI) are not supported on Azure Arc‑enabled servers today. Only system‑assigned managed identity (SAMI) is supported for Azure Arc–enabled machines.
This limitation is real, even though it is not clearly stated in the public documentation. Internal sources confirm this.
1. Azure Arc documentation explicitly states that only system-assigned MI is supported
In Identity and access management with Azure Arc-enabled servers, the Microsoft documentation says:
“Arc-enabled servers require a system-assigned managed identity.” [Identity a...soft Learn | Learn.Microsoft.com]
No mention of user-assigned MI support.
2. SQL Server enabled by Azure Arc also clarifies the same
“Only system-assigned managed identities are supported.” [Managed id...soft Learn | Learn.Microsoft.com]
3. Internal Microsoft incident confirms UAMI is not supported
In an Azure Arc / Geneva monitoring Sev‑3 incident:
“User Assigned Managed Identity is not applicable for Azure Arc servers,” and the team had to migrate to resource-type–based ACLs instead. [RE: [PROD]...d Identity | Outlook]
These internal notes reaffirm the product limitation.
Why UAMI Doesn’t Work on Arc Machines
Azure Arc uses the Hybrid Instance Metadata Service (HIMDS) to issue tokens. HIMDS currently supports only the system-assigned identity created when the Arc agent is onboarded.
Unlike Azure VMs, Arc-enabled machines cannot attach UAMIs in the resource identity blade, because:
✔ There is no identity blade ✔ There is no mechanism to inject multiple identities into HIMDS ✔ HIMDS has no current support for selecting a specific UAMI
Current Workarounds / Alternatives
Although UAMI is not supported, there are practical alternatives depending on your scenario.
1. Use System-Assigned MI + RBAC Scoping (recommended)
You can scope the SAMI of the Arc machine to exactly the same RBAC permissions you intended to use with a UAMI:
- Assign roles at resource, resource group, or subscription level.
- Use this as a least‑privilege identity.
This is the only supported method for Arc machines today.
2. For Geneva Monitoring / custom agents – use Resource-Type ACLs
This was the workaround used internally:
“Since UAMI is not applicable for Arc servers, we had to use resource-type-based ACLs (providers/Microsoft.HybridCompute/machines).” This works for Geneva monitoring and other custom workloads where the token verifier supports resource-type identities.
3. Use Service Principal (App Registration) where technically allowed
Not ideal, but sometimes acceptable for:
- Legacy automation
- Agents that cannot use SAMI
Azure Arc's HIMDS supports token issuance only for SAMI, so apps requiring UAMI must authenticate using a service principal until support is added.
Hope this helps you get closer to a solution! Let me know if you have any further questions!
