Unable to access KeyVault using User Managed Identity

Question

Unable to access KeyVault using User Managed Identity

Nicke Manarin 20

I created a Key Vault and added a secret to it.
User's image

Then I created a Managed Identity and added the Key Vault Secrets User role, assigning to the base subscription the same way I did for my CDN managed identity which is working as expected.
User's image

Not sure if necessary, but I added the identity in the api > Identity as well:

User's image

Then I try using the credential to get the secret:

TokenCredential credential;
          
if (!string.IsNullOrWhiteSpace(settings!.ManagedIdentityId))
  credential = new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedClientId(settings.ManagedIdentityId));
else
  credential = new DefaultAzureCredential(); //In debug, it works normally because I use my VS login.
        
//Connect to Key Vault.
var secretClient = new SecretClient(new Uri(settings.KeyVaultUrl), credential);

KeyVaultSecret privateSecret = secretClient.GetSecret("my-private-key");

After running and trying to access any endpoint, I get this exception:

Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Error Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId. Managed Identity Correlation ID: 4422b072-8eff-4006-8562-ea6c9be2bf70 Use this Correlation ID for further investigation.
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---&gt; MSAL.NetCore.4.78.0.0.MsalServiceException:
	ErrorCode: managed_identity_request_failed
Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Error Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId. Managed Identity Correlation ID: 4422b072-8eff-4006-8562-ea6c9be2bf70 Use this Correlation ID for further investigation.
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.&lt;&gt;c__DisplayClass11_1.&lt;&lt;RunAsync&gt;b__1&gt;d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentity(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)

I dont know what's happening.
Trying to access manually the URL of the key vault gives me a 404.
Trying to use the Kudu CLI to run this call fails: "curl -v -H "Metadata:true" "http://<IPREDACTED>/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https://vault.azure.net""

Note: IP Redacted at support side.

Manas Mohanty 16,190 Reputation points Microsoft External Staff Moderator

2026-03-08T07:39:29.66+00:00
Hi Nicke Manarin

Listing few Possible reasonsThe identity is NOT attached to the compute where your code runs1. Assigning Key Vault Secrets User on the subscription only grants permissions if the identity is used. It does not attach the identity to your App Service / Function / Container App / VM.

You must add the UAMI under the hosting resource’s Identity → User assigned → Add.

Please assign the managed identity on Key vault resource level.

Please modify Access control list too to isolate the issue.

Please cross check by a fetching a token and reviewing client code as TP suggested.

Attached relevant troubleshooting guide for reference

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#add-a-user-assigned-identity

https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#authenticate-with-defaultazurecredential (For official code)

https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices

Thank you.

Nicke Manarin 20

Hi Manas Mohanty, the user idendity is attached to the AppService > Identity > User Assigned (check the third screenshot).

I ran a script in Kudu PowerShell and I was able to grab the Key Vault secret using the managed identity:

$wc = New-Object System.Net.WebClient
$header = $env:IDENTITY_HEADER
$wc.Headers.Add("x-identity-header", $header)
$uri 
http://127.0.0.1:41433/msi/token/?api-version=2019-08-01&resource=https://vault.azure.net&client_id=67f10a50-...
$rawJson = $wc.DownloadString($uri)
$token = (ConvertFrom-Json $rawJson).access_token

$wc.Headers.Clear()
$wc.Headers.Add("Authorization", "Bearer $token")
$vault = "my-vault"
$secret = "my-private-key"
$wc.DownloadString("https://$vault.vault.azure.net/secrets/${secret}?api-version=7.3")

result: '{ value: '...' }' //Secret here

I don't know what you mean by "Modifying Access control list", but I added the manage identity with the "Key Vault Secrets User" role directly to the Key Vault resource as well:

User's image

You can see that the managed identity is associated with my AppService:

User's image

1 answer

Your answer

Manas Mohanty 16,190 Reputation points Microsoft External Staff Moderator

2026-03-08T07:39:29.66+00:00

Hi Nicke Manarin

Listing few Possible reasonsThe identity is NOT attached to the compute where your code runs1. Assigning Key Vault Secrets User on the subscription only grants permissions if the identity is used. It does not attach the identity to your App Service / Function / Container App / VM.

You must add the UAMI under the hosting resource’s Identity → User assigned → Add.

Please assign the managed identity on Key vault resource level.

Please modify Access control list too to isolate the issue.

Please cross check by a fetching a token and reviewing client code as TP suggested.

Attached relevant troubleshooting guide for reference

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#add-a-user-assigned-identity

https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#authenticate-with-defaultazurecredential (For official code)

https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices

Thank you.
Nicke Manarin 20 Reputation points

2026-03-08T15:30:09.11+00:00

Hi Manas Mohanty, the user idendity is attached to the AppService > Identity > User Assigned (check the third screenshot).

I ran a script in Kudu PowerShell and I was able to grab the Key Vault secret using the managed identity:

$wc = New-Object System.Net.WebClient $header = $env:IDENTITY_HEADER $wc.Headers.Add("x-identity-header", $header) $uri http://127.0.0.1:41433/msi/token/?api-version=2019-08-01&resource=https://vault.azure.net&client_id=67f10a50-... $rawJson = $wc.DownloadString($uri) $token = (ConvertFrom-Json $rawJson).access_token $wc.Headers.Clear() $wc.Headers.Add("Authorization", "Bearer $token") $vault = "my-vault" $secret = "my-private-key" $wc.DownloadString("https://$vault.vault.azure.net/secrets/${secret}?api-version=7.3") result: '{ value: '...' }' //Secret here

I don't know what you mean by "Modifying Access control list", but I added the manage identity with the "Key Vault Secrets User" role directly to the Key Vault resource as well:

You can see that the managed identity is associated with my AppService:

Answer 1

TP 155.5K Volunteer Moderator

Hi Nicke,

To help troubleshoot, please see if you can retrieve token for your user assigned managed identity manually via Kudu console, using command similar to below:

Windows

curl -H "x-identity-header: %IDENTITY_HEADER%" "%IDENTITY_ENDPOINT%?api-version=2019-08-01&resource=https://vault.azure.net&client_id=xxxxxxxx-xxxx-4xxx-xxxx-xxxxxxxxxxxx"

Linux

curl -H "x-identity-header: $IDENTITY_HEADER" "$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://vault.azure.net&client_id=xxxxxxxx-xxxx-4xxx-xxxx-xxxxxxxxxxxx"

If above is successful then you can take a closer look at your code. If above fails, please test again only this time see if you can retrieve token for system assigned managed identity.

Please reply back with your results, whether positive or negative.

Thanks.

-TP

Nicke Manarin 20 Reputation points

2026-03-08T14:11:34.59+00:00

I ran the command (replacing the client_id with the one from the managed identity) and it returned this:
TP 155.5K Reputation points Volunteer Moderator

2026-03-08T15:23:41.7866667+00:00

Below that should be JSON with access_token in green text, did you get that? Similar to below, except for the token wouldn't be redacted:

Nicke Manarin 20

Nothing else appeared after that result, just the "c:\home >" expecting a new command.
But I was able to grab the token and use it to grab the secret using this set of commands:

(Same as posted to an answer to Manas'):

$wc = New-Object System.Net.WebClient
$header = $env:IDENTITY_HEADER
$wc.Headers.Add("x-identity-header", $header)
$uri 
http://127.0.0.1:41433/msi/token/?api-version=2019-08-01&resource=https://vault.azure.net&client_id=67f10a50-...
$rawJson = $wc.DownloadString($uri)
$token = (ConvertFrom-Json $rawJson).access_token

$wc.Headers.Clear()
$wc.Headers.Add("Authorization", "Bearer $token")
$vault = "my-vault"
$secret = "my-private-key"
$wc.DownloadString("https://$vault.vault.azure.net/secrets/${secret}?api-version=7.3")

result: '{ value: '...' }' //Secret here

But my code on the AppService still fails:

//ManagedIdentityId is "67f10a50-..." while running on Azure.
if (!string.IsNullOrWhiteSpace(settings!.ManagedIdentityId))   
  credential = new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedClientId(settings.ManagedIdentityId));  else             
  credential = new DefaultAzureCredential();          

//Connect to Key Vault.
var secretClient = new SecretClient(new Uri(settings.KeyVaultUrl), credential);

KeyVaultSecret privateSecret = secretClient.GetSecret("my-private-key");

ManagedIdentityCredential authentication failed: [Managed Identity] Error Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId. Managed Identity Correlation ID: 5c0cb9d0-abeb-46a6-88f0-12a23b8e831e Use this Correlation ID for further investigation.

I added the role Key Vault Reader, but same result.

User's image

TP 155.5K Reputation points Volunteer Moderator

2026-03-08T16:09:37.4533333+00:00

Okay. The error you are getting doesn't relate to permissions on the vault. It is failing at the point it tries to retrieve the token from IMDS. For example, if the client_id GUID you are supplying is incorrect, it would give you that error.

Can you verify your code is retrieving correct client_id from the environment?
Nicke Manarin 20 Reputation points

2026-03-08T16:17:13.3633333+00:00

I see what happened, the access_token appears for 20ms, then disappears, I recorded the screen and paused on the frame:

Few milliseconds later I see this:
Nicke Manarin 20 Reputation points

2026-03-08T16:47:56.03+00:00

It's working now, I'm not sure what changed so I'm taking stuff out until it breaks again.

I added the Key Vault Reader besides the Key Vault Secrets User role.

Share via

Unable to access KeyVault using User Managed Identity

1 answer

Your answer