Configure managed identities for Azure resources on an Azure VM using Azure CLI

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, using the Azure CLI, you learn how to perform the following managed identities for Azure resources operations on an Azure VM:

• Enable and disable the system-assigned managed identity on an Azure VM
• Add and remove a user-assigned managed identity on an Azure VM

If you don't already have an Azure account, sign up for a free account before continuing.

Prerequisites

• If you're unfamiliar with managed identities for Azure resources, see What are managed identities for Azure resources?. To learn about system-assigned and user-assigned managed identity types, see Managed identity types.

• Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.

  

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

System-assigned managed identity

In this section, you learn how to enable and disable the system-assigned managed identity on an Azure VM using Azure CLI.

Enable system-assigned managed identity during creation of an Azure VM

To create an Azure VM with the system-assigned managed identity enabled, your account needs the Virtual Machine Contributor role assignment. No other Azure AD directory role assignments are required.

1. Create a resource group for containment and deployment of your VM and its related resources, using az group create. You can skip this step if you already have resource group you would like to use instead:

   az group create --name myResourceGroup --location westus
   

2. Create a VM using az vm create. The following example creates a VM named myVM with a system-assigned managed identity, as requested by the --assign-identity parameter, with the specified --role and --scope. The --admin-username and --admin-password parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:

   az vm create --resource-group myResourceGroup --name myVM --image win2016datacenter --generate-ssh-keys --assign-identity --role contributor --scope mySubscription --admin-username azureuser --admin-password myPassword12
   

Enable system-assigned managed identity on an existing Azure VM

To enable system-assigned managed identity on a VM, your account needs the Virtual Machine Contributor role assignment. No other Azure AD directory role assignments are required.

1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription that contains the VM.

   az login
   

2. Use az vm identity assign with the identity assign command enable the system-assigned identity to an existing VM:

   az vm identity assign -g myResourceGroup -n myVm
   

Disable system-assigned identity from an Azure VM

To disable system-assigned managed identity on a VM, your account needs the Virtual Machine Contributor role assignment. No other Azure AD directory role assignments are required.

If you have a Virtual Machine that no longer needs the system-assigned identity, but still needs user-assigned identities, use the following command:

az vm update -n myVM -g myResourceGroup --set identity.type='UserAssigned' 

If you have a virtual machine that no longer needs system-assigned identity and it has no user-assigned identities, use the following command:

Note

The value none is case sensitive. It must be lowercase.

az vm update -n myVM -g myResourceGroup --set identity.type="none"

User-assigned managed identity

In this section, you will learn how to add and remove a user-assigned managed identity from an Azure VM using Azure CLI. If you create your user-assigned managed identity in a different RG than your VM. You'll have to use the URL of your managed identity to assign it to your VM. For example:

--identities "/subscriptions/<SUBID>/resourcegroups/<RESROURCEGROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER_ASSIGNED_ID_NAME>"

Assign a user-assigned managed identity during the creation of an Azure VM

To assign a user-assigned identity to a VM during its creation, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No other Azure AD directory role assignments are required.

1. You can skip this step if you already have a resource group you would like to use. Create a resource group for containment and deployment of your user-assigned managed identity, using az group create. Be sure to replace the <RESOURCE GROUP> and <LOCATION> parameter values with your own values. :

   az group create --name <RESOURCE GROUP> --location <LOCATION>
   

2. Create a user-assigned managed identity using az identity create. The -g parameter specifies the resource group where the user-assigned managed identity is created, and the -n parameter specifies its name.

   Important

   When you create user-assigned managed identities, only alphanumeric characters (0-9, a-z, and A-Z) and the hyphen (-) are supported. For the assignment to a virtual machine or virtual machine scale set to work properly, the name is limited to 24 characters. For more information, see FAQs and known issues.

   az identity create -g myResourceGroup -n myUserAssignedIdentity
   

   The response contains details for the user-assigned managed identity created, similar to the following. The resource ID value assigned to the user-assigned managed identity is used in the following step.

   {
       "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
       "clientSecretUrl": "https://control-westcentralus.identity.azure.net/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<myUserAssignedIdentity>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
       "id": "/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>",
       "location": "westcentralus",
       "name": "<USER ASSIGNED IDENTITY NAME>",
       "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
       "resourceGroup": "<RESOURCE GROUP>",
       "tags": {},
       "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
       "type": "Microsoft.ManagedIdentity/userAssignedIdentities"    
   }
   

3. Create a VM using az vm create. The following example creates a VM associated with the new user-assigned identity, as specified by the --assign-identity parameter, with the specified --role and --scope. Be sure to replace the <RESOURCE GROUP>, <VM NAME>, <USER NAME>, <PASSWORD>, <USER ASSIGNED IDENTITY NAME>, <ROLE>, and <SUBSCRIPTION> parameter values with your own values.

   az vm create --resource-group <RESOURCE GROUP> --name <VM NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY NAME> --role <ROLE> --scope <SUBSCRIPTION> 
   

Assign a user-assigned managed identity to an existing Azure VM

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No other Azure AD directory role assignments are required.

1. Create a user-assigned identity using az identity create. The -g parameter specifies the resource group where the user-assigned identity is created, and the -n parameter specifies its name. Be sure to replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

   Important

   Creating user-assigned managed identities with special characters (i.e. underscore) in the name is not currently supported. Please use alphanumeric characters. Check back for updates. For more information, see FAQs and known issues

   az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
   

   The response contains details for the user-assigned managed identity created, similar to the following.

   {
     "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
     "clientSecretUrl": "https://control-westcentralus.identity.azure.net/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
     "id": "/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>",
     "location": "westcentralus",
     "name": "<USER ASSIGNED IDENTITY NAME>",
     "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
     "resourceGroup": "<RESOURCE GROUP>",
     "tags": {},
     "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
     "type": "Microsoft.ManagedIdentity/userAssignedIdentities"    
   }
   

2. Assign the user-assigned identity to your VM using az vm identity assign. Be sure to replace the <RESOURCE GROUP> and <VM NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY NAME> is the user-assigned managed identity's resource name property, as created in the previous step. If you created your user-assigned managed identity in a different RG than your VM. You'll have to use the URL of your managed identity.

   az vm identity assign -g <RESOURCE GROUP> -n <VM NAME> --identities <USER ASSIGNED IDENTITY>
   

Remove a user-assigned managed identity from an Azure VM

To remove a user-assigned identity to a VM, your account needs the Virtual Machine Contributor role assignment.

If this is the only user-assigned managed identity assigned to the virtual machine, UserAssigned will be removed from the identity type value. Be sure to replace the <RESOURCE GROUP> and <VM NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY> will be the user-assigned identity's name property, which can be found in the identity section of the virtual machine using az vm identity show:

az vm identity remove -g <RESOURCE GROUP> -n <VM NAME> --identities <USER ASSIGNED IDENTITY>

If your VM does not have a system-assigned managed identity and you want to remove all user-assigned identities from it, use the following command:

Note

The value none is case sensitive. It must be lowercase.

az vm update -n myVM -g myResourceGroup --set identity.type="none" identity.userAssignedIdentities=null

If your VM has both system-assigned and user-assigned identities, you can remove all the user-assigned identities by switching to use only system-assigned. Use the following command:

az vm update -n myVM -g myResourceGroup --set identity.type='SystemAssigned' identity.userAssignedIdentities=null 

Next steps

• Managed identities for Azure resources overview
• For the full Azure VM creation Quickstarts, see:
  • Create a Windows virtual machine with CLI
  • Create a Linux virtual machine with CLI