Configure managed identities for Azure resources on virtual machine scale sets using PowerShell
Managed identities for Azure resources is a feature of Azure Active Directory. Each Azure service that supports managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.
Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
In this article, you learn how to use PowerShell to perform the following managed identities for Azure resources operations on a virtual machine scale set:
- Enable and disable the system-assigned managed identity on a virtual machine scale set
- Add and remove a user-assigned managed identity on a virtual machine scale set
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
Prerequisites
If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and a user-assigned managed identity.
If you don't already have an Azure account, sign up for a free account before continuing.
To perform the management operations in this article, your account needs the following Azure role-based access control assignments:
Note
No additional Azure AD directory role assignments are required.
- Virtual Machine Contributor to create a virtual machine scale set and to enable and remove a system-assigned managed identity and/or a user-assigned managed identity on a virtual machine scale set.
- Managed Identity Contributor role to create a user-assigned managed identity.
- Managed Identity Operator role to assign a user-assigned managed identity to, and remove it from, a virtual machine scale set.
To run the example scripts, you have two options:
- Use the Azure Cloud Shell, which you can open using the Try It button on the top-right corner of code blocks.
- Run scripts locally by installing the latest version of Azure PowerShell, then sign in to Azure using Connect-AzAccount.
System-assigned managed identity
In this section, you learn how to enable and remove a system-assigned managed identity using Azure PowerShell.
Enable system-assigned managed identity during the creation of an Azure virtual machine scale set
To create a virtual machine scale set with the system-assigned managed identity enabled:
Refer to Example 1 in the New-AzVmssConfig cmdlet reference article to create a virtual machine scale set with a system-assigned managed identity. Add the -IdentityType SystemAssigned parameter to the New-AzVmssConfig cmdlet:
$VMSS = New-AzVmssConfig -Location $Loc -SkuCapacity 2 -SkuName "Standard_A0" -UpgradePolicyMode "Automatic" -NetworkInterfaceConfiguration $NetCfg -IdentityType SystemAssigned
Enable system-assigned managed identity on an existing Azure virtual machine scale set
If you need to enable a system-assigned managed identity on an existing Azure virtual machine scale set:
Make sure the Azure account you're using belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor".
Retrieve the virtual machine scale set properties using the Get-AzVmss cmdlet. Then, to enable a system-assigned managed identity, use the -IdentityType switch on the Update-AzVmss cmdlet:
Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "SystemAssigned"
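The following script is an added example and not part of the original article or the Az module documentation. It enables the system-assigned identity on an existing scale set, reads back the principal the platform created, and grants that principal one role scoped to a single resource rather than to the subscription. The resource group (myResourceGroup), scale set (myVmss) and storage account (mystorageacct) names are assumed, as is the choice of the Storage Blob Data Reader role; the retry loop exists because a freshly created service principal can take a few seconds to replicate before a role assignment referencing it succeeds.

```powershell
# Added example, not from the original article. Assumed names: myResourceGroup, myVmss,
# and a storage account 'mystorageacct' in the same resource group.
$rg   = 'myResourceGroup'
$name = 'myVmss'

# Enable the system-assigned identity (idempotent if it is already enabled).
Update-AzVmss -ResourceGroupName $rg -Name $name -IdentityType 'SystemAssigned' | Out-Null

# Read back what the platform created. PrincipalId is the Azure AD object ID that
# role assignments for this scale set must reference.
$vmss = Get-AzVmss -ResourceGroupName $rg -Name $name
if ($vmss.Identity.Type -notmatch 'SystemAssigned') {
    throw "System-assigned identity not enabled on $name (Identity.Type = '$($vmss.Identity.Type)')"
}
$principalId = $vmss.Identity.PrincipalId
Write-Host "System-assigned principal: $principalId (tenant $($vmss.Identity.TenantId))"

# Least privilege: scope the role to one resource, not the resource group or subscription.
$roleName = 'Storage Blob Data Reader'   # assumed role for this example
$scope    = (Get-AzStorageAccount -ResourceGroupName $rg -Name 'mystorageacct').Id

$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope -ErrorAction SilentlyContinue
if (-not $existing) {
    $done = $false
    $attempt = 0
    do {
        $attempt++
        try {
            New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope -ErrorAction Stop | Out-Null
            $done = $true
        } catch {
            # A new service principal may not have replicated yet; retry a few times.
            if ($attempt -ge 6) { throw }
            Start-Sleep -Seconds 10
        }
    } until ($done)
}

# Audit: list every assignment this identity holds, to spot over-broad scopes.
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```

The final Get-AzRoleAssignment call is the check worth keeping in any change script: a system-assigned identity is only as constrained as the roles granted to its principal, and assignments at subscription or management-group scope show up here immediately.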
Disable the system-assigned managed identity from an Azure virtual machine scale set
If you have a virtual machine scale set that no longer needs the system-assigned managed identity but still needs its user-assigned managed identities, switch the identity type to user-assigned only:
Make sure your account belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor".
Run the following cmdlet:
Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "UserAssigned"
If you have a virtual machine scale set that no longer needs system-assigned managed identity and it has no user-assigned managed identities, use the following command:
Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType None
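The script below is an added example, not part of the original article. Disabling a system-assigned identity deletes its service principal but does not delete the role assignments that referenced it, which then linger as orphaned entries. The example therefore lists and removes those assignments first, then chooses between the two cmdlets above according to whether user-assigned identities are still attached. The names myResourceGroup and myVmss are assumed.

```powershell
# Added example, not from the original article. Assumed names: myResourceGroup, myVmss.
$rg   = 'myResourceGroup'
$name = 'myVmss'

$vmss = Get-AzVmss -ResourceGroupName $rg -Name $name
if ($vmss.Identity.Type -notmatch 'SystemAssigned') {
    Write-Host "$name has no system-assigned identity; nothing to disable."
    return
}

# Clean up role assignments before the principal disappears, otherwise they remain
# as orphaned 'Identity not found' entries in the affected scopes.
$principalId = $vmss.Identity.PrincipalId
$assignments = @(Get-AzRoleAssignment -ObjectId $principalId)
foreach ($a in $assignments) {
    Write-Host "Removing $($a.RoleDefinitionName) at $($a.Scope)"
    Remove-AzRoleAssignment -InputObject $a -ErrorAction Stop
}

# Keep any user-assigned identities; drop to None only when nothing else is attached.
$userAssignedCount = 0
if ($vmss.Identity.UserAssignedIdentities) {
    $userAssignedCount = $vmss.Identity.UserAssignedIdentities.Count
}
$newType = if ($userAssignedCount -gt 0) { 'UserAssigned' } else { 'None' }
Update-AzVmss -ResourceGroupName $rg -Name $name -IdentityType $newType | Out-Null

# Verify the change took effect.
$after = Get-AzVmss -ResourceGroupName $rg -Name $name
Write-Host "Identity type on $name is now: $($after.Identity.Type)"
```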
User-assigned managed identity
In this section, you learn how to add and remove a user-assigned managed identity from a virtual machine scale set using Azure PowerShell.
Assign a user-assigned managed identity during creation of an Azure virtual machine scale set
Creating a new virtual machine scale set with a user-assigned managed identity isn't currently supported via PowerShell. See the next section on how to add a user-assigned managed identity to an existing virtual machine scale set. Check back for updates.
Assign a user-assigned managed identity to an existing Azure virtual machine scale set
To assign a user-assigned managed identity to an existing Azure virtual machine scale set:
Make sure your account belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor".
Retrieve the virtual machine scale set properties using the Get-AzVmss cmdlet. Then, to assign a user-assigned managed identity to the virtual machine scale set, use the -IdentityType and -IdentityID switches on the Update-AzVmss cmdlet. Replace <VMSS NAME>, <SUBSCRIPTION ID>, <RESOURCE GROUP>, <USER ASSIGNED ID1>, and <USER ASSIGNED ID2> with your own values.
Important
When you create user-assigned managed identities, only alphanumeric characters (0-9, a-z, and A-Z) and the hyphen (-) are supported. For the assignment to a virtual machine or virtual machine scale set to work properly, the name is limited to 24 characters. For more information, see FAQs and known issues.
Update-AzVmss -ResourceGroupName <RESOURCE GROUP> -Name <VMSS NAME> -IdentityType UserAssigned -IdentityID "<USER ASSIGNED ID1>","<USER ASSIGNED ID2>"
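The following is an added example, not part of the original article. It resolves the identities' full ARM resource IDs (which is what -IdentityID expects, and why the placeholder list above includes a subscription ID) with Get-AzUserAssignedIdentity from the Az.ManagedServiceIdentity module instead of hand-typing them, applies the naming rule from the Important note as a pre-check, attaches the identities, and then verifies from the scale set's own identity block that each one is present. The names myResourceGroup, myVmss, uai-app1 and uai-app2 are assumed.

```powershell
# Added example, not from the original article. Assumed names: myResourceGroup, myVmss,
# and user-assigned identities 'uai-app1' and 'uai-app2' in the same resource group.
$rg       = 'myResourceGroup'
$name     = 'myVmss'
$uaiNames = @('uai-app1', 'uai-app2')

# Naming rule stated in the article: alphanumerics and hyphens only, and at most
# 24 characters for the assignment to a VM or scale set to work.
function Test-UaiName {
    param([string]$Name)
    return ($Name -match '^[A-Za-z0-9-]{1,24}$')
}
foreach ($n in $uaiNames) {
    if (-not (Test-UaiName $n)) { throw "Identity name '$n' violates the naming rule" }
}

# -IdentityID takes ARM resource IDs, not display names. Resolving them through
# Get-AzUserAssignedIdentity fails loudly on a typo instead of attaching nothing.
$uaiIds = foreach ($n in $uaiNames) {
    (Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $n -ErrorAction Stop).Id
}

# Note: -IdentityType UserAssigned replaces the identity configuration. If the scale
# set also has a system-assigned identity, this call removes it (see the removal
# section of the article for the combined case).
Update-AzVmss -ResourceGroupName $rg -Name $name -IdentityType UserAssigned -IdentityID $uaiIds | Out-Null

# Verify: the keys of UserAssignedIdentities are the resource IDs now on the scale set.
$vmss     = Get-AzVmss -ResourceGroupName $rg -Name $name
$attached = @($vmss.Identity.UserAssignedIdentities.Keys)
foreach ($id in $uaiIds) {
    if ($attached -notcontains $id) { throw "Identity $id was not attached to $name" }
}
Write-Host "Attached user-assigned identities on ${name}:"
$attached
```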
Remove a user-assigned managed identity from an Azure virtual machine scale set
If your virtual machine scale set has multiple user-assigned managed identities, you can remove all but the last one using the following commands. Be sure to replace the resource group name (myResourceGroup), the scale set name (myVmss), and <USER ASSIGNED IDENTITY NAME> with your own values. <USER ASSIGNED IDENTITY NAME> is the name property of the user-assigned managed identity that should remain on the virtual machine scale set. This information can be found in the identity section of the virtual machine scale set using az vmss show:
Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType UserAssigned -IdentityID "<USER ASSIGNED IDENTITY NAME>"
If your virtual machine scale set doesn't have a system-assigned managed identity and you want to remove all user-assigned managed identities from it, use the following command:
Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType None
If your virtual machine scale set has both system-assigned and user-assigned managed identities, you can remove all the user-assigned managed identities by switching to use only system-assigned managed identity.
Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "SystemAssigned"
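The script below is an added example, not part of the original article. It implements the three removal cases above as one decision: read the scale set's current identity block, compute the user-assigned identities that should remain, and pick the -IdentityType value that preserves everything not being removed, including a system-assigned identity if one exists. The names myResourceGroup, myVmss and uai-app2 are assumed. The combined value SystemAssignedUserAssigned is not shown in this article; it is assumed here from the Az.Compute ResourceIdentityType enumeration.

```powershell
# Added example, not from the original article. Assumed names: myResourceGroup, myVmss,
# and 'uai-app2' as the user-assigned identity being detached.
$rg       = 'myResourceGroup'
$name     = 'myVmss'
$removeId = (Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'uai-app2' -ErrorAction Stop).Id

$vmss      = Get-AzVmss -ResourceGroupName $rg -Name $name
$hasSystem = $vmss.Identity.Type -match 'SystemAssigned'
$current   = @()
if ($vmss.Identity.UserAssignedIdentities) {
    $current = @($vmss.Identity.UserAssignedIdentities.Keys)
}
# Resource ID comparison is case-insensitive, as PowerShell's -ne is by default.
$remaining = @($current | Where-Object { $_ -ne $removeId })

if ($remaining.Count -eq $current.Count) {
    throw "$removeId is not attached to $name; refusing to rewrite the identity block"
}

# Update-AzVmss replaces the identity configuration, so pass the full remaining set
# and choose a type that keeps the system-assigned identity when present.
if ($remaining.Count -gt 0) {
    # 'SystemAssignedUserAssigned' is assumed from the Az.Compute ResourceIdentityType enum.
    $type = if ($hasSystem) { 'SystemAssignedUserAssigned' } else { 'UserAssigned' }
    Update-AzVmss -ResourceGroupName $rg -Name $name -IdentityType $type -IdentityID $remaining | Out-Null
} else {
    $type = if ($hasSystem) { 'SystemAssigned' } else { 'None' }
    Update-AzVmss -ResourceGroupName $rg -Name $name -IdentityType $type | Out-Null
}

# Verify the result matches the intent.
$after = Get-AzVmss -ResourceGroupName $rg -Name $name
$afterIds = @()
if ($after.Identity -and $after.Identity.UserAssignedIdentities) {
    $afterIds = @($after.Identity.UserAssignedIdentities.Keys)
}
if ($afterIds -contains $removeId) { throw "$removeId is still attached to $name" }
Write-Host "Identity type: $($after.Identity.Type); user-assigned remaining: $($afterIds.Count)"
```

The guard that refuses to proceed when the identity is not attached matters in practice: rewriting the identity block with a wrong -IdentityType value is how a system-assigned identity, and the role assignments that depend on its principal, get dropped by accident.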
Next steps
For the full Azure VM creation Quickstarts, see: