Managed identities for Form Recognizer

This article applies to: Form Recognizer v2.1 checkmark Form Recognizer v3.0. Form Recognizer v2.1 checkmark Form Recognizer v2.1.

Managed identities for Azure resources are service principals that create an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources:

  • You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications. Unlike security keys and authentication tokens, managed identities eliminate the need for developers to manage credentials.

  • To grant access to an Azure resource, assign an Azure role to a managed identity using Azure role-based access control (Azure RBAC).

  • There's no added cost to use managed identities in Azure.

Tip

Managed identities eliminate the need for you to manage credentials, including Shared Access Signature (SAS) tokens. Managed identities are a safer way to grant access to data without having credentials in your code.

Private storage account access

Private Azure storage account access and authentication are supported by managed identities for Azure resources. If you have an Azure storage account, protected by a Virtual Network (VNet) or firewall, Form Recognizer can't directly access your storage account data. However, once a managed identity is enabled, Form Recognizer can access your storage account using an assigned managed identity credential.

Note

Prerequisites

To get started, you'll need:

Managed identity assignments

There are two types of managed identity: system-assigned and user-assigned. Currently, Form Recognizer only supports system-assigned managed identity:

  • A system-assigned managed identity is enabled directly on a service instance. It isn't enabled by default; you must go to your resource and update the identity setting.

  • The system-assigned managed identity is tied to your resource throughout its lifecycle. If you delete your resource, the managed identity will be deleted as well.

In the following steps, we'll enable a system-assigned managed identity and grant Form Recognizer limited access to your Azure blob storage account.

Enable a system-assigned managed identity

Important

To enable a system-assigned managed identity, you need Microsoft.Authorization/roleAssignments/write permissions, such as Owner or User Access Administrator. You can specify a scope at four levels: management group, subscription, resource group, or resource.

  1. Sign in to the Azure portal using an account associated with your Azure subscription.

  2. Navigate to your Form Recognizer resource page in the Azure portal.

  3. In the left rail, Select Identity from the Resource Management list:

    Screenshot: resource management identity tab in the Azure portal.

  4. In the main window, toggle the System assigned Status tab to On.

Grant access to your storage account

You need to grant Form Recognizer access to your storage account before it can create, read, or delete blobs. Now that you've enabled Form Recognizer with a system-assigned managed identity, you can use Azure role-based access control (Azure RBAC), to give Form Recognizer access to Azure storage. The Storage Blob Data Reader role gives Form Recognizer (represented by the system-assigned managed identity) read and list access to the blob container and data.

  1. Under Permissions select Azure role assignments:

    Screenshot: enable system-assigned managed identity in Azure portal.

  2. An Azure role assignments page will open. Choose your subscription from the drop-down menu then select + Add role assignment.

    Screenshot: Azure role assignments page in the Azure portal.

    Note

    If you're unable to assign a role in the Azure portal because the Add > Add role assignment option is disabled or you get the permissions error, "you do not have permissions to add role assignment at this scope", check that you're currently signed in as a user with an assigned a role that has Microsoft.Authorization/roleAssignments/write permissions such as Owner or User Access Administrator at the Storage scope for the storage resource.

  3. Next, you're going to assign a Storage Blob Data Reader role to your Form Recognizer service resource. In the Add role assignment pop-up window complete the fields as follows and select Save:

    Field Value
    Scope Storage
    Subscription The subscription associated with your storage resource.
    Resource The name of your storage resource
    Role Storage Blob Data Reader—allows for read access to Azure Storage blob containers and data.

    Screenshot: add role assignments page in the Azure portal.

  4. After you've received the Added Role assignment confirmation message, refresh the page to see the added role assignment.

    Screenshot: Added role assignment confirmation pop-up message.

  5. If you don't see the change right away, wait and try refreshing the page once more. When you assign or remove role assignments, it can take up to 30 minutes for changes to take effect.

    Screenshot: Azure role assignments window.

That's it! You've completed the steps to enable a system-assigned managed identity. With managed identity and Azure RBAC, you granted Form Recognizer specific access rights to your storage resource without having to manage credentials such as SAS tokens.

Next steps