Exercise - Configure a system-assigned managed identity for an Azure VM


The virtual machine (VM) that hosts your app has been deployed in Azure. You now need to enable a managed identity in the company's Azure subscription. The idea is to allow your stock-tracking app to access the Azure resources that it needs.

In this unit, you'll create a system-assigned managed identity for your VM. You'll see how to access Azure resources from inside the identity.

Set up the environment

  1. Create an instance of Azure Key Vault to store your company's private data. Every Azure Key Vault name needs to be globally unique.

    export VMNAME=prodserver
    export KVNAME=furniture-secrets$RANDOM
    az keyvault create --name $KVNAME \
        --resource-group <rgn>[Sandbox resource group]</rgn> \
        --default-action Allow \
        --location $(az resource list --output tsv --query [0].location) \
        --sku standard
  2. Create a VM to host your company's app. Store the public IP address in an environment variable.

    export publicIP=$(az vm create \
        --name $VMNAME \
        --resource-group <rgn>[Sandbox resource group]</rgn> \
        --image UbuntuLTS \
        --generate-ssh-keys \
        --output tsv \
        --query "publicIpAddress")


    Creating the VM can take a few minutes.

Configure a system-assigned managed identity for an Azure VM

  1. Assign a system-assigned managed identity to the VM.

    az vm identity assign \
      --name $VMNAME \
      --resource-group <rgn>[Sandbox resource group]</rgn>

    This command should return a response that shows the managed identity. Here's an example response:

        "systemAssignedIdentity": "a78ddd60-183b-4e27-9f0d-c11a11c417d8",
        "userAssignedIdentities": {}

Use your key vault to store a secret

  1. Add your connection string to the key vault.

    az keyvault secret set \
      --vault-name $KVNAME \
      --name DBCredentials \
      --value "Server=tcp:prodserverSQL.database.windows.net,1433;Database=myDataBase;User ID=mylogin@myserver;Password=examplePassword;Trusted_Connection=False;Encrypt=True;"
  2. Make a note of your key vault name.

    echo $KVNAME

Set up the VM for your company's stock-tracking app

  1. Use SSH to access your VM.

    ssh $publicIP

    At the prompt, type yes.

  2. For the next exercise, download and install the .NET Core version on the VM that will be used by the module's sample app.

    sudo snap install dotnet-sdk --classic --channel=3.1


    Installing the .NET SDK can take a few minutes to complete.

  3. Download the source code for this module's sample app.

    git clone https://github.com/MicrosoftDocs/mslearn-authenticate-apps-with-managed-identities identity
  4. End the SSH session.