Training
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
In this article, learn about managing secrets and credentials to secure communication between services. Managed identities provide an automatically managed identity in Microsoft Entra ID. Applications use managed identities to connect to resources that support Microsoft Entra authentication, and to obtain Microsoft Entra tokens, without credentials management.
Benefits of using managed identities:
With managed identities, credentials are fully managed, rotated, and protected by Azure. Identities are provided and deleted with Azure resources. Managed identities enable Azure resources to communicate with services that support Microsoft Entra authentication.
No one, including those assigned privileged roles, have access to the credentials, which can't be accidentally leaked by being included in code.
Managed identities are best for communications among services that support Microsoft Entra authentication. A source system requests access to a target service. Any Azure resource can be a source system. For example, an Azure virtual machine (VM), Azure Function instance, and Azure App Services instances support managed identities.
Learn more in the video, What can a managed identity be used for?
With managed identities, the source system obtains a token from Microsoft Entra ID without owner credential management. Azure manages the credentials. Tokens obtained by the source system are presented to the target system for authentication.
The target system authenticates and authorizes the source system to allow access. If the target service supports Microsoft Entra authentication, it accepts an access token issued by Microsoft Entra ID.
Azure has a control plane and a data plane. You create resources in the control plane, and access them in the data plane. For example, you create an Azure Cosmos DB database in the control plane, but query it in the data plane.
After the target system accepts the token for authentication, it supports mechanisms for authorization for its control plane and data plane.
Azure control plane operations are managed by Azure Resource Manager and use Azure role-based access control (Azure RBAC). In the data plane, target systems have authorization mechanisms. Azure Storage supports Azure RBAC on the data plane. For example, applications using Azure App Services can read data from Azure Storage, and applications using Azure Kubernetes Service can read secrets stored in Azure Key Vault.
Learn more:
There are two types of managed identities, system- and user-assigned.
System-assigned managed identity:
User-assigned managed identity
To find managed identities, you can use:
In the Azure portal, in the left navigation, select Microsoft Entra ID.
In the left navigation, select Enterprise applications.
In the Application type column, under Value, select the down-arrow to select Managed Identities.
Use the following GET request to Microsoft Graph to get a list of managed identities in your tenant.
https://graph.microsoft.com/v1.0/servicePrincipals?$filter=(servicePrincipalType eq 'ManagedIdentity')
You can filter these requests. For more information, see GET servicePrincipal.
To assess managed identity security:
Examine privileges to ensure the least-privileged model is selected
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <String>
Ensure the managed identity is not part of a privileged group, such as an administrators group.
Get-MgGroupMember -GroupId <String> [-All <Boolean>] [-Top <Int32>] [<CommonParameters>]
If you're using a service principal or a Microsoft Entra user account, evaluate the use of managed identities. You can eliminate the need to protect, rotate, and manage credentials.
Service accounts
Training
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.