Configure a managed identity for a dev center

This guide explains how to add and configure a managed identity for your Azure Deployment Environments dev center to enable secure deployment for development teams.

Azure Deployment Environments uses managed identities to give development teams self-serve deployment capabilities without giving them access to the subscriptions in which Azure resources are created. A managed identity adds elevated-privileges capabilities and secure authentication to any service that supports Microsoft Entra authentication.

The managed identity attached to a dev center should be assigned both the Contributor role and the User Access Administrator role in the deployment subscriptions for each environment type. When an environment deployment is requested, the service grants appropriate permissions to the deployment identities that are set up for the environment type to deploy on behalf of the user. The managed identity attached to a dev center also is used to add to a catalog and access environment definitions in the catalog.

Add a managed identity

In Azure Deployment Environments, you can choose between two types of managed identities:

  • System-assigned identity: A system-assigned identity is tied either to your dev center or to the project environment type. A system-assigned identity is deleted when the attached resource is deleted. A dev center or a project environment type can have only one system-assigned identity.
  • User-assigned identity: A user-assigned identity is a standalone Azure resource that you can assign to your dev center or to a project environment type. For Azure Deployment Environments, a dev center or a project environment type can have only one user-assigned identity.

As a security best practice, if you choose to use user-assigned identities, use different identities for your project and for your dev center. Project identities should have more limited access to resources compared to a dev center.

Note

In Azure Deployment Environments, if you add both a system-assigned identity and a user-assigned identity, only the user-assigned identity is used.

Add a system-assigned managed identity

  1. Sign in to the Azure portal and go to Azure Deployment Environments.

  2. On Dev centers, select your dev center.

  3. On the left menu under Settings, select Identity.

  4. Under System assigned, set Status to On.

  5. Select Save.

    Screenshot that shows the system-assigned managed identity.

  6. In the Enable system assigned managed identity dialog, select Yes.

Add a user-assigned managed identity

  1. Sign in to the Azure portal and go to Azure Deployment Environments.

  2. On Dev centers, select your dev center.

  3. On the left menu under Settings, select Identity.

  4. Under User assigned, select Add to attach an existing identity.

    Screenshot that shows the user-assigned managed identity.

  5. On Add user assigned managed identity, enter or select the following information:

    1. On Subscription, select the subscription in which the identity exists.
    2. On User assigned managed identities, select an existing identity.
    3. Select Add.

Assign a subscription role assignment

The identity attached to the dev center should be assigned the Contributor and User Access Administrator roles for all the deployment subscriptions and the Reader role for all subscriptions that contain the relevant project. When a user creates or deploys an environment, the service grants appropriate access to the deployment identity that's attached to the project environment type. The deployment identity uses the access to perform deployments on behalf of the user. You can use the managed identity to empower developers to create environments without granting them access to the subscription.

Add a role assignment to a system-assigned managed identity

  1. In the Azure portal, navigate to your dev center in Azure Deployment Environments.

  2. On the left menu under Settings, select Identity.

  3. Under System assigned > Permissions, select Azure role assignments.

    Screenshot that shows the Azure role assignment for system-assigned identity.

  4. To give Contributor access to the subscription, select Add role assignment (Preview), enter or select the following information, and then select Save:

    Name Value
    Scope Subscription
    Subscription Select the subscription in which to use the managed identity.
    Role Contributor
  5. To give User Access Administrator access to the subscription, select Add role assignment (Preview), enter or select the following information, and then select Save:

    Name Value
    Scope Subscription
    Subscription Select the subscription in which to use the managed identity.
    Role User Access Administrator

Add a role assignment to a user-assigned managed identity

  1. In the Azure portal, navigate to your dev center.

  2. On the left menu under Settings, select Identity.

  3. Under User assigned, select the identity.

  4. On the left menu, select Azure role assignments.

  5. To give Contributor access to the subscription, select Add role assignment (Preview), enter or select the following information, and then select Save:

    Name Value
    Scope Subscription
    Subscription Select the subscription in which to use the managed identity.
    Role Contributor
  6. To give User Access Administrator access to the subscription, select Add role assignment (Preview), enter or select the following information, and then select Save:

    Name Value
    Scope Subscription
    Subscription Select the subscription in which to use the managed identity.
    Role User Access Administrator

Grant the managed identity access to the key vault secret

You can set up your key vault to use either a key vault access policy or Azure role-based access control.

Note

Before you can add a repository as a catalog, you must grant the managed identity access to the key vault secret that contains the repository's personal access token.

Key vault access policy

If the key vault is configured to use a key vault access policy:

  1. In the Azure portal, go to the key vault that contains the secret with the personal access token.

  2. On the left menu, select Access policies, and then select Create.

  3. On Create an access policy, enter or select the following information:

    1. On the Permissions tab, under Secret permissions, select the Get checkbox, and then select Next.
    2. On the Principal tab, select the identity that's attached to the dev center.
    3. Select Review + create, and then select Create.

Azure role-based access control

If the key vault is configured to use Azure role-based access control:

  1. In the Azure portal, go to the key vault that contains the secret with the personal access token.

  2. On the left menu, select Access control (IAM).

  3. Select the identity, and in the left menu, select Azure role assignments.

  4. Select Add role assignment, and then enter or select the following information:

    1. For Scope, select the key vault.
    2. For Subscription, select the subscription that contains the key vault.
    3. For Resource, select the key vault.
    4. For Role, select Key Vault Secrets User.
    5. Select Save.