Sự kiện
21 giờ 17 thg 3 - 10 giờ 21 thg 3
Tham gia chuỗi buổi gặp gỡ để xây dựng các giải pháp AI có thể mở rộng dựa trên các trường hợp sử dụng trong thế giới thực với các nhà phát triển và chuyên gia đồng nghiệp.
Đăng ký ngayUse managed identities for applications in Azure Spring Apps
Lưu ý
The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.
The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.
This article applies to: ✅ Basic/Standard ✅ Enterprise
This article shows you how to use system-assigned and user-assigned managed identities for applications in Azure Spring Apps.
Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.
| System-assigned | User-assigned |
|---|---|
| GA | GA |
For system-assigned managed identities, see How to enable and disable system-assigned managed identity.
For user-assigned managed identities, see How to assign and remove user-assigned managed identities.
An application can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.
You can configure the target resource to enable access from your application. For more information, see Assign a managed identity access to an Azure resource or another resource. For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see Azure services that support Microsoft Entra authentication.
Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, as well as guidance on important topics like handling token expiration and HTTP errors, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.
The following table provides links to articles that contain examples:
We highly recommend that you use system-assigned and user-assigned managed identities separately unless you have a valid use case. If you use both kinds of managed identity together, failure might happen if an application is using system-assigned managed identity and the application gets the token without specifying the client ID of that identity. This scenario might work fine until one or more user-assigned managed identities are assigned to that application, then the application might fail to get the correct token.
For the maximum number of user-assigned managed identities per application, see Quotas and Service Plans for Azure Spring Apps.
The following table shows the mappings between concepts in Managed Identity scope and Microsoft Entra scope:
| Managed Identity scope | Microsoft Entra scope |
|---|---|
| Principal ID | Object ID |
| Client ID | Application ID |
Tài nguyên bổ sung
Đào tạo
Chứng chỉ
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.