Analytics and governanceComputeInfrastructure and securityBeginner23 min read

What Is Managed identity? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A managed identity is like a digital identity card for your Azure resource, such as a virtual machine or app. It lets your resource securely access other Azure services, like storage or databases, without you needing to handle passwords or keys. Azure takes care of creating and rotating the credentials automatically. You just assign the identity and grant it permissions.

Commonly Confused With

Managed identityvsService principal

A service principal is a manual entity you create in Azure AD for an application. You must manage its client secret or certificate and rotate it yourself. A managed identity is an automatically managed service principal for an Azure resource. Azure takes care of the secret rotation. Service principals are used for non-Azure resources or third-party integrations, while managed identities are used exclusively for Azure resources.

You create a service principal with a client secret for an external web app that needs to call Microsoft Graph. You enable a system-assigned managed identity for an Azure VM that needs to access Azure Storage.

Managed identityvsAzure AD Application Registration

An application registration is a concept in Azure AD that defines how an application authenticates users or services. A managed identity is a specific type of application registration that is created automatically for an Azure resource. With an application registration, you are responsible for configuring redirect URIs, client secrets, and certificates. With a managed identity, Azure configures everything for you.

You register an application for a mobile app that signs in users. That is an application registration. You enable a managed identity for an Azure Function that processes data from a queue. That is a managed identity.

Managed identityvsAzure Key Vault Reference

A Key Vault reference allows you to store a secret (like a password) in Azure Key Vault and reference it in an App Service configuration. This is more secure than hardcoding, but you still need to retrieve the secret at runtime. A managed identity eliminates the need for any secret at all because the identity itself is used for authentication.

You store a database password in Key Vault and reference it in your App Service. That is a Key Vault reference. You remove the password entirely and use a managed identity to authenticate directly to the database. That is a managed identity approach.

Must Know for Exams

For exam DP-900 (Microsoft Azure Data Fundamentals), managed identities appear as a security feature for accessing data services. You may see questions about how to securely connect an Azure VM to Azure SQL Database or Azure Storage without using connection strings with passwords. The exam expects you to know that managed identities provide a way to use Azure AD authentication for data access. You should understand the difference between system-assigned and user-assigned at a conceptual level, and know that it eliminates the need to store credentials in code. Typical question formats include scenario-based questions where you choose the best way to authenticate from a given Azure resource to a data service.

For exam AZ-104 (Microsoft Azure Administrator), managed identities are a core topic in the identity and governance section. You will need to know how to enable and assign managed identities for Azure virtual machines and App Services. You should understand how to grant permissions using RBAC roles. The exam may present a scenario where a virtual machine must access a key vault to retrieve a secret, and you must choose the correct configuration using a managed identity. Questions may cover the difference between system-assigned and user-assigned identities, and when to use each. The exam also tests troubleshooting: for example, if a virtual machine cannot obtain a token, you must check the identity assignment or the role assignment.

For exam AZ-400 (Microsoft Azure DevOps Solutions), managed identities are important for secure CI/CD pipelines. You may need to configure a managed identity for an Azure DevOps agent running on a virtual machine so that it can deploy resources securely. The exam could ask how to allow an Azure function in a pipeline to access a storage account without storing keys in the pipeline variables. Understanding how to use managed identities with service principals and Azure AD authentication is key. Questions may also involve managing access for multiple stages in a release pipeline, where a user-assigned identity can be reused across environments.

In all three exams, a common trap is confusing managed identities with service principals. A service principal is created manually and has its own client secret or certificate that you must manage. A managed identity is a type of service principal, but it is created and managed automatically by Azure. Another trap is thinking that managed identities can be used to authenticate to third-party services outside of Azure. In reality, managed identities only work with Azure AD-integrated services, which are primarily Azure services. You will likely see questions that test this limitation.

Simple Meaning

Think of a managed identity as a special badge that Azure gives to one of its own resources, like a virtual machine or a web app. This badge is unique and automatic. When that resource needs to talk to another Azure service, like a storage account or a key vault, it can just show its badge. The other service checks that the badge is valid and then allows access. You never have to create a username and password for this badge. Azure creates it, manages it, and makes sure it stays secret.

In the old days, if you wanted a virtual machine to access a database, you would have to store the database password somewhere in the virtual machine's configuration. That was risky because if someone got into the machine, they could steal the password. With a managed identity, there is no password to steal. The virtual machine just proves who it is using the badge, and Azure handles all the complicated security behind the scenes. This makes your system more secure and simpler to manage.

For example, imagine an Azure function that needs to read data from Azure Blob Storage. Instead of writing the storage account key inside the function's code, you give the function a managed identity. Then you tell the storage account to trust that identity. The function can then request access using its identity, and Azure automatically issues a temporary token that the function uses to connect. The token expires quickly, so even if someone intercepted it, it would be useless after a short time. This is the core idea of managed identities: automated, credential-free authentication for Azure resources.

Full Technical Definition

A managed identity is an Azure feature that provides Azure resources with an automatically managed identity in Azure Active Directory (Azure AD). This identity is a service principal, which is a security principal used by applications and services to access Azure resources. Managed identities eliminate the need for developers to manage credentials, as Azure automatically handles the creation, rotation, and secure storage of the underlying certificates and keys. There are two types: system-assigned and user-assigned.

A system-assigned managed identity is directly tied to a single Azure resource, such as a virtual machine, Azure App Service, or Azure Functions. When you enable it, Azure creates a service principal in Azure AD that is unique to that resource. The lifecycle of this identity is tied to the resource: if you delete the resource, Azure automatically deletes the identity. This type is best for scenarios where a resource has a single, clearly defined set of permissions. For example, a virtual machine that only needs to read from one storage account.

A user-assigned managed identity is created as a standalone Azure resource. You can assign it to multiple Azure resources. Its lifecycle is independent of any single resource. If you delete a virtual machine that uses a user-assigned identity, the identity remains and can be reused by another resource. This is useful when multiple resources need the same set of permissions, such as several web apps that all need access to the same database. You create the identity once, assign permissions once, and then assign the identity to each web app.

Under the hood, managed identities use certificates. Azure automatically provisions a certificate for the service principal. The certificate is rotated every 90 days by default, without any action from you. The resource uses the Azure Instance Metadata Service (IMDS) or the App Service local endpoint to obtain an access token. This token is a JSON Web Token (JWT) that contains claims about the identity and the resource. The token is then presented to the target Azure service, such as Azure Key Vault or Azure Storage, which validates the token with Azure AD. This process is fully automated and does not require any secrets in code or configuration files.

From an IT implementation perspective, you configure managed identities at the resource level. In the Azure portal, you toggle the identity setting to On for system-assigned, or you create a user-assigned identity and then assign it to the resource. Permissions are granted via Azure Role-Based Access Control (RBAC). For example, you would assign the system-assigned identity of a virtual machine the Reader role on a storage account, or the Key Vault Secrets User role on a key vault. The managed identity is then used in code by calling Azure.Identity libraries (like DefaultAzureCredential) which automatically tries to authenticate using the managed identity if it is available. This is the recommended approach for production workloads because it avoids hard-coded secrets and simplifies compliance with security policies.

Real-Life Example

Imagine you work in a large office building with many departments. Each department has its own badge system for employees. In the old system, every time an employee from the IT department needed to access the Finance file room, they had to borrow a Finance department badge. That badge had a password on it, and if the employee lost the badge, the password was compromised. This is like storing database passwords in application code.

Now, the building introduces a new smart-badge system. Every employee gets a unique digital badge that is automatically updated every few weeks. When the IT employee walks to the Finance file room door, they tap their smart badge. The door checks with a central security system, which confirms that the employee has permission to enter. The employee never sees a password, and the badge is always valid because the system updates it automatically. This is a managed identity. The employee is the Azure resource, the smart badge is the managed identity, and the central security system is Azure AD.

In this analogy, the Finance file room is the target Azure service, like a storage account or key vault. The door lock only checks the badge, not a password. If the employee is reassigned to a different department (the resource is deleted), the badge is automatically deactivated. If a new employee joins the IT team, they get a fresh badge without the IT manager having to create a new password. The building (Azure) handles all the complexity of keeping badges up to date and secure. This makes the office safer and much easier to manage because no one has to remember or hide passwords anymore.

Why This Term Matters

In real-world IT, managing secrets like passwords, API keys, and connection strings is one of the biggest security challenges. Developers often store these secrets in configuration files, environment variables, or even in source code. This creates a huge risk: if a repository is compromised, or if someone gains access to a server, they can steal credentials and move laterally across the cloud environment. Managed identities completely remove this attack surface because there are no secrets to steal.

For IT operations teams, managed identities simplify compliance and auditing. Since the identity is managed by Azure, you can easily see which resource has which permissions. You can use Azure Policy to enforce that certain resources must use managed identities, ensuring that no resource uses static credentials. This is a key requirement for many security frameworks like SOC 2, ISO 27001, and the Azure Well-Architected Framework.

Managed identities also reduce operational overhead. In traditional approaches, when a certificate or password expires, someone has to manually rotate it. If they forget, systems break. Azure automatically rotates the certificates behind managed identities every 90 days, so you never have an outage due to expired credentials. This is especially important for production systems that must be highly available.

managed identities enable a zero-trust security model. Every access request must be authenticated and authorized, even from inside the network. By using managed identities, you are ensuring that every service-to-service call is authenticated using a strong, rotating credential. This is a fundamental shift from the old perimeter-based security model, where everything inside the firewall was trusted by default. For any organization moving to the cloud, adopting managed identities is a critical step toward a secure and modern authentication strategy.

How It Appears in Exam Questions

In scenario-based questions, you are often given a description of an application running on an Azure virtual machine that needs to read data from Azure Blob Storage. The question will ask you to choose the most secure way to configure access. The correct answer will involve enabling a system-assigned managed identity on the VM and assigning the Storage Blob Data Reader role to that identity. Incorrect answers might involve using storage account keys, connection strings with passwords, or creating a service principal with a client secret.

Another common pattern involves configuration. For example, the question might describe a developer who has written code that uses a connection string to access Azure SQL Database. The requirement is to remove the connection string from the code and use a more secure method. You would need to enable a managed identity for the App Service and then configure Azure SQL Database to support Azure AD authentication, granting the managed identity the necessary roles (like db_datareader). The exam may also ask about the steps to perform this in the Azure portal or using PowerShell.

Troubleshooting questions are also common. For instance, an Azure function with a user-assigned managed identity cannot read a secret from Key Vault. The question provides several potential causes, and you must identify the correct one. The likely cause is that the role assignment on the key vault is missing, or the user-assigned identity is not correctly assigned to the function app. The wrong answer might suggest that the function needs a connection string, or that the identity needs to be regenerated.

You may also see questions that compare different authentication methods. For example, the question might ask: Which of the following is a benefit of using a managed identity over a service principal with a client secret? The answer is that a managed identity has automatic credential rotation and no need to store secrets. Another question could ask: In which scenario would you choose a user-assigned managed identity over a system-assigned one? The answer is when you need the same identity to be used by multiple resources.

Finally, some questions test your understanding of the token acquisition process. For example, how does an Azure VM obtain a token for its managed identity? The correct answer is through the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254. The wrong answer might involve a local configuration file or a PowerShell module. These questions require you to know the underlying mechanism, not just the concept.

Practise Managed identity Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Your company has an Azure virtual machine (VM) that runs a custom application. This application needs to access an Azure Storage account to read daily sales reports. Currently, the application has the storage account key hardcoded in its configuration file. Your security team has mandated that no secrets should be stored on the VM, and all access must use Azure AD authentication.

Your task is to reconfigure the setup to use a managed identity. First, you go to the VM in the Azure portal and enable a system-assigned managed identity. This creates a service principal for the VM in Azure AD. Next, you navigate to the Storage account and go to Access Control (IAM). You add a role assignment, selecting the Storage Blob Data Reader role, and then you search for the VM's name in the list of identities. You assign the role to the VM's managed identity.

Now, you update the application code. Instead of using the storage account key, you use the Azure Identity SDK. The code calls the DefaultAzureCredential class, which automatically detects that the VM has a managed identity and requests a token from the Azure Instance Metadata Service. The token is then used to authenticate to the storage account. The application continues to work, but now there is no secret stored anywhere. If the VM is ever compromised, the attacker cannot steal a static password. The identity is tied to the VM, so if the VM is deleted, the identity goes away. This setup is more secure and meets your company's security policy.

Common Mistakes

Thinking a managed identity can be used to authenticate to any external service that supports OAuth.

A managed identity only works with Azure services that are integrated with Azure AD. It cannot be used to authenticate to external APIs like a third-party SaaS application or an on-premises service unless that service is configured to trust Azure AD tokens, which is rare.

Use a service principal with client credentials or OAuth client assertions for external services. Managed identities are specifically designed for accessing Azure resources.

Assuming a system-assigned managed identity can be shared across multiple resources.

A system-assigned managed identity is tied to a single resource. It is created and deleted with that resource. You cannot assign it to another virtual machine or app service.

If multiple resources need the same permissions, create a user-assigned managed identity and assign it to all of them. This way, you manage permissions in one place.

Believing that enabling a managed identity automatically grants permissions to all Azure services.

Enabling a managed identity only creates the identity. It does not grant any permissions by itself. You must explicitly assign RBAC roles to that identity for each target service.

After enabling the managed identity, go to the target resource (e.g., storage account, key vault) and add a role assignment that includes the managed identity as the member.

Confusing managed identity with a service principal that is created manually in Azure AD.

A manually created service principal requires you to manage its credentials (client secret or certificate). A managed identity is a special type of service principal where Azure manages the credentials automatically.

Use managed identities for Azure resources whenever possible. Only use manually created service principals for scenarios like third-party authentication or legacy applications that cannot support managed identities.

Exam Trap — Don't Get Fooled

{"trap":"The exam may present a scenario where an application on an Azure VM needs to access an on-premises SQL Server. The answer choices include using a managed identity.","why_learners_choose_it":"Learners see that managed identities are secure and automatic, so they assume it can be used for any database, including on-premises."

,"how_to_avoid_it":"Remember that managed identities only work with Azure AD. An on-premises SQL Server does not support Azure AD authentication unless it is Azure Arc-enabled and configured appropriately. For on-premises resources, you would typically use a service principal with a client secret or a certificate, or use a hybrid identity solution like Azure AD Application Proxy."

Step-by-Step Breakdown

1

Enable Managed Identity

For a system-assigned identity, you go to the Azure resource (e.g., VM, App Service) and set the Identity toggle to On. Azure automatically creates a service principal in Azure AD. For a user-assigned identity, you first create the identity as a separate resource, then assign it to the target resource.

2

Grant Permissions via RBAC

Navigate to the target Azure service (e.g., storage account, key vault). Go to Access Control (IAM) and add a role assignment. Select the appropriate role (e.g., Storage Blob Data Reader) and choose the managed identity as the member. This step defines what the identity is allowed to do.

3

Configure Code to Use DefaultAzureCredential

In your application code, use the Azure Identity SDK (e.g., DefaultAzureCredential for .NET, Python, Java, etc.). This class automatically tries multiple authentication methods, including managed identity for Azure resources. It will detect the managed identity and request a token from the local endpoint (IMDS for VMs, App Service endpoint for web apps).

4

Token Acquisition

The code calls DefaultAzureCredential, which sends a request to the Azure Instance Metadata Service (IMDS) at 169.254.169.254 (for VMs) or the local environment endpoint (for App Services). Azure returns a JWT access token. This token is scoped to the target resource (e.g., https://storage.azure.com) and has a short lifetime (typically 1 hour).

5

Authenticate to Target Service

The code uses the token to make an authenticated request to the target Azure service. For example, it passes the token in the Authorization header of an HTTP request to Azure Storage. The target service validates the token with Azure AD and grants access if the token is valid and the identity has the required permissions via RBAC.

6

Automatic Credential Rotation

Azure automatically manages the underlying certificate for the service principal. The certificate is rotated approximately every 90 days. The application does not need to be restarted or reconfigured. The token acquisition process continues to work because the IMDS endpoint always provides the current certificate.

Practical Mini-Lesson

In practice, using a managed identity requires careful planning around permissions and resource types. The first step is always to understand whether the target service supports managed identities. Most Azure services do, including Azure Storage, Azure SQL Database, Azure Key Vault, Azure Cosmos DB, Azure Service Bus, and Azure Event Hubs. However, some services like Azure DevOps (when not using a hosted agent) or Azure Cognitive Search may have limitations.

When configuring a managed identity, you must choose between system-assigned and user-assigned. A system-assigned identity is simpler because it is automatically created and deleted with the resource. It is ideal when a resource has a one-to-one relationship with permissions. For example, a single virtual machine that only needs to read from one storage account. However, if you later need to add another virtual machine that needs the same access, you have to grant permissions separately for each system-assigned identity. This can become a management burden.

A user-assigned identity is a better choice for environments with many resources that share the same permissions. For instance, a team might have ten Azure Functions that all need to read from the same Azure SQL Database. You create one user-assigned identity, grant it the necessary database roles once, and then assign that identity to all ten Functions. This centralizes permission management. User-assigned identities can be used across different regions, which is useful for disaster recovery scenarios where you want to promote a secondary resource to use the same identity.

A common practical issue is that managed identities require the code to be written to use the Azure Identity SDK. If you are using legacy code that expects a connection string, you will need to refactor. In some cases, you can use Azure AD integration features that are built into the service itself. For example, Azure SQL Database allows you to create a contained database user mapped to a managed identity. Then, even if your application uses SQL Server Management Objects (SMO), you can authenticate using the managed identity via the connection string attribute Authentication=Active Directory Managed Identity.

Another important consideration is that managed identities do not work for resources outside of Azure, such as on-premises servers or other clouds. For those scenarios, you must fall back to other methods like service principals or managed service identities (MSI) with federation. Also, be aware that not all Azure services support user-assigned managed identities. For example, Azure VMs support both, but some older services may only support system-assigned. Always check the documentation for the specific service.

Finally, monitoring and troubleshooting are critical. If a managed identity stops working, check the role assignments to ensure they have not been removed. Use Azure Monitor to check the sign-in logs for the service principal. You can also test token acquisition from a VM by logging into it and running a PowerShell command or using the Azure CLI to get a token using the managed identity. The command az account get-access-token --resource https://storage.azure.com will show if the identity can successfully obtain a token. If it fails, the issue is often that the identity is not assigned or the resource is not enabled.

Memory Tip

Managed identity = No secret handshake, just show your badge.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can I use a managed identity to authenticate a user, like a person logging into a web app?

No, managed identities are designed for applications and services, not for individual users. They are used for server-to-server or service-to-service authentication. For users, you would use user sign-in flows with Azure AD.

Do managed identities work for on-premises resources?

No, managed identities are an Azure feature and only work for Azure resources. For on-premises resources, you would need to use a service principal or Azure AD Application Proxy.

What happens if I delete a resource that has a system-assigned managed identity?

The managed identity is automatically deleted along with the resource. All role assignments that referenced that identity will become invalid. You should clean up any dependencies before deletion.

Can I see the certificate used by a managed identity?

No, Azure does not expose the certificate to you. It is managed entirely in the background. This is by design to prevent you from accidentally leaking the secret.

How long is a managed identity token valid?

Typically, tokens are valid for 8 hours by default, but this can vary. The token is a JWT token issued by Azure AD. Your code should be designed to handle token expiration and request a new one.

Can I assign a user-assigned managed identity to a resource in a different region?

Yes, user-assigned managed identities are regional resources, but they can be assigned to resources in any region. For example, you can create a user-assigned identity in East US and assign it to a VM in West Europe.

Summary

Managed identity is a fundamental security feature in Azure that allows resources, such as virtual machines and app services, to authenticate to other Azure services without handling any secrets. It works by creating an automatic service principal in Azure AD that is managed by Azure, including credential rotation. This eliminates the risk of leaked passwords or connection strings. There are two types: system-assigned, which is tied to a single resource, and user-assigned, which can be shared across multiple resources.

For IT professionals, adopting managed identities is a key step toward a secure, zero-trust architecture. It reduces operational overhead, simplifies compliance, and follows security best practices. In exams like DP-900, AZ-104, and AZ-400, you will be tested on your ability to choose between authentication methods, configure managed identities, and understand their limitations.

The key exam takeaway is that managed identities are the recommended and most secure way for Azure resources to access other Azure resources. Always look for scenarios where you can replace connection strings or client secrets with a managed identity. Remember that they do not work for external services, and that permission is granted separately through RBAC. Mastering this concept will help you design more secure cloud solutions and succeed in your certification exams.