This chapter covers Managed Identities and Service Principals, two core identity constructs in Azure for authentication without human intervention. On the AZ-500 exam, approximately 15-20% of questions touch on identity and access management, with a significant subset focusing on the differences between these two mechanisms. Understanding when to use each, their security implications, and how they interact with Azure AD is critical for passing the exam and for real-world Azure security engineering.
Jump to a section
Think of an Azure resource as an employee in a company. A Managed Identity is like a company-issued badge that automatically grants access to specific doors (Azure resources) based on the employee's role. The badge is issued by the company (Azure AD) and is tied to the employee's identity; if the employee leaves, the badge is deactivated. No one needs to remember a password or carry a separate card. In contrast, a Service Principal is like a passport: it's a separate identity document that can be used by applications or services outside the company. You must explicitly create the passport, set its expiration date, and manage its renewal. The passport can be used by multiple applications (like a shared credential), but if it's stolen, anyone can impersonate the holder. The badge (Managed Identity) is simpler and more secure because it's automatically rotated and tied to a specific resource. The passport (Service Principal) is more flexible but requires careful management. In Azure, Managed Identities are for Azure resources only, while Service Principals can be used by external applications. The exam tests your understanding of when to use each: Managed Identities for Azure VMs, App Services, or Functions; Service Principals for on-premises apps or cross-tenant scenarios.
What Are Managed Identities and Service Principals?
In Azure, applications and services often need to authenticate to other Azure resources without using human credentials. Two primary mechanisms exist: Managed Identities and Service Principals. Both are Azure AD identities, but they differ in lifecycle, management overhead, and scope.
A Managed Identity is an Azure AD identity that is automatically managed by Azure and tied to a specific Azure resource (e.g., a virtual machine, App Service, or Azure Function). It cannot be created independently; it is enabled on a resource. Azure automatically rotates the credentials (certificates) every 46 days. There are two types: System-assigned and User-assigned. A system-assigned identity is tied to the lifecycle of the resource—when the resource is deleted, the identity is deleted. A user-assigned identity is a standalone resource that can be assigned to multiple Azure resources, and its lifecycle is independent.
A Service Principal is a manual identity created in Azure AD for an application, service, or automation tool. It is essentially an application instance in Azure AD with a client ID and either a client secret (password) or certificate. The lifecycle is managed by the administrator; secrets must be rotated, and certificates must be renewed. Service Principals can be used by applications running anywhere—on-premises, in other clouds, or in Azure—as long as they can communicate with Azure AD.
How They Work Internally
Managed Identity Authentication Flow:
The Azure Resource Provider (e.g., Azure VM) requests a token from the Azure Instance Metadata Service (IMDS) endpoint at http://169.254.169.254/metadata/identity/oauth2/token. This is a non-routable IP address accessible only from within the VM.
IMDS validates that the request comes from a resource with a managed identity enabled. It then contacts the Azure AD endpoint on behalf of the resource.
Azure AD issues a JWT (JSON Web Token) with claims including aud (audience), iss (issuer), appid (client ID of the managed identity), and tid (tenant ID). The token is valid for 8 hours by default.
The application uses this token to authenticate to Azure resources (e.g., Key Vault, Storage). The resource validates the token using Azure AD public keys.
Service Principal Authentication Flow:
The application presents its client ID and client secret (or certificate thumbprint) to the Azure AD token endpoint (https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token).
Azure AD validates the credentials and issues a JWT token. The token includes the same claims but the appid is the Service Principal's client ID.
The application uses the token to access resources. The resource validates the token similarly.
Key difference: Managed Identities use a certificate that is automatically rotated by Azure, while Service Principals use a secret or certificate that must be managed manually.
Key Components, Values, Defaults, and Timers
Managed Identity Default Token Lifetime: 8 hours (configurable up to 24 hours via Azure AD policy).
Certificate Rotation: Azure rotates the certificate for system-assigned managed identities every 46 days. User-assigned identities also rotate automatically.
Service Principal Secret Max Lifetime: Azure AD allows a maximum of 2 years for a client secret, but Microsoft recommends 6 months or less. Certificates can have longer lifetimes.
Number of Managed Identities per Resource: A resource can have one system-assigned identity and multiple user-assigned identities (up to 20 per resource type).
Number of Service Principals: No hard limit, but Azure AD has a default limit of 256 applications per tenant (can be increased).
Configuration and Verification Commands
Azure CLI - Managed Identity:
# Enable system-assigned managed identity on a VM
az vm identity assign --resource-group myRG --name myVM
# Create a user-assigned managed identity
az identity create --resource-group myRG --name myUserIdentity
# Assign user-assigned identity to a VM
az vm identity assign --resource-group myRG --name myVM --identities /subscriptions/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserIdentity
# Get token for testing (from within the VM)
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net' -H Metadata:trueAzure CLI - Service Principal:
# Create a service principal with a password
az ad sp create-for-rbac --name myServicePrincipal --role Contributor --scopes /subscriptions/...
# Create a service principal with a certificate
az ad sp create-for-rbac --name myServicePrincipal --certificate myCert.pem
# List service principals
az ad sp list --show-mine
# Reset credentials
az ad sp credential reset --name myServicePrincipalPowerShell - Managed Identity:
# Enable system-assigned identity
Update-AzVM -ResourceGroupName 'myRG' -VMName 'myVM' -IdentityType SystemAssigned
# Create user-assigned identity
New-AzUserAssignedIdentity -ResourceGroupName 'myRG' -Name 'myUserIdentity'PowerShell - Service Principal:
# Create service principal
$sp = New-AzADServicePrincipal -DisplayName 'myServicePrincipal'
# Get password from $sp.Secret (automatically generated)How They Interact with Related Technologies
Azure RBAC: Both Managed Identities and Service Principals are security principals that can be assigned Azure RBAC roles. For example, a managed identity can be given 'Reader' role on a storage account, and that VM can read blobs without credentials.
Azure Key Vault: Managed Identities are commonly used to access Key Vault secrets. The VM's managed identity is granted access via access policies, and the application retrieves tokens from IMDS.
Azure AD Authentication: Service Principals are the identity for Azure AD applications. They can be granted permissions to Graph API or other Microsoft APIs.
Conditional Access: Service Principals can be targeted by Conditional Access policies (e.g., require MFA for certain apps). Managed Identities cannot be directly targeted because they are not user-like principals.
Security Considerations
Managed Identity: Since credentials are automatically rotated and never exposed to developers, they are more secure. The token is obtained from IMDS, which is only accessible from within the resource, reducing the risk of credential theft. However, if an attacker gains code execution on the VM, they can call IMDS and get tokens.
Service Principal: Secrets can be leaked in code, configuration files, or CI/CD pipelines. If a secret is compromised, an attacker can authenticate as that service principal until the secret is rotated. Using certificates instead of secrets improves security, but certificate management adds complexity.
Exam-Relevant Details
When to use Managed Identity: For Azure resources that need to authenticate to other Azure resources. Example: A VM that needs to read secrets from Key Vault.
When to use Service Principal: For applications running outside Azure (e.g., on-premises, other clouds) or for applications that need to authenticate to Azure AD (e.g., Microsoft Graph). Also used for CI/CD pipelines (Azure DevOps, GitHub Actions) that need to deploy to Azure.
System-assigned vs User-assigned: System-assigned is simpler and tied to resource lifecycle. User-assigned allows reuse across resources and independent lifecycle. Exam questions often test this distinction.
Token endpoint: Managed Identity uses http://169.254.169.254/metadata/identity/oauth2/token (IMDS). Service Principal uses https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token.
Role assignment: Both can be assigned roles. For Managed Identity, you assign roles to the identity (e.g., az role assignment create --assignee <principal-id> --role Reader --scope ...). For Service Principal, you use the same command with the service principal's object ID.
Common Pitfalls
Forgetting to assign RBAC role: Even with a managed identity, you must grant it permissions to the target resource. A common mistake is enabling the identity but not assigning a role.
Using wrong endpoint: For Managed Identity, the endpoint is IMDS; for Service Principal, it's Azure AD. Mixing them up causes authentication failures.
Secret expiration: Service Principal secrets expire; if not rotated, applications fail. Managed identities have no such issue.
Cross-tenant access: Service Principals can be used for cross-tenant scenarios (e.g., guest users). Managed Identities are tenant-scoped and cannot be used across tenants.
Summary of Exam Objectives (1.3)
Objective 1.3: "Manage Azure AD identity protection" includes understanding Managed Identities and Service Principals as part of securing identities. The exam expects you to:
Differentiate between system-assigned and user-assigned managed identities.
Know when to use a managed identity vs. a service principal.
Understand the authentication flow for each.
Be able to configure them using Azure CLI or PowerShell.
Recognize security best practices (e.g., use managed identities over service principals when possible).
Enable Managed Identity on Resource
When you enable a system-assigned managed identity on an Azure VM via portal or CLI, Azure Resource Manager (ARM) communicates with Azure AD to create a service principal object for that VM. This principal is stored in the tenant and linked to the VM's resource ID. The VM's metadata is updated to include the identity. For user-assigned, you first create the identity resource, then assign it to the VM. The assignment updates the VM's IMDS configuration to include the identity's client ID and certificate.
Application Requests Token from IMDS
The application running on the VM makes an HTTP GET request to the IMDS endpoint: `http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net`. The request must include the header `Metadata: true`. IMDS is a local service that runs on the Azure host. It checks that the request comes from a VM with a managed identity and returns a token. The token is a JWT signed by Azure AD.
IMDS Contacts Azure AD for Token
IMDS uses the VM's identity certificate (stored in the host's certificate store) to authenticate to Azure AD. It sends a request to `https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token` with the resource parameter. Azure AD validates the certificate and issues a token. The token's `appid` claim is the managed identity's client ID. The token is returned to IMDS, which forwards it to the application. The entire process takes milliseconds.
Application Uses Token to Access Resource
The application includes the token in the `Authorization` header as a Bearer token when making requests to the target resource (e.g., Key Vault REST API). The resource (e.g., Key Vault) validates the token by checking its signature using Azure AD's public keys, verifying the `aud` claim matches its own identifier, and checking the `iss` claim matches the tenant. If valid, the request is processed. The token is cached by the application until it expires (8 hours default).
Service Principal Authentication Flow
For a service principal, the application (e.g., a CI/CD pipeline) sends a POST request to Azure AD token endpoint with the client ID and client secret (or certificate). The request includes `grant_type=client_credentials`. Azure AD validates the credentials and issues a token. The token is used similarly. The application must manage the secret lifecycle. If the secret expires, authentication fails until a new secret is created and deployed.
Scenario 1: VM Accessing Key Vault
A common enterprise scenario is a virtual machine that needs to retrieve a database connection string from Azure Key Vault. Using a Managed Identity, the developer enables system-assigned identity on the VM, then grants that identity 'Get' and 'List' permissions on the Key Vault access policy. The application code calls the IMDS endpoint to get a token and then uses it to fetch the secret. This eliminates the need to store credentials in code or configuration files. In production, you might have hundreds of VMs, each with its own identity. Performance is excellent because IMDS is local. A common misconfiguration is forgetting to assign the RBAC role or access policy—without it, the token is valid but the request is denied. Another issue is running the code outside the VM (e.g., during development) where IMDS is not available; developers often switch to a service principal for local testing.
Scenario 2: CI/CD Pipeline Deploying to Azure
Azure DevOps pipelines often use a Service Principal to authenticate to Azure for deployments. The service principal is created with 'Contributor' role on a resource group. The pipeline uses the client ID and secret (stored as a secret variable in Azure DevOps) to log in via az login --service-principal -u <client-id> -p <secret> --tenant <tenant>. This works well but has security risks: if the secret is exposed in logs, an attacker can deploy resources. Best practice is to use a certificate instead of a secret, or use Azure AD Workload Identity Federation (which uses OpenID Connect tokens from the pipeline provider). The exam may ask about this: for non-Azure workloads, service principals are necessary.
Scenario 3: Multi-tier Application with User-assigned Identity
A microservices application running on Azure Kubernetes Service (AKS) might use a user-assigned managed identity shared across multiple pods. Each pod can request tokens for different resources (e.g., one pod accesses storage, another accesses Key Vault). The user-assigned identity is assigned to the AKS node pool or to individual pods via Azure AD Pod Identity (now replaced by Workload Identity). This allows the same identity to be used across services, simplifying RBAC management. However, if the identity is accidentally deleted, all pods lose access. The exam tests that user-assigned identities can be assigned to multiple resources, whereas system-assigned is per-resource.
What AZ-500 Tests (Objective 1.3)
The AZ-500 exam under 'Manage Azure AD identity protection' includes questions on Managed Identities and Service Principals. Specifically, you must:
Identify when to use a system-assigned vs user-assigned managed identity.
Determine whether a managed identity or service principal is appropriate for a given scenario.
Understand the authentication endpoints and token lifetimes.
Recognize security best practices (e.g., prefer managed identities, rotate service principal secrets).
Top 3 Wrong Answers and Why Candidates Choose Them
1. Wrong: 'Service principals are more secure because they can use certificates.' - Why: Candidates think certificates are always better. But managed identities use certificates too, and Azure automatically rotates them, making them more secure because no human manages the secret.
2. Wrong: 'A system-assigned managed identity can be assigned to multiple VMs.' - Why: Candidates confuse system-assigned with user-assigned. System-assigned is tied to one resource; user-assigned can be assigned to multiple.
3. Wrong: 'Managed identities can be used for on-premises applications.' - Why: Candidates think managed identities are flexible. But they are only available to Azure resources. On-premises apps must use service principals.
Specific Numbers and Terms That Appear on the Exam
Token lifetime: 8 hours (default).
IMDS endpoint: http://169.254.169.254/metadata/identity/oauth2/token.
Header required: Metadata: true.
Maximum secret lifetime: 2 years (but best practice is 6 months).
Number of user-assigned identities per VM: up to 20.
Edge Cases and Exceptions
Cross-tenant scenario: Managed identities cannot be used across tenants. If an app in Tenant A needs to access resources in Tenant B, you must use a service principal (or B2B collaboration).
Azure AD App Registration vs Service Principal: An App Registration is the application definition; a Service Principal is the instance in a tenant. Exam questions may ask about the difference.
Managed Identity for Azure Arc: Azure Arc-enabled servers can also have managed identities, but they use a different token endpoint (local agent).
How to Eliminate Wrong Answers
If the scenario involves an Azure resource (VM, App Service, Function), the answer is likely a managed identity.
If the scenario involves an external application (on-premises, other cloud, CI/CD pipeline), the answer is a service principal.
If the question mentions 'automatic credential rotation' or 'no secret management', choose managed identity.
If the question mentions 'cross-tenant' or 'external identity', choose service principal.
For 'system-assigned vs user-assigned', look for keywords: 'single resource' or 'lifecycle tied to resource' = system-assigned; 'shared across resources' or 'independent lifecycle' = user-assigned.
Managed identities are the preferred authentication method for Azure resources because they eliminate credential management.
System-assigned managed identities are tied to a single resource and are deleted when the resource is deleted.
User-assigned managed identities are standalone resources that can be assigned to multiple Azure resources.
Service principals are necessary for applications running outside Azure or for cross-tenant scenarios.
The IMDS endpoint for managed identity tokens is http://169.254.169.254/metadata/identity/oauth2/token with header Metadata: true.
Default token lifetime for managed identities is 8 hours, configurable up to 24 hours.
Service principal secrets should be rotated regularly; maximum allowed lifetime is 2 years.
Both managed identities and service principals can be assigned Azure RBAC roles to grant permissions.
These come up on the exam all the time. Here's how to tell them apart.
Managed Identity
Automatically managed by Azure; credentials rotated every 46 days.
Tied to the lifecycle of an Azure resource (system-assigned) or independent (user-assigned).
Can only be used by Azure resources (VMs, App Services, Functions, etc.).
No secret management; tokens obtained from IMDS endpoint.
Cannot be used for cross-tenant authentication.
Service Principal
Manually created and managed; secrets/certificates must be rotated manually.
Independent lifecycle; exists until deleted.
Can be used by any application (Azure, on-premises, other clouds).
Requires storing and managing client secrets or certificates.
Can be used for cross-tenant authentication (e.g., guest scenarios).
Mistake
Managed identities and service principals are exactly the same thing.
Correct
They are both Azure AD identities, but managed identities are automatically managed by Azure (credential rotation, lifecycle tied to resource) and can only be used by Azure resources. Service principals require manual management and can be used by any application.
Mistake
A system-assigned managed identity can be assigned to multiple Azure resources.
Correct
A system-assigned identity is tied to a single resource. To share an identity across multiple resources, use a user-assigned managed identity.
Mistake
Service principals are more secure because they can use certificates instead of passwords.
Correct
Managed identities also use certificates, and Azure automatically rotates them. Service principal certificates require manual renewal, which can be forgotten, leading to outages. Managed identities are generally more secure due to automatic rotation and no secret exposure.
Mistake
Managed identities can be used by applications running on-premises or in other clouds.
Correct
Managed identities are only available for Azure resources (VMs, App Services, etc.). For non-Azure workloads, you must use a service principal.
Mistake
You need to store the managed identity's client secret in your application code.
Correct
Managed identities have no client secret exposed to the user. The application obtains a token from the IMDS endpoint without any stored credentials. The secret is managed entirely by Azure.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, managed identities can only obtain tokens for Azure resources (e.g., Azure Key Vault, Azure Storage, Azure SQL). They cannot authenticate to on-premises services directly. For on-premises resources, you would typically use a service principal or other authentication mechanisms like Windows Integrated Authentication.
A system-assigned managed identity is created directly on an Azure resource and has the same lifecycle as that resource. When the resource is deleted, the identity is automatically deleted. A user-assigned managed identity is created as a separate Azure resource and can be assigned to multiple Azure resources. Its lifecycle is independent; you must delete it manually. User-assigned identities are useful when you want the same identity across multiple resources.
You grant access by assigning an Azure RBAC role to the managed identity. For example, to allow a VM to read blobs from a storage account, you would use a command like: `az role assignment create --assignee <managed-identity-principal-id> --role 'Storage Blob Data Reader' --scope /subscriptions/.../resourceGroups/myRG/providers/Microsoft.Storage/storageAccounts/myStorage`. You can find the principal ID from the identity's properties.
Azure DevOps pipelines run outside Azure (Microsoft-hosted agents) or on self-hosted agents that may be Azure VMs. For Microsoft-hosted agents, you cannot use a managed identity because they are not Azure resources. Instead, use a service principal. For self-hosted agents running on Azure VMs, you can use the VM's managed identity to authenticate to Azure, but the pipeline itself still needs a service principal for Azure DevOps API calls.
The application can request a new token from the IMDS endpoint at any time. The token is cached by the application and refreshed automatically by most Azure SDKs. If the token expires and the application tries to use it, the resource will return a 401 Unauthorized error. The application should handle this by retrying with a new token.
No, they are fundamentally different. A service principal is an application registration in Azure AD with manual credential management. A managed identity is a special type of service principal that is automatically managed. You cannot convert one to the other. If you currently use a service principal, you can migrate to a managed identity by creating a new identity and updating your application code.
An Azure VM can have one system-assigned managed identity and up to 20 user-assigned managed identities. This limit is per VM and applies to other resource types as well (e.g., App Service can have one system-assigned and up to 20 user-assigned).
You've just covered Managed Identities vs Service Principals — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?