• 3 min read

Azure AD Managed Service Identity updates

Azure AD Managed Service Identity has been in preview for several months now. We wanted to give you an update on what is new with the service.

This post is authored by Arturo Lucatero, Program Manager, Azure Identity Services.

Azure AD Managed Service Identity has been in preview for several months now, so we wanted to give you an update on what has been happening.

Two types of managed identities

There are now two types of managed identities:

  1. System Assigned: This is the type of managed identity we introduced back in September. It has a 1:1 relation with an Azure resource (e.g., VM) and shares the same life-cycle. When you delete the resource, we automatically clean up the identity.

  1. User Assigned: This new type of managed identity is a standalone Azure resource with its own life-cycle. It enables you to have an identity which can be used by one or more Azure resources. A few notes worth mentioning:

    • As of today, user assigned managed identities can only be used on Virtual Machines and Virtual Machine Scale Sets. Other resource types are onboarding soon.

    • The API to assign user assigned managed identities to a resource is going change in the near future. Today, the assigned identities are listed in an array property in Azure Resource Manager. This will be changing to be a dictionary to support PATCH semantics.

    • You can’t create and manage user assigned identities in the portal yet. We are working on getting that ready for preview, very soon, stay tuned!

Azure AD Managed Service Identity on Azure Friday

Recently, I visited Azure Friday and talked about Azure AD Managed Service Identity with Donovan Brown. Check it out below:

Endpoint update for token requests on Virtual Machines and Virtual Machine Scale Sets

We've changed the endpoint for managed identity token requests on Virtual Machines and Virtual Machine Scale Sets:

For VMs and VM Scale Sets you now request tokens via the Azure Instance Metadata Service (IMDS). IMDS is a REST endpoint only accessible from within the VM, at a well-known non-routable IP address.

Sample HTTP calls for requesting tokens within a VM:

Via IMDS GET 'https://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1 Metadata: true
Via VM extension GET 'https://localhost:50342/oauth2/token?resource=https://management.azure.com/' HTTP/1.1 Metadata: true

Using IMDS for token requests has several benefits:

  • All Windows and Linux OS’s supported on Azure IaaS can use managed identities.

  • Credentials used under the covers by managed identity are no longer hosted on the VM. They are now hosted and secured on the host of the Azure VM.

  • Enabling managed identities on a VM is a simpler and faster. The VM extension is no longer needed.

To learn more about Azure's Instance Metadata Service, see: Azure Instance Metadata service docs.

Virtual Machine extension deprecation

Considering the benefits of using IMDS for managed identity token requests, we are deprecating the existing VM extension. While the extension has been incredibly helpful during the preview phase of managed identities, it has certain limitations, and we have decided not to include it in our general availability plan. Some of the limitations include:

  • Only certain Linux distributions are supported. We would need to develop, modify and test the extension for every distro we want to support.

  • With the VM extension, the credentials used to request tokens are stored on the VM. An attacker who successfully breaches a VM can exfiltrate the credentials.

  • Deploying VMs with managed identities has a performance impact since the VM extension needs to be provisioned.

  • The VM extension can only support having 32 user assigned managed identities per VM. Via IMDS we can support a significantly higher limit.

We plan to support the VM extension in its preview form until January 2019. At the end of January 2019, we will stop supporting the VM extension, and the IMDS endpoint will be the only mechanism to request tokens.

Azure Storage support

Azure Storage has announced a preview of Azure AD authentication and RBAC integration. You can now use a managed identity to authenticate to Azure storage directly. To learn more, see: Tutorial: Use a Linux VM's Managed Identity to access Azure Storage.

Support for build and release agents in VSTS

Visual Studio Team Services now supports Managed Identity based authentication for build and release agents. To learn more, see: Streamline authentication from agent VMs in Azure to Azure Resource Manager.

App Service and Azure Functions support

The integration of system-assigned managed identities with App Services and Azure Functions is now Generally Available. To learn more, see: Announcing General Availability and Sovereign Cloud Support of Managed Service Identity for App Service and Azure Functions.

We're listening

Thank you for reading this far! The team is hard at work on the finishing touches of managed identities for VMs and VM Scale sets.

We would appreciate your feedback on Azure AD Managed Service Identity via this 2-minute survey. Your feedback is incredibly helpful for us to know what you like and where we can improve.

As always, we’re listening on Stack Overflow, Azure feedback, and on GitHub for issues in our documentation.