Welcome to "my-azure"

Simply Stay Ahead !

New- Keep credentials out of code: Introducing Azure AD Managed Service Identity

See new link here..

Managed Service Identity (MSI) for Azure resources

https://docs.microsoft.com/en-us/azure/active-directory/msi-overview

Managed Service Identity (MSI) is currently a preview feature of Azure Active Directory and is for evaluation purposes only. MSI is deploying to regions globally and may take time to appear in your region. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

A common challenge when building cloud applications is how to manage the credentials that need to be in your code for authenticating to cloud services. Keeping these credentials secure is an important task. Ideally, they never appear on developer workstations or get checked into source control. Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.+

How does it work?

When you enable Managed Service Identity on an Azure service, Azure automatically creates an identity for the service instance in the Azure AD tenant used by your Azure subscription. Under the covers, Azure provisions the credentials for the identity onto the service instance. Your code can then make a local request to get access tokens for services that support Azure AD authentication. Azure takes care of rolling the credentials used by the service instance. If the service instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.+

Here’s an example of how Managed Service Identity works with Azure Virtual Machines.+

Virtual Machine MSI example+

    1. Azure Resource Manager receives a message to enable MSI on a VM.
    2. Azure Resource Manager creates a Service Principal in Azure AD to represent the identity of the VM. The Service Principal is created in the Azure AD tenant that is trusted by this subscription.
    3. Azure Resource Manager configures the Service Principal details in the MSI VM Extension of the VM. This step includes configuring client ID and certificate used by the extension to get access tokens from Azure AD.
    4. Now that the Service Principal identity of the VM is known, it can be granted access to Azure resources. For example, if your code needs to call Azure Resource Manager, then you would assign the VM’s Service Principal the appropriate role using Role-Based Access Control (RBAC) in Azure AD. If your code needs to call Key Vault, then you would grant your code access to the specific secret or key in Key Vault.
    5. Your code running on the VM requests a token from a local endpoint that is hosted by the MSI VM extension: http://localhost:50342/oauth2/token. The resource parameter specifies the service to which the token will be sent. For example, if you want your code to authenticate to Azure Resource Manager, you would use resource=https://management.azure.com/.
    6. The MSI VM Extension uses its configured client ID and certificate to request an access token from Azure AD. Azure AD returns a JSON Web Token (JWT) access token.
    7. Your code sends the access token on a call to a service that supports Azure AD authentication.

+

Each Azure service that supports Managed Service Identity will have its own method for your code to obtain an access token. Check out the tutorials for each service to find out the specific method to get a token.+

Which Azure services support Managed Service Identity?

Azure services that support Managed Service Identity can use MSI to authenticate to services that support Azure AD authentication. We are in the process of integrating MSI and Azure AD authentication across Azure. Check back often for updates.+

Azure services that support Managed Service Identity

The following Azure services support Managed Service Identity.+

Service Status Date
Azure Virtual Machines Preview September 2017
Azure App Service Preview September 2017
Azure Functions Preview September 2017

Azure services that support Azure AD authentication

The following services support Azure AD authentication and have been tested with client services that use Managed Service Identity.+

Service Resource ID Status Date
Azure Resource Manager https://management.azure.com/ Available September 2017
Azure Key Vault https://vault.azure.net/ Available September 2017
Azure Data Lake https://datalake.azure.net/ Available September 2017

How much does Managed Service Identity cost?

Managed Service Identity comes with Azure Active Directory Free, which is the default for Azure subscriptions. There is no additional cost for Managed Service Identity.+

Support and feedback

We would love to hear from you!+

+

Try Managed Service Identity

Try a Managed Service Identity tutorial to learn end-to-end scenarios for accessing different Azure resources:+

From MSI-enabled resource Learn how to
Azure VM (Windows) Access Azure Resource Manager with a Windows VM Managed Service Identity
Access Azure Storage with a Windows VM Managed Service Identity
Access a non-Azure AD resource with a Windows VM Managed Service Identity and Azure Key Vault
Azure VM (Linux) Access Azure Resource Manager with a Linux VM Managed Service Identity
Access Azure Storage with a Linux VM Managed Service Identity
Access a non-Azure AD resource with a Linux VM Managed Service Identity
Azure App Service Use Managed Service Identity with Azure App Service or Azure Functions
Azure Function Use Managed Service Identity with Azure App Service or Azure Functions

If you just want to learn the basics of enabling MSI on an Azure resource :+

For Azure resource Enable/remove MSI using
Azure VM (Windows) The Azure portal
PowerShell
Azure CLI
Azure Resource Manager templates

Then learn how to use Role Based Access Control (RBAC) to give an MSI permission to access another Azure resource :+

From MSI-enabled resource Assign access to another Azure resource using
Azure VM (Windows) The Azure portal
PowerShell
Azure CLI

IGNORE BELOW


 

Original Link

Posted on September 14, 2017

Principal Program Manager, Azure Active Directory

A common challenge in cloud development is managing the credentials used to authenticate to cloud services. Today, I am happy to announce the Azure Active Directory Managed Service Identity (MSI) preview. MSI gives your code an automatically managed identity for authenticating to Azure services, so that you can keep credentials out of your code.

What is Managed Service Identity and how do I use it?

Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible. Ideally, they never appear on a developer’s workstation or get checked-in to source control. Azure Key Vault can store credentials securely so they aren’t in your code, but to retrieve them you need to authenticate to Azure Key Vault. To authenticate to Key Vault, you need a credential! A classic bootstrap problem. Through the magic of Azure and Azure AD, MSI provides a “bootstrap identity” that makes it much simpler to get things started.

Here’s how it works! When you enable MSI for an Azure service such as Virtual Machines, App Service, or Functions, Azure creates a Service Principal for the instance of the service in Azure AD, and injects the credentials (client ID and certificate) for the Service Principal into the instance of the service. Next,

  1. Your code calls a local MSI endpoint to get an access token
  2. MSI uses the locally injected credentials to get an access token from Azure AD
  3. Your code uses this access token to authenticate to an Azure service

Azure AD Managed Service Identity

And that’s it! The access token can be used directly with a service that supports Azure AD authentication, such as Azure Resource Manager. If you need to authenticate to a service that doesn’t natively support Azure AD, you can use the token to authenticate to Key Vault and retrieve credentials from there. Azure and Azure AD take care of rolling the Service Principal’s credentials. Your code and your developers will never see or manage them.

Try it

Today we are announcing previews of Managed Service Identity for:

Click the links to try a tutorial!

Managed Service Identity is a feature of Azure AD Free, which comes with every Azure subscription. There is no additional charge for using Managed Service Identity.

We would love to hear from you! You can ask how-to questions on Stack Overflow using the tag “azure-msi”, or post feature feedback or suggestions to the Azure AD developer feedback forum

Recent Comments

    Archives

    Schedule

    July 2019
    M T W T F S S
    « Jun    
    1234567
    891011121314
    15161718192021
    22232425262728
    293031  

    Categories

    Recent Comments

      Archives

      Schedule

      July 2019
      M T W T F S S
      « Jun    
      1234567
      891011121314
      15161718192021
      22232425262728
      293031  

      Categories

      Kirit Parmar (Azure Solutions Architect – Microsoft IAM)

      • United States

      Categories

      Copyright © 2019 Welcome to "my-azure"