AZ-204: Developing Solutions for Microsoft Azure

Implementing Managed Identities

Managed Identity Authentication Flow

In this article, we explore how a system-assigned managed identity functions with an Azure Virtual Machine. While the process is nearly identical for a user-assigned managed identity, note that user-assigned identities are standalone resources that must be created before use.

Note

User-assigned managed identities are created independently and can be associated with multiple resources.

How It Works

The managed identity authentication flow involves several key steps:

  1. Enable Managed Identity
    Azure Resource Manager (ARM) receives a request to enable a system-assigned managed identity on a virtual machine (or any resource that supports managed identities).

  2. Service Principal Creation
    Once enabled, a service principal is automatically generated in Microsoft Entra ID (formerly Azure Active Directory) for the virtual machine’s identity.

  3. VM Configuration Update
    ARM configures the virtual machine by updating the Azure Instance Metadata Service with the newly created service principal's client ID and certificate.

  4. Resource Access Provisioning
    With the virtual machine now equipped with an identity, you grant that service principal access to the resources your code needs: assign it an Azure RBAC role on the target resource or its scope (for example, Storage Blob Data Reader on a storage account), or grant it data-plane permissions such as an access policy on a Key Vault secret. Nothing in your code changes at this step; access is decided entirely by what the identity has been granted.

  5. Token Request
    The code running on the virtual machine requests an access token for a specific resource (for example, https://vault.azure.net) from the Azure Instance Metadata Service endpoint at http://169.254.169.254/metadata/identity/oauth2/token. This endpoint is link-local and reachable only from inside the VM, and it requires the request header "Metadata: true", so a server-side request forgery in the application cannot be redirected at it to harvest tokens.

  6. JWT Acquisition
    On the VM's behalf, the Instance Metadata Service calls Microsoft Entra ID using the client ID and certificate that were configured in step 3. Microsoft Entra ID returns a JSON Web Token (JWT) access token whose audience (aud) is the resource requested in step 5, and that JWT is handed back to your code. The certificate never leaves the platform; your code only ever sees the resulting bearer token.

  7. Resource Access
    Finally, your application presents the JWT as a bearer token (Authorization: Bearer <token>) to services that support Microsoft Entra authentication, such as Azure Key Vault or Azure Blob Storage. The service validates the token's signature, audience and expiry, then checks the role or permissions granted in step 4 before serving the request.
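The following Python example, added here and not part of the original article, walks through steps 5 to 7 from the application's side: it builds the Instance Metadata Service request (with the mandatory Metadata header and the resource audience), validates the response before the token is used, and decodes the JWT claims for inspection. The live request in fetch_token only works on an Azure VM; the SAMPLE_RESPONSE at the bottom is a constructed, unsigned stand-in so the rest of the module can run anywhere. The helper names and the sample timestamp are my own and not Azure SDK identifiers.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# IMDS is a link-local endpoint; the request never leaves the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_request(resource, client_id=None):
    """Return (url, headers) for a managed-identity token request.

    `resource` is the audience you want, e.g. "https://vault.azure.net" for
    Key Vault or "https://storage.azure.com/" for Blob Storage. `client_id`
    selects a user-assigned identity; None means the system-assigned one.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header. It exists so that an SSRF bug
    # in your app cannot be pointed at IMDS: an attacker who controls only a
    # URL usually cannot add custom request headers.
    headers = {"Metadata": "true"}
    return url, headers


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    The VM is only a bearer of the token; the target service verifies the
    signature. Local decoding is for sanity checks and logging only.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def parse_token_response(body, expected_resource, now=None):
    """Validate an IMDS token response; return (access_token, expires_on).

    Raises ValueError on a wrong audience or an expired token, so a typo in
    `resource` fails here instead of as a 401 from Key Vault later.
    """
    data = json.loads(body)
    token = data["access_token"]
    expires_on = int(data["expires_on"])  # IMDS returns this as a string
    now = time.time() if now is None else now
    aud = jwt_claims(token).get("aud", "")
    if aud.rstrip("/") != expected_resource.rstrip("/"):
        raise ValueError(f"token audience {aud!r} != {expected_resource!r}")
    if expires_on <= now:
        raise ValueError("token already expired")
    return token, expires_on


def fetch_token(resource, client_id=None, timeout=2.0):
    """Live request to IMDS; only succeeds when run on an Azure VM."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode(), resource)


# --- Constructed sample (unsigned, not a real token) for offline runs -------
def _fake_jwt(claims):
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


SAMPLE_EXPIRY = 1_700_000_000  # constructed Unix timestamp
SAMPLE_RESPONSE = json.dumps({
    "access_token": _fake_jwt({"aud": "https://vault.azure.net", "exp": SAMPLE_EXPIRY}),
    "expires_on": str(SAMPLE_EXPIRY),
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    print(build_imds_request("https://vault.azure.net", client_id=None))
    token, exp = parse_token_response(
        SAMPLE_RESPONSE, "https://vault.azure.net", now=SAMPLE_EXPIRY - 3600)
    print(jwt_claims(token), exp)
```

In production code you would normally let the azure-identity library do this for you (ManagedIdentityCredential or DefaultAzureCredential, calling get_token with the resource's ".default" scope); it handles caching and refresh. The hand-rolled version above is useful mainly for understanding what the SDK sends and for diagnosing a failing identity from inside the VM with nothing but the standard library.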

Configuring Managed Identity

To configure the identity, navigate to the Azure Portal. In this example, we demonstrate the process using a Function App; however, the same configuration applies to any Azure resource that supports managed identities.

This streamlined process ensures a secure and automated approach to managing resource access in the Azure ecosystem.
