Microsoft Azure — Managed Identities & Service Principals
System-assigned and user-assigned managed identities, service principals, RBAC authentication, and keyless access..
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
- ✓Azure subscription, Azure CLI (version 2.40+), basic understanding of Azure AD and RBAC, familiarity with bash or Python for code examples.
Managed Identities & Service Principals is like having a specialized tool that handles managed identities in the Microsoft cloud — you manage the configuration, Azure handles the infrastructure.
Azure is Microsoft's cloud computing platform offering over 200 services. This article covers managed identities & service principals with production-ready configurations, best practices, and hands-on examples.
Why Managed Identities Beat Service Principals
In Azure, authentication between services has traditionally relied on Service Principals—essentially, identity objects with a client ID and secret. The problem? Secrets get leaked. They're checked into Git, stored in config files, or rotated manually and forgotten. Managed Identities eliminate the secret management burden entirely. They're Azure's way of saying: 'Let me handle the credential lifecycle.' A Managed Identity is tied to an Azure resource (like a VM, App Service, or Function) and automatically rotates its own credentials. No secrets to store, no rotation scripts. For any workload running inside Azure, this should be your default. Service Principals are still useful for external applications or cross-tenant scenarios, but inside Azure, Managed Identities reduce attack surface and operational overhead. The trade-off? You lose the ability to use the same identity across resources—each resource gets its own identity. But that's actually a security win: least privilege per resource.
Setting Up a System-Assigned Managed Identity
System-assigned Managed Identities are the simplest to configure. When you enable it on an Azure resource, Azure automatically creates an identity in Azure AD tied to that resource's lifecycle. Enable it during resource creation or afterward. For an Azure VM, you can enable it via the portal, CLI, or ARM template. Once enabled, the VM can request tokens from the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254. No code changes needed beyond using the default credential chain in SDKs. The identity is automatically deleted when the resource is deleted—no orphaned identities. This is ideal for ephemeral workloads like batch processing VMs or auto-scaling app services. The downside: you can't share the identity across resources. If you need the same identity on multiple VMs, use a user-assigned identity instead.
User-Assigned Managed Identities: Sharing Identity Across Resources
User-assigned Managed Identities are standalone Azure resources that you create once and assign to multiple Azure resources. This is useful when you have a fleet of VMs or multiple App Services that all need to authenticate to the same Key Vault or Storage Account. You create the identity, assign it to each resource, and grant permissions to the identity itself. The identity persists even if the resources are deleted. This decouples identity from resource lifecycle. However, you now have an extra resource to manage. User-assigned identities also support more complex scenarios like cross-region replication or using the same identity in different subscriptions (via RBAC). The trade-off: you must explicitly assign the identity to each resource, and the identity's client ID is needed in code if you're not using the default credential chain.
Service Principals: When and How to Use Them
Service Principals are the classic Azure AD application identities. They consist of a client ID and a client secret (or certificate). Use them when your application runs outside Azure (e.g., on-premises, another cloud) or when you need to authenticate as the application itself (e.g., for CI/CD pipelines). Service Principals are also necessary for cross-tenant scenarios where Managed Identities can't reach. The main drawback: you must manage secrets. Rotate them regularly, store them in a vault (Azure Key Vault), and never hardcode them. Use certificates instead of secrets for better security—they can be rotated without downtime. Service Principals also support OAuth 2.0 client credentials flow, which is standard for server-to-server communication. For production, always use certificates with auto-rotation via Key Vault.
Granting Permissions: RBAC for Identities
Both Managed Identities and Service Principals are Azure AD objects that can be assigned RBAC roles. The principle is the same: grant the identity the minimum permissions it needs. For Managed Identities, you assign roles to the identity's principal ID. For Service Principals, you assign roles to the app's service principal object. Use built-in roles like 'Reader', 'Contributor', or custom roles for fine-grained access. Always scope roles to the resource group or resource level, not the subscription, unless necessary. Remember: Managed Identities are security principals, so they appear in Azure AD and can be granted access to resources just like users. The key difference is that Managed Identities cannot be used to sign in interactively—they're for automated workflows only.
Token Acquisition: How Your Code Gets Credentials
Managed Identities acquire tokens via the Azure Instance Metadata Service (IMDS) endpoint. When your code requests a token (e.g., using DefaultAzureCredential in Azure SDK), the SDK automatically calls http://169.254.169.254/metadata/identity/oauth2/token. No secrets involved. For Service Principals, the SDK uses the client ID and secret/certificate to request a token from Azure AD's OAuth endpoint. In both cases, the token is cached and refreshed automatically. The key difference: with Managed Identities, the infrastructure handles the credential; with Service Principals, your application must have access to the secret or certificate. For production, always use DefaultAzureCredential or ChainedTokenCredential to fall back from Managed Identity to Service Principal if running locally.
Common Pitfalls and How to Avoid Them
Even with Managed Identities, things can go wrong. The most common issue is token acquisition failures due to network restrictions. IMDS endpoint (169.254.169.254) must be accessible—don't block it in NSGs or firewalls. Another pitfall: assigning roles to the wrong principal ID. For system-assigned, use the principal ID from the resource's identity block. For user-assigned, use the principal ID of the identity resource itself. Also, Managed Identities are not supported for all Azure services (e.g., some third-party SaaS). Always check documentation. Finally, beware of token expiration: tokens are valid for up to 24 hours, but SDKs handle refresh automatically. However, if you cache tokens manually, you might serve stale tokens. Let the SDK manage the lifecycle.
Production Strategy: When to Use Which Identity Type
Your identity strategy should follow a simple rule: use Managed Identities for all Azure-internal workloads, and Service Principals only for external or cross-tenant scenarios. Within Managed Identities, prefer system-assigned for single-resource workloads (e.g., one App Service accessing one database) and user-assigned for multi-resource workloads (e.g., a VMSS writing to a common storage account). Avoid using Service Principals inside Azure unless you have no choice (e.g., legacy app that can't use IMDS). For CI/CD pipelines, use Service Principals with certificates stored in Key Vault, and rotate them automatically. For local development, use DefaultAzureCredential with Azure CLI or Visual Studio. Document your identity architecture and include it in your disaster recovery plan—if an identity is deleted, you lose access.
| File | Command / Code | Purpose |
|---|---|---|
| create-identity.sh | az identity create --name MyManagedIdentity --resource-group MyRG | Why Managed Identities Beat Service Principals |
| enable-system-assigned.sh | az vm identity assign --resource-group MyRG --name MyVM | Setting Up a System-Assigned Managed Identity |
| create-user-assigned.sh | az identity create --name MyUserIdentity --resource-group MyRG | User-Assigned Managed Identities |
| create-sp.sh | az ad sp create-for-rbac --name MyServicePrincipal --role Contributor --scopes /... | Service Principals |
| assign-role.sh | az role assignment create --assignee-object-id | Granting Permissions |
| token_acquisition.py | from azure.identity import DefaultAzureCredential | Token Acquisition |
| debug-token.sh | curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-... | Common Pitfalls and How to Avoid Them |
| identity-decision.yaml | identity_decision: | Production Strategy |
Key takeaways
Common mistakes to avoid
3 patternsNot planning managed identities properly before deployment
Ignoring Azure best practices for managed identities
Overlooking cost implications of managed identities
Interview Questions on This Topic
Explain Managed Identities & Service Principals and its use cases.
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
That's Azure. Mark it forged?
4 min read · try the examples if you haven't