I am trying to use a managed identity from Azure in a non-Azure VM to access my Azure resources. Is this possible?
You can use managed identities with App Service too
In the link below you can see all Azure resources that support managed identities.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
I would like to know if it is always recommended to use Managed Identities in Azure, mostly system assigned, or a Service Principal?
When should Service Principals be used in Azure compared to a managed identity, what is the advantage of one over the other?
Any help would be appreciated.
Internally, managed identities are service principals of a special type, which are locked to only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed. Also, when a User-Assigned or System-Assigned Identity is created, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity.
Source: What are managed identities for Azure resources?
and
So what’s the difference?
Put simply, the difference between a managed identity and a service principal is that a managed identity manages the creation and automatic renewal of a service principal on your behalf.
Source: What’s an Azure Service Principal and Managed Identity?
A managed identity is a type of service principal.
A service principal can be one of three types: application, managed identity, and legacy. The division into types is based on circumstances of their usage. Thus their specific handling also differs based on their type.
rickvdbosch provided a link to an article that talks about the specifics of the managed identity type of service principal.
For those who would like to learn about the concept of the service principal object and its types, here is a link to a different article:
Application and service principal objects in Azure Active Directory.
An Azure service principal is like an application, whose tokens can be used by other Azure resources to authenticate and grant access to Azure resources.
Managed identities are service principals of a special type, which are locked to only be used with Azure resources.
The main difference between both is that with a managed identity you don’t need to specify any credentials in your code, compared to service principals where you need to specify the application ID, client ID, etc. to generate a token to access any Azure resource. Ideally, you should opt for a service principal only if the service you use doesn’t support managed identity.
Service Principal
We can say the most relevant part of the Service principal is the Enterprise Apps section under Azure Active Directory. This is basically an application that will allow your user apps to authenticate and access Azure resources, based on the RBAC.
It essentially is an ID of an application that needs to access Azure resources. In layman’s terms, imagine if you have to assign certain access to your colleague so that he/she can access Azure resources and perform required tasks; you can use their email ID as a way to authenticate the user.
Managed Identity
We can say that the Managed Identities are actually Service Principals and they are identical in the functionality and purpose they serve.
The only difference is that a managed identity is always linked to an Azure Resource, unlike an application or 3rd party connector mentioned above. They are automatically created for you, including the credentials; the big benefit here is that no one knows the credentials.
There are two types of managed identities:
1.) System assigned; in this scenario, the identity is linked to a single Azure Resource, eg a Virtual Machine, a Web App, Function,… so almost anything. Next, they also “live” with the Azure Resource, which means they get deleted when the Azure Resource gets deleted.
2.) User Assigned Managed Identity, which means that you first have to create it as a stand-alone Azure resource by itself, after which it can be linked to multiple Azure Resources. An example here could be out of integration with the Key Vault, where different Workload services belonging to the same application stack, need to read out information from Key Vault. In this case, one could create a “read KV” Managed Identity, and link it to the web app, storage account, function, logic app,… all belonging to the same application architecture.
Managed Identities are tied to a resource (VM, Logic App, etc). To give the resource grants and permissions for accessing (CRUD) other resources you use Managed Identities.
Service Principals do not have to be tied to a resource; they live under the tenant and above the subscription, and, what is more important, have some auth tokens that could be stored somewhere (Key Vault). It is like a fake user with some credentials and tokens.
A Service Principal could be looked at as similar to a service account in a more traditional on-premises application or service scenario. Managed Identities are used for “linking” a Service Principal security object to an Azure Resource like a Virtual Machine, Web App, Logic App or similar.
I was reading https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview and midway through realized my brain was boiling.
Is there a more intuitive explanation to what it is and why it eliminates the need to store credentials in the source code?
Try https://azure.microsoft.com/en-us/blog/keep-credentials-out-of-code-introducing-azure-ad-managed-service-identity/.
You can think of it as if your Azure Resource (i.e. a VM) is the identity. Say you want to access a blob in Azure Storage from your Azure virtual machine. One option is to create an AAD application and put the client id and client secret (password) into your code or configuration file. This is the problem that managed identities try to solve.
With a managed identity assigned to the VM, Azure knows that the VM has an identity, so your code just calls storage directly, using the token obtained from the managed identity. You don't need to store a client secret to get that managed identity token, because Azure already knows 'who' the VM is and allows it to use the managed identity implicitly.
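As an added illustration (not code from any of the posts above) of what the answers on this page describe in L21, L30 and the two paragraphs just above, the script below builds the two token requests side by side: the client-credentials call a service principal makes, which has to carry a stored client secret, and the call a VM makes to the local Azure Instance Metadata Service (IMDS), which carries no credential at all because only code running inside that VM can reach the endpoint. The IMDS URL, the `api-version=2018-02-01` parameter, the required `Metadata: true` header and the `client_id` query parameter used to select a user-assigned identity are the documented IMDS interface; the token response is a constructed sample, and nothing here makes a network call, so it runs offline.

```python
"""Service principal (client secret) vs managed identity (IMDS) token requests.

Added example; assumptions: the IMDS endpoint, api-version, 'Metadata' header
and 'client_id' selector below are the documented Azure IMDS interface, and
SAMPLE_IMDS_RESPONSE is a constructed response, not a real token.
"""
import json
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

# Only reachable from inside an Azure VM; Azure fills in 'who' the VM is.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
# Public AAD endpoint used by the client-credentials (service principal) flow.
AAD_TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


@dataclass
class TokenRequest:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)  # form fields; empty for a GET

    def carries_secret(self) -> bool:
        """True if a long-lived credential travels with the request."""
        return "client_secret" in self.body or "client_assertion" in self.body


def service_principal_request(tenant_id: str, client_id: str,
                              client_secret: str, scope: str) -> TokenRequest:
    """Client-credentials flow: the app proves itself with a secret it must store."""
    return TokenRequest(
        method="POST",
        url=AAD_TOKEN_ENDPOINT.format(tenant=tenant_id),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        body={
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,  # this is what ends up in code/config
            "scope": scope,
        },
    )


def managed_identity_request(resource: str,
                             user_assigned_client_id: Optional[str] = None) -> TokenRequest:
    """Managed identity: ask the VM-local IMDS endpoint; no credential in the request."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if user_assigned_client_id:
        # A VM can have several user-assigned identities; select one explicitly.
        # Without this, IMDS uses the system-assigned identity.
        params["client_id"] = user_assigned_client_id
    return TokenRequest(
        method="GET",
        url=f"{IMDS_TOKEN_ENDPOINT}?{urlencode(params)}",
        # IMDS rejects requests without this header; clients that blindly follow
        # redirects do not add custom headers, which limits SSRF-style misuse.
        headers={"Metadata": "true"},
    )


# Constructed sample of the JSON shape IMDS returns (values are made up).
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi.CONSTRUCTED.SAMPLE",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "expires_in": "3599",
    "expires_on": "1700003599",
    "ext_expires_in": "3599",
    "not_before": "1699999700",
    "resource": "https://storage.azure.com/",
    "token_type": "Bearer",
})


def parse_imds_token(raw: str, now: Optional[float] = None) -> dict:
    """Parse an IMDS token response; IMDS gives expires_on as a string Unix time."""
    data = json.loads(raw)
    expires_on = int(data["expires_on"])
    now = time.time() if now is None else now
    return {
        "token": data["access_token"],
        "resource": data["resource"],
        "expires_on": expires_on,
        "seconds_left": expires_on - int(now),
    }


def needs_refresh(parsed: dict, skew_seconds: int = 300) -> bool:
    """Refresh ahead of expiry so a call never goes out with a token about to lapse."""
    return parsed["seconds_left"] <= skew_seconds


if __name__ == "__main__":
    sp = service_principal_request("TENANT-ID-PLACEHOLDER", "APP-ID-PLACEHOLDER",
                                   "SECRET-PLACEHOLDER", "https://storage.azure.com/.default")
    mi = managed_identity_request("https://storage.azure.com/")
    print("service principal carries a secret:", sp.carries_secret())
    print("managed identity carries a secret: ", mi.carries_secret())
    tok = parse_imds_token(SAMPLE_IMDS_RESPONSE, now=1700000000)
    print("seconds left on sample token:", tok["seconds_left"],
          "refresh now?", needs_refresh(tok))
```

The point the comparison makes is structural: the only thing that differs between the two requests is whether a stored credential is in the body. With the service principal flow the secret has to live somewhere (code, config, Key Vault) and be rotated; with IMDS the proof of identity is the network position of the caller inside the VM, which is why the managed identity answers above say there is nothing to store. The `needs_refresh` helper reflects the usual practice of treating the returned token as short-lived and re-requesting it a few minutes before `expires_on`.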
My goal is to have a VM to run builds for Azure DevOps with a user-assigned managed identity so we can keep everything connectionStringLess.
I have just created an Azure Lab and a VM in it.
The reason for this in the lab is so we can shut it down during nights and weekends.
However, I can't find the option to assign managed identities to it.
If possible, how do I do it?
It looks like the lab VM (Microsoft.DevTestLab/labs/virtualmachines) does not support MSI currently; you need to use the Azure VM (Microsoft.Compute/virtualMachines).
Reference - Services that support managed identities for Azure resources.
Besides, I notice you use the lab VM for auto-start/stop reasons; actually the Azure VM also supports that, see the Start/Stop VMs during off-hours solution in Azure Automation, which not only schedules VMs to start and stop, but also has other features.
I had gone through this URL which says how to encrypt the Linux VM, but it does not seem to suit my requirement.
I have an Azure Linux VM (CentOS) that runs Elasticsearch and I need to encrypt the data stored in the attached hard disks. And I do not make use of AD.
Are there proper steps that say how to do this, and also using Key Vault?
I am struggling with the same task currently. You need an AD to create an Application inside, this application needs access to the KeyVault. Azure uses the Application for authorization.
A KeyVault can be created without AD, but it seems to be useless without AD.