Before zooming in on these, let’s take a step back and look at the different Azure Identity Objects we have available in Azure Active Directory<\/a><\/strong> today.<\/p>\n Azure AD is the trusted Identity Object store, in which you can create different Identity Object types. The most common ones are Users and Groups<\/strong>, but you can also have Applications<\/strong> in there, also known as Enterprise Apps<\/strong>.<\/p>\n An example for each could be:<\/p>\n Most relevant to Service Principal, is the Enterprise apps; according to the formal definition, a service principal is \u201c\u2026An application whose tokens can be used to authenticate and grant access to specific Azure resources from a user-app, service or automation tool, when an organization is using Azure Active Directory\u2026\u201d<\/em><\/p>\n In essence, by using a Service Principal, you avoid creating \u201cfake users\u201d<\/strong> (we would call them service account in on-premises Active Directory…) in Azure AD to manage authentication when you need to access Azure Resources.<\/p>\n The Service Principals’ access can be restricted<\/strong> by assigning Azure RBAC roles<\/a><\/strong> so that they can access the specific set of resources only. There is one major exception<\/strong> to this RBAC rule, and that is Azure Key Vault<\/a><\/strong>, which can be extended by using Key Vault Access Policies to define permissions, instead of Azure RBAC roles. (to be 100% correct on this statement, there is actually a preview available since mid Oct 2020, allowing RBAC KeyVault access as well – check this article<\/a> for more details).<\/p>\n Typical use cases where you would rely on a Service Principal is for example when running Terraform<\/a> IAC (Infrastructure as Code) deployments, or when using Azure DevOps<\/a> for example, where you define a Service Connection from DevOps Pipelines to Azure; or basically any other 3rd party application requiring an authentication token to connect to Azure resources.<\/p>\n An Azure Service Principal can be created using “any” traditional way like the Azure Portal, Azure PowerShell, Rest API or Azure CLI. Let me show you the command syntax out of Azure CLI to achieve this:<\/p>\n resulting in this outcome:<\/p>\n Copy this information aside; in the example of an Azure DevOps Service Connection<\/strong>, this information would be used as follows:<\/p>\n where you just need to copy the correct information in the corresponding parameter fields:<\/p>\n And using a Terraform deployment template file (or terraform.tfvars variable file) as an example, would use this information like this:<\/p>\n NOTE: The best recommendation I can give, is to store the Service Principal credentials in a safe way, like using Azure Key Vault, instead of a clear-text Notepad document or Terraform.tf file<\/strong><\/p>\n And in a somehow similar way, you would use the same concept from about any other third party solution, keeping in mind that the technical parameter field names might differ a bit from what the Azure CLI command provides as output.<\/p>\n While this seems all fair from a security perspective, since we are not literally using the Azure administrative accounts (former service account concepts, remember…) anymore, there are also a few challenges involved in using SPs:<\/p>\n Where Service Principals are important and very useful from a security perspective, I also pointed out some challenges. The fact that there is administrative overhead (and potential security risk) involved is probably the biggest one.<\/p>\n That\u2019s where Managed Identities come in.<\/p>\n Managed Identities are in essence 100% identical in functionality and use case than Service Principals. In fact, they are actually Service Principals.<\/p>\n What makes them different though, is: – They are always linked to an Azure Resource, not to an application or 3rd party connector – They are automatically created for you, including the credentials; big benefit here is that no one knows the credentials<\/strong><\/p>\n Managed Identities exist in 2 formats: – System assigned<\/strong>; in this scenario, the identity is linked to a single Azure Resource, eg a Virtual Machine, a Logic App, a Storage Account, Web App, Function,\u2026 so almost anything. Next, they also \u201clive\u201d with the Azure Resource, which means they get deleted when the Azure Resource gets deleted. – User Assigned<\/strong> Managed Identity, which means that you first have to create it as a stand-alone Azure resource by itself, after which it can be linked to multiple Azure Resources. An example here could be out of an integration with Key Vault, where different Workload services belonging to the same application stack, need to read out information from Key Vault. In this case, one could create a \u201cread KV\u201d Managed Identity, and link it to the web app, storage account, function, logic app,\u2026 all belonging to the same application architecture.<\/p>\n Let’s walk through a quick demo scenario for both, using a Virtual Machine as Azure Resource:<\/p>\n Switching to Azure Key Vault \/ Access Policies, we can now define this System Assigned Managed Identity<\/strong> having get<\/em> and list<\/em> permissions (or any other) for keys, secrets or certificates. For example reading out an Azure Storage Account Access key or similar.<\/p>\n Notice how Azure Key Vault is expecting a Service Principal<\/strong> object here (where in reality we are using a Managed Identity).<\/p>\n Similarly, let’s remove the System Assigned MI of the VM and use a User Assigned one in the next example (an Azure Resource can only be linked to one or the other, not both…):<\/p>\n As you notice, the Managed Identity object gets immediately removed from Azure AD. Yes, security is key here…<\/p>\n Remember that a User Assigned<\/strong> Managed Identity is a stand-alone Azure Resource, which needs to be created first, after which you can assign it to another Azure Resource (our VM in this scenario).<\/p>\n Select it and add it as a Virtual Machine User Assigned object.<\/p>\n<\/li>\n Select another Azure Resource in your subscription, for example an Azure Web App, Logic App,… and once more select Identity<\/strong> from the settings. Below screenshot shows what it looks like for an Azure Web App Resource:<\/p>\n<\/li>\n<\/ul>\n To complete the sample scenario, let’s go back to Azure Key Vault, and specify another Access Policy for this User Assigned Managed Identity:<\/p>\n After saving the changes, the result is that now both the Azure Virtual Machine as well as the Web App – having the User Assigned Managed Identity assigned to them – can read our keys and secrets from Azure Key Vault.<\/p>\n In this post, I wanted to clarify the use case, difference and similarities between Service Principals and Managed Identities. A Service Principal could be looked at as similar to a service account-alike<\/strong> in a more traditional on-premises application or service scenario. Managed Identities are used for “linking” a Service Principal security object to an Azure Resource like a Virtual Machine, Web App, Logic App or similar. For a 1:1 relation<\/strong> between both, you would use a System Assigned<\/strong>, where for a 1:multi relation<\/strong>, you would use a User Assigned Managed Identity<\/strong>.<\/p>\n As always, holler when having any questions petender@microsoft.com or @pdtit on Twitter<\/p>\n \/Peter<\/p>\n","protected":false},"excerpt":{"rendered":" This article will describe the use case and core differences between Service Principal and Managed Identities, using Key Vault and other Azure services as an example<\/p>\n","protected":false},"author":45107,"featured_media":60852,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,251],"tags":[],"class_list":["post-60837","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-security"],"acf":[],"blog_post_summary":" This article will describe the use case and core differences between Service Principal and Managed Identities, using Key Vault and other Azure services as an example<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/60837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/45107"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=60837"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/60837\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/60852"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=60837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=60837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=60837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Azure AD Identity<\/h2>\n
\n
Service Principal<\/h2>\n
az ad sp create-for-rbac --name \"pdtdevblogsp\"\n<\/code><\/pre>\n![\"az](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-01.jpg\")
<\/p>\n![\"ado](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-02.jpg\")
<\/p>\n\n
Terraform subscription service principal vars\n\n subscription_id = \"0a407898-c077-442d-xxxx-xxxxxxxxxxxx\"\n client_id = \"3723bfcc-f0ba-4bba-xxxx-xxxxxxxxxxxx\"\n client_secret = \"b9eab5cb-c1b0-46e6-xxxx-xxxxxxxxxxxx\"\n tenant_id = \"70681eb4-8dbc-4dc2-xxxx-xxxxxxxxxxxx\"\n<\/code><\/pre>\n\n
Managed Identities<\/h2>\n
\n
![\"System](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-03.jpg\")
<\/p>\n![\"Access](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-04.jpg\")
<\/p>\n\n
![\"Confirmation\"](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-05.jpg\")
<\/p>\n\n
\n
![\"User](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-06.jpg\")
<\/p>\n\n
![\"User](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-07.jpg\")
<\/p>\n\n
![\"User](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-08.jpg\")
<\/p>\n\n
![\"User](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-09.jpg\")
<\/p>\n\n
![\"User](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/01\/2021-01-12-10.jpg\")
<\/p>\nSummary<\/h2>\n
\n