Enable System-Assigned Managed Identities (2024)

Security

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines launched in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to examine.

06 In the navigation panel, under Settings, select Identity to access the system-assigned managed identity configuration available for the selected VM.

07 On the Identity page, check the Status configuration setting. If Status is set to Off, the system-assigned managed identity is not enabled for the selected Microsoft Azure virtual machine.

08 Repeat step no. 5 – 7 for each Azure virtual machine available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) deployed within the current Azure subscription:

az vm list --query '[*].id'

02 The command output should return the requested Azure virtual machine ID(s):

["/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-worker-vm","/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-staging-vm"]

03 Run vm show command (Windows/macOS/Linux) using the ID of the Azure virtual machine that you want to examine as identifier parameter and custom query filters, to describe the system-assigned managed identity configuration available for the selected VM:

az vm show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-worker-vm" --query '{"IdentityConfig": identity}'

04 The command output should return the requested configuration information:

{ "IdentityConfig": null}

If the vm show command output returns null as the value for the "IdentityConfig" attribute, as shown in the example above, the system-assigned managed identity is not enabled for the selected Microsoft Azure virtual machine.

05 Repeat step no. 3 and 4 for every Azure virtual machine available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines available in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to reconfigure (see Audit section part I to identify the right resource).

06 In the navigation panel, under Settings, select Identity to access the system-assigned managed identity configuration available for the selected VM.

07 On the Identity page, click On next to the Status setting to enable the system-assigned managed identity for the selected Azure virtual machine. Click Save to apply the configuration change, then select Yes to confirm the action. Once the system-assigned managed identity is enabled, the selected virtual machine will be registered with Microsoft Entra ID. After being registered, you can control its access to other Azure cloud services like Resource Manager, Azure Key Vault and Azure Storage Account.

08 Now you can use, for example, the VM's managed identity to read or retrieve data stored within your Azure Storage containers without the need of using access credentials in your application code.

09 Repeat steps no. 5 – 7 to enable the system-assigned managed identity for other Azure virtual machines available in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure Portal

01 Run vm identity assign command (Windows/macOS/Linux) using the ID of the virtual machine that you want to reconfigure (see Audit section part II to identify the right resource), to enable the system-assigned managed identity for the selected Azure VM. Once the system-assigned managed identity is enabled, the selected virtual machine will be registered with Microsoft Entra ID. After being registered, you can control the resource access to other Azure cloud services like Resource Manager, Azure Key Vault and Azure Storage Account:

az vm identity assign --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-worker-vm" --identities [system]

02 The command output should return the unique identifier assigned to the selected VM, provided once it's registered with Microsoft Entra ID:

{ "systemAssignedIdentity": "abcdabcd-1234-abcd-1234-abcdabcdabcd", "userAssignedIdentities": {}}

03 After the Microsoft Entra ID registration, you can use, for example, the VM's managed identity to read or retrieve data available in your Azure Storage containers without the need of using access credentials within your application code.

04 Repeat step no. 1 and 2 to enable the system-assigned managed identity for other Azure virtual machines provisioned in the current subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.