Managed Identity

Photo by Matt Halls on Unsplash Photo by Matt Halls on Unsplash Introduction I have been using the DefaultAzureCredential class for a long time without understanding how it works. So, I jotted down my notes and learnings in this write-up for future me — and maybe you will find it useful too. TokenCredential TokenCredential is the abstract base class representing a source of authentication tokens for Azure services. Many classes derive from TokenCredential but the most interesting ones are DefaultAzureCredential and ChainedTokenCredential. ...

Recently, while setting up a Function App to use User Assigned Managed Identity (UAMI) to authenticate to its AzureWebJobsStorage I encountered SyncTriggerfailure. I checked whether the UAMI had necessary RBAC roles to work on AzureWebJobsStorage — it had. So, I wasn’t sure what the issue was. Analyzing further, I realized I had skipped a few mandatory variable settings to enable UAMI based authentication to AzureWebJobsStorage (setting the environment variable AzureWebJobsStorage__accountName alone does not suffice) ...

This guide outlines the process for assigning application roles to a Managed Identity (MI) in Entra ID. It covers observed behaviors, inherent limitations, and the necessary steps required when an MI must authenticate with another application (such as an API in APIM) using role-based access control (RBAC). Scenario In a typical architecture, a Logic App utilizes a Managed Identity (either System-Assigned or User-Assigned) to communicate with downstream resources. When that Logic App needs to call an API exposed via APIM, the following requirements usually apply: ...

Accessing Azure App Configuration using Managed Identity in Azure Functions is slightly different from accessing other Azure services. For most Azure services (Storage, Service Bus, Key Vault), you typically: Enable Managed Identity on the Function Grant RBAC access to the resource Create the SDK client using DefaultAzureCredential However, App Configuration is usually loaded as part of the application configuration pipeline at startup, so it must be added via the host builder. ...