How To Unlink My App From Pricing Template

How to utilise managed identities for App Service and Azure Functions

Commodity
03/23/2022
12 minutes to read

This commodity shows you how to create a managed identity for App Service and Azure Functions applications and how to utilize it to access other resources.

Of import

Managed identities for App Service and Azure Functions won't behave as expected if your app is migrated across subscriptions/tenants. The app needs to obtain a new identity, which is done by disabling and re-enabling the feature. Downstream resources also need to have access policies updated to use the new identity.

A managed identity from Azure Active Directory (Azure Advertising) allows your app to easily admission other Azure Advertizement-protected resource such as Azure Key Vault. The identity is managed by the Azure platform and does non require you to provision or rotate whatsoever secrets. For more about managed identities in Azure Advertizing, run into Managed identities for Azure resources.

Your application tin be granted two types of identities:

A system-assigned identity is tied to your awarding and is deleted if your app is deleted. An app can only have one arrangement-assigned identity.
A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app tin accept multiple user-assigned identities.

Add together a organisation-assigned identity

Azure portal
Azure CLI
Azure PowerShell
ARM template

In the left navigation of your app's page, scroll down to the Settings group.
Select Identity.
Within the System assigned tab, switch Status to On. Click Salve.

Note

To observe the managed identity for your web app or slot app in the Azure portal, under Enterprise applications, expect in the User settings section. Unremarkably, the slot proper name is similar to <app name>/slots/<slot name>.

Run the az webapp identity assign control to create a system-assigned identity:

                  az webapp identity assign --name myApp --resource-group myResourceGroup

For App Service

Run the Fix-AzWebApp -AssignIdentity control to create a arrangement-assigned identity for App Service:

                  Set-AzWebApp -AssignIdentity $true -Name <app-name> -ResourceGroupName <group-proper name>

For Functions

Run the Update-AzFunctionApp -IdentityType control to create a organization-assigned identity for a role app:

                  Update-AzFunctionApp -Proper noun $functionAppName -ResourceGroupName $resourceGroupName -IdentityType SystemAssigned

An Azure Resource Manager template can be used to automate deployment of your Azure resources. To learn more most deploying to App Service and Functions, see Automating resource deployment in App Service and Automating resource deployment in Azure Functions.

Any resource of type Microsoft.Web/sites tin be created with an identity by including the following property in the resources definition:

                  "identity": {     "type": "SystemAssigned" }

Adding the organisation-assigned type tells Azure to create and manage the identity for your application.

For instance, a web app's template might wait like the following JSON:

                  {     "apiVersion": "2016-08-01",     "type": "Microsoft.Web/sites",     "proper name": "[variables('appName')]",     "location": "[resourceGroup().location]",     "identity": {         "blazon": "SystemAssigned"     },     "properties": {         "name": "[variables('appName')]",         "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",         "hostingEnvironment": "",         "clientAffinityEnabled": false,         "alwaysOn": truthful     },     "dependsOn": [         "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]"     ] }

When the site is created, information technology has the post-obit additional properties:

                  "identity": {     "type": "SystemAssigned",     "tenantId": "<TENANTID>",     "principalId": "<PRINCIPALID>" }

The tenantId property identifies what Azure AD tenant the identity belongs to. The principalId is a unique identifier for the application's new identity. Inside Azure Advertizing, the service chief has the same name that you gave to your App Service or Azure Functions instance.

If you need to reference these properties in a later stage in the template, you can do and then via the reference() template function with the 'Full' flag, as in this example:

                  {     "tenantId": "[reference(resourceId('Microsoft.Web/sites', variables('appName')), '2018-02-01', 'Full').identity.tenantId]",     "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('appName')), '2018-02-01', 'Full').identity.principalId]", }

Add a user-assigned identity

Creating an app with a user-assigned identity requires that you create the identity and so add together its resource identifier to your app config.

Azure portal
Azure CLI
Azure PowerShell
ARM template

Start, you lot'll need to create a user-assigned identity resources.

Create a user-assigned managed identity resources according to these instructions.
In the left navigation for your app's page, scroll down to the Settings group.
Select Identity.
Inside the User assigned tab, click Add together.
Search for the identity you created before and select it. Click Add.

Important

If y'all select Add after you select a user-assigned identity to add, your application will restart.

Create a user-assigned identity.

                      az identity create --resource-group <group-name> --name <identity-proper noun>

Run the az webapp identity assign control to assign the identity to the app.

                      az webapp identity assign --resource-group <group-name> --name <app-name> --identities <identity-name>

For App Service

Calculation a user-assigned identity in App Service is currently non supported.

For Functions

Create a user-assigned identity.

                      Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease $userAssignedIdentity = New-AzUserAssignedIdentity -Name $userAssignedIdentityName -ResourceGroupName <grouping-proper noun>

Run the Update-AzFunctionApp -IdentityType UserAssigned -IdentityId control to assign the identity in Functions:

                      Update-AzFunctionApp -Name <app-name> -ResourceGroupName <grouping-name> -IdentityType UserAssigned -IdentityId $userAssignedIdentity.Id

An Azure Resource Manager template tin can be used to automate deployment of your Azure resources. To larn more about deploying to App Service and Functions, see Automating resource deployment in App Service and Automating resource deployment in Azure Functions.

Whatever resource of type Microsoft.Web/sites can exist created with an identity by including the post-obit cake in the resources definition, replacing <RESOURCEID> with the resource ID of the desired identity:

                  "identity": {     "type": "UserAssigned",     "userAssignedIdentities": {         "<RESOURCEID>": {}     } }

Annotation

An application can have both arrangement-assigned and user-assigned identities at the aforementioned fourth dimension. In this case, the type belongings would be SystemAssigned,UserAssigned

Calculation the user-assigned type tells Azure to use the user-assigned identity specified for your awarding.

For example, a web app'due south template might look similar the following JSON:

                  {     "apiVersion": "2016-08-01",     "type": "Microsoft.Spider web/sites",     "proper noun": "[variables('appName')]",     "location": "[resourceGroup().location]",     "identity": {         "type": "UserAssigned",         "userAssignedIdentities": {             "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {}         }     },     "properties": {         "proper noun": "[variables('appName')]",         "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",         "hostingEnvironment": "",         "clientAffinityEnabled": false,         "alwaysOn": true     },     "dependsOn": [         "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",         "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"     ] }

When the site is created, it has the following boosted backdrop:

                  "identity": {     "blazon": "UserAssigned",     "userAssignedIdentities": {         "<RESOURCEID>": {             "principalId": "<PRINCIPALID>",             "clientId": "<CLIENTID>"         }     } }

The principalId is a unique identifier for the identity that's used for Azure Advertising administration. The clientId is a unique identifier for the application'south new identity that'due south used for specifying which identity to use during runtime calls.

Configure target resources

You lot may need to configure the target resources to permit access from your app or function. For example, if y'all request a token to access Key Vault, you must as well add an access policy that includes the managed identity of your app or function. Otherwise, your calls to Key Vault volition be rejected, even if y'all use a valid token. The same is true for Azure SQL Database. To learn more about which resources support Azure Agile Directory tokens, run across Azure services that support Azure AD hallmark.

Important

The back-stop services for managed identities maintain a cache per resources URI for around 24 hours. If you update the admission policy of a particular target resource and immediately call back a token for that resource, you may continue to get a cached token with outdated permissions until that token expires. There's currently no way to force a token refresh.

Connect to Azure services in app code

With its managed identity, an app can obtain tokens for Azure resources that are protected by Azure Agile Directory, such equally Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application.

App Service and Azure Functions provide an internally accessible Residue endpoint for token retrieval. The REST endpoint can be accessed from within the app with a standard HTTP GET, which can be implemented with a generic HTTP client in every language. For .NET, JavaScript, Java, and Python, the Azure Identity client library provides an abstraction over this REST endpoint and simplifies the development experience. Connecting to other Azure services is as simple as adding a credential object to the service-specific client.

A raw HTTP GET request looks like the following example:

                  Get /MSI/token?resources=https://vault.azure.net&api-version=2019-08-01 HTTP/one.1 Host: localhost:4141 X-IDENTITY-HEADER: 853b9a84-5bfa-4b22-a3f3-0b9a43d9ad8a

And a sample response might wait like the following:

                  HTTP/one.1 200 OK Content-Type: awarding/json  {     "access_token": "eyJ0eXAi…",     "expires_on": "1586984735",     "resources": "https://vault.azure.net",     "token_type": "Bearer",     "client_id": "5E29463D-71DA-4FE0-8E69-999B57DB23B0" }

This response is the same every bit the response for the Azure AD service-to-service admission token request. To admission Key Vault, you will then add together the value of access_token to a client connection with the vault.

For .NET apps and functions, the simplest way to work with a managed identity is through the Azure Identity client library for .Internet. See the respective documentation headings of the client library for information:

Add Azure Identity client library to your project
Access Azure service with a system-assigned identity
Access Azure service with a user-assigned identity

The linked examples use DefaultAzureCredential. It's useful for the majority of the scenarios because the aforementioned pattern works in Azure (with managed identities) and on your local machine (without managed identities).

For Node.js apps and JavaScript functions, the simplest way to work with a managed identity is through the Azure Identity client library for JavaScript. See the respective documentation headings of the client library for information:

Add together Azure Identity customer library to your projection
Access Azure service with a system-assigned identity
Admission Azure service with a user-assigned identity

The linked examples utilise DefaultAzureCredential. It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

For more than code examples of the Azure Identity client library for JavaScript, encounter Azure Identity examples.

For Python apps and functions, the simplest way to piece of work with a managed identity is through the Azure Identity client library for Python. See the respective documentation headings of the customer library for data:

Add Azure Identity client library to your projection
Access Azure service with a system-assigned identity
Access Azure service with a user-assigned identity

The linked examples use DefaultAzureCredential. It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local car (without managed identities).

For Java apps and functions, the simplest style to work with a managed identity is through the Azure Identity client library for Java. Run into the respective documentation headings of the client library for information:

Add Azure Identity customer library to your projection
Admission Azure service with a arrangement-assigned identity
Admission Azure service with a user-assigned identity

The linked examples utilize DefaultAzureCredential. It'southward useful for the majority of the scenarios considering the same blueprint works in Azure (with managed identities) and on your local machine (without managed identities).

For more code examples of the Azure Identity customer library for Java, see Azure Identity Examples.

Use the following script to retrieve a token from the local endpoint past specifying a resource URI of an Azure service:

                  $resourceURI = "https://<AAD-resource-URI-for-resource-to-obtain-token>" $tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&api-version=2019-08-01" $tokenResponse = Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri $tokenAuthURI $accessToken = $tokenResponse.access_token

For more information on the Rest endpoint, see Residue endpoint reference.

Remove an identity

When y'all remove a organisation-assigned identity, information technology'south deleted from Azure Active Directory. System-assigned identities are too automatically removed from Azure Active Directory when yous delete the app resources itself.

Azure portal
Azure CLI
Azure PowerShell
ARM template

In the left navigation of your app'south page, gyre downward to the Settings grouping.
Select Identity. So follow the steps based on the identity type:
- System-assigned identity: Within the Organisation assigned tab, switch Status to Off. Click Salvage.
- User-assigned identity: Click the User assigned tab, select the checkbox for the identity, and click Remove. Click Yes to ostend.

To remove the organization-assigned identity:

                  az webapp identity remove --name <app-proper noun> --resource-group <grouping-name>

To remove 1 or more user-assigned identities:

                  az webapp identity remove --name <app-proper name> --resource-group <group-proper noun> --identities <identity-name1>,<identity-name2>,...

You lot can also remove the organization assigned identity by specifying [organisation] in --identities.

For App Service

Run the Set-AzWebApp -AssignIdentity command to remove a organisation-assigned identity for App Service:

                  Prepare-AzWebApp -AssignIdentity $false -Name <app-proper noun> -ResourceGroupName <grouping-name>

For Functions

To remove all identities in Azure PowerShell (Azure Functions simply):

                  # Update an existing function app to have IdentityType "None". Update-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupName -IdentityType None

To remove all identities in an ARM template:

                  "identity": {     "type": "None" }

Note

There is also an application setting that can exist set, WEBSITE_DISABLE_MSI, which simply disables the local token service. Notwithstanding, information technology leaves the identity in place, and tooling will all the same show the managed identity as "on" or "enabled." As a result, use of this setting is not recommended.

REST endpoint reference

An app with a managed identity makes this endpoint available past defining two environment variables:

IDENTITY_ENDPOINT - the URL to the local token service.
IDENTITY_HEADER - a header used to assist mitigate server-side asking forgery (SSRF) attacks. The value is rotated past the platform.

The IDENTITY_ENDPOINT is a local URL from which your app tin can request tokens. To get a token for a resource, brand an HTTP Go request to this endpoint, including the following parameters:

Parameter name In Clarification

resources Query The Azure Advertisement resource URI of the resource for which a token should be obtained. This could be one of the Azure services that back up Azure Advertisement authentication or any other resource URI.

api-version Query The version of the token API to exist used. Use "2019-08-01" or later.

10-IDENTITY-HEADER Header The value of the IDENTITY_HEADER environment variable. This header is used to assist mitigate server-side request forgery (SSRF) attacks.

client_id Query (Optional) The client ID of the user-assigned identity to be used. Cannot be used on a request that includes principal_id, mi_res_id, or object_id. If all ID parameters (client_id, principal_id, object_id, and mi_res_id) are omitted, the system-assigned identity is used.

principal_id Query (Optional) The principal ID of the user-assigned identity to be used. object_id is an alias that may exist used instead. Cannot be used on a request that includes client_id, mi_res_id, or object_id. If all ID parameters (client_id, principal_id, object_id, and mi_res_id) are omitted, the system-assigned identity is used.

mi_res_id Query (Optional) The Azure resources ID of the user-assigned identity to be used. Cannot be used on a asking that includes principal_id, client_id, or object_id. If all ID parameters (client_id, principal_id, object_id, and mi_res_id) are omitted, the system-assigned identity is used.

Parameter name	In	Clarification
resources	Query	The Azure Advertisement resource URI of the resource for which a token should be obtained. This could be one of the Azure services that back up Azure Advertisement authentication or any other resource URI.
api-version	Query	The version of the token API to exist used. Use "2019-08-01" or later.
10-IDENTITY-HEADER	Header	The value of the IDENTITY_HEADER environment variable. This header is used to assist mitigate server-side request forgery (SSRF) attacks.
client_id	Query	(Optional) The client ID of the user-assigned identity to be used. Cannot be used on a request that includes `principal_id`, `mi_res_id`, or `object_id`. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used.
principal_id	Query	(Optional) The principal ID of the user-assigned identity to be used. `object_id` is an alias that may exist used instead. Cannot be used on a request that includes client_id, mi_res_id, or object_id. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used.
mi_res_id	Query	(Optional) The Azure resources ID of the user-assigned identity to be used. Cannot be used on a asking that includes `principal_id`, `client_id`, or `object_id`. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used.

Of import

If you are attempting to obtain tokens for user-assigned identities, you must include one of the optional properties. Otherwise the token service will attempt to obtain a token for a arrangement-assigned identity, which may or may not exist.

Next steps

Tutorial: Connect to SQL Database from App Service without secrets using a managed identity
Access Azure Storage securely using a managed identity
Call Microsoft Graph securely using a managed identity
Connect securely to services with Key Vault secrets

Feedback

Submit and view feedback for