User-assigned managed identities are created independently and can be associated with multiple resources.
How It Works
The managed identity authentication flow involves several key steps:

1. Enable Managed Identity: Azure Resource Manager (ARM) receives a request to enable a system-assigned managed identity on a virtual machine (or any resource that supports managed identities).
2. Service Principal Creation: Once enabled, a service principal is automatically generated in Microsoft Entra ID (formerly Azure Active Directory) for the virtual machine's identity.
3. VM Configuration Update: ARM configures the virtual machine by updating the Azure Instance Metadata Service with the newly created service principal's client ID and certificate.
4. Resource Access Provisioning: With the virtual machine now equipped with an identity, the service principal can be used to grant access to additional Azure resources.
5. Token Request: The code running on the virtual machine requests an access token from the Azure Instance Metadata Service endpoint, which is accessible only internally.
6. JWT Acquisition: The access token is then used to contact Microsoft Entra ID to retrieve a JSON Web Token (JWT) using the pre-configured client ID and certificate.
7. Resource Access: Finally, your application sends the JWT to services that support Microsoft Entra Authentication, such as Azure Key Vault or Azure Blob Storage, to access the required resources.
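The following is an added example, not code from the original article, showing what the "Token Request" and "Resource Access" steps look like from the application's side: the request a workload sends to the Instance Metadata Service, and a sanity check on the returned JWT (audience and expiry) before it is presented as a Bearer token to Key Vault or Blob Storage. The endpoint address, the `Metadata: true` header and the `api-version` value are the documented IMDS ones; the token response at the bottom is a constructed, unsigned sample (placeholder tenant, client ID and signature) so the file runs without an Azure VM, and `fetch_token` is only exercised on a real VM.

```python
"""Added example (not part of the original article): IMDS token request and
pre-use checks for an Azure managed identity token.  The sample token below is
constructed and unsigned; it exists only so the module runs offline."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Documented IMDS identity endpoint: link-local, reachable only from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_token_request(resource, client_id=None):
    """Return (url, headers) for a managed identity token request.

    resource  -- audience of the token, e.g. "https://vault.azure.net"
    client_id -- client ID of a user-assigned identity; omit to use the
                 VM's system-assigned identity
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests without this header; it is a documented safeguard
    # so that a request reaching the endpoint is deliberate, not a redirect.
    headers = {"Metadata": "true"}
    return url, headers


def fetch_token(resource, client_id=None, opener=urllib.request.urlopen):
    """Perform the request on a real VM; `opener` is injectable for testing."""
    url, headers = build_imds_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with opener(req, timeout=5) as resp:
        return json.load(resp)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Split a JWT into (header, payload) dicts WITHOUT verifying the signature.
    Inspection only: the receiving service (Key Vault, Storage) is the party
    that validates the signature against Entra ID's published signing keys."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def token_usable_for(token_response, resource, now=None):
    """Check an IMDS token response before using it: the audience must be the
    resource that was requested and the token must not yet have expired."""
    now = time.time() if now is None else now
    _header, claims = decode_jwt_claims(token_response["access_token"])
    return claims.get("aud") == resource and int(token_response["expires_on"]) > now


def bearer_header(token_response):
    """Header the application attaches when calling the target service
    (the article's "Resource Access" step)."""
    return {"Authorization": "Bearer " + token_response["access_token"]}


# --- Constructed sample response: NOT a real token, placeholder IDs and signature ---
_SAMPLE_CLAIMS = {
    "aud": "https://vault.azure.net",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # placeholder tenant
    "appid": "11111111-1111-1111-1111-111111111111",  # placeholder client ID of the VM's service principal
    "exp": 1_700_003_600,
}
SAMPLE_RESPONSE = {
    "access_token": ".".join([
        _b64url_encode({"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}),
        _b64url_encode(_SAMPLE_CLAIMS),
        "placeholder-signature",
    ]),
    "expires_on": "1700003600",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
}

if __name__ == "__main__":
    url, headers = build_imds_token_request("https://vault.azure.net")
    print("GET", url, headers)
    print("usable:", token_usable_for(SAMPLE_RESPONSE, "https://vault.azure.net", now=1_700_000_000))
    print(bearer_header(SAMPLE_RESPONSE))
```

The audience check matters because a token minted for one resource (say, Storage) is not valid at another (Key Vault); requesting a token per `resource` and confirming `aud` before use avoids confusing a "wrong audience" rejection with a missing role assignment. On a real VM, replace `SAMPLE_RESPONSE` with `fetch_token("https://vault.azure.net")`.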