Latest commit

ed7d2dd · Nov 8, 2018

how-to-manage-ua-identity-cli.md

title: How to manage a user-assigned managed identity using Azure CLI
description: Step by step instructions on how to create, list and delete a user-assigned managed identity using the Azure CLI.
services: active-directory
documentationcenter:
author: daveba
manager: mtillman
editor:
ms.service: active-directory
ms.component: msi
ms.devlang: na
ms.topic: conceptual
ms.tgt_pltfrm: na
ms.workload: identity
ms.date: 04/16/2018
ms.author: daveba

Create, list or delete a user-assigned managed identity using the Azure CLI

[!INCLUDE preview-notice]

Managed identities for Azure resources provides Azure services with a managed identity in Azure Active Directory. You can use this identity to authenticate to services that support Azure AD authentication, without needing credentials in your code.

In this article, you learn how to create, list and delete a user-assigned managed identity using Azure CLI.

Prerequisites

[!INCLUDE cloud-shell-try-it.md]

Create a user-assigned managed identity

To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

Use the az identity create command to create a user-assigned managed identity. The -g parameter specifies the resource group in which to create the user-assigned managed identity, and the -n parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

[!INCLUDE ua-character-limit]

az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>

List user-assigned managed identities

To list/read a user-assigned managed identity, your account needs the Managed Identity Operator or Managed Identity Contributor role assignment.

To list user-assigned managed identities, use the az identity list command. Replace the <RESOURCE GROUP> with your own value:

az identity list -g <RESOURCE GROUP>

In the JSON response, each user-assigned managed identity has the value "Microsoft.ManagedIdentity/userAssignedIdentities" for the key type:

"type": "Microsoft.ManagedIdentity/userAssignedIdentities"

Delete a user-assigned managed identity

To delete a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

To delete a user-assigned managed identity, use the az identity delete command. The -n parameter specifies its name and the -g parameter specifies the resource group where the user-assigned managed identity was created. Replace the <USER ASSIGNED IDENTITY NAME> and <RESOURCE GROUP> parameter values with your own values:

az identity delete -n <USER ASSIGNED IDENTITY NAME> -g <RESOURCE GROUP>

Note

Deleting a user-assigned managed identity will not remove the reference from any resource it was assigned to. Remove those references from the VM/VMSS using the az vm/vmss identity remove command.
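
The following script is an added example, not part of the original article: it confirms the identity exists with the user-assigned type value shown earlier, lists VMs that still reference it, and runs az identity delete only when none do. The function names are hypothetical, the identity.userAssignedIdentities shape of the az vm list output is an assumption, and scale sets (VMSS) are not checked.

```bash
#!/usr/bin/env bash
# Added example: not part of the original article. Requires a logged-in Azure CLI.
# Usage (after sourcing): safe_delete_ua_identity <RESOURCE GROUP> <USER ASSIGNED IDENTITY NAME>

UA_TYPE="Microsoft.ManagedIdentity/userAssignedIdentities"

# Print the resource ID of identity $2 in resource group $1, but only when the
# entry carries the "type" value the article shows for user-assigned identities.
ua_identity_id() {
  az identity list -g "$1" \
    --query "[?name=='$2' && type=='$UA_TYPE'].id" -o tsv
}

# Print "<resource group><TAB><vm name>" for every VM that still references
# identity ID $1. Assumption: `az vm list` reports user-assigned identities as
# the keys of identity.userAssignedIdentities. IDs are compared case-insensitively.
vms_referencing() {
  local want
  want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  az vm list -o tsv --query \
    "[?identity.userAssignedIdentities].[resourceGroup, name, join(' ', keys(identity.userAssignedIdentities))]" |
    awk -F'\t' -v want="$want" '{
      n = split(tolower($3), ids, " ")
      for (i = 1; i <= n; i++) if (ids[i] == want) { print $1 "\t" $2; break }
    }'
}

# Delete the identity only when no VM references it.
# Returns 1 if the identity is not found, 2 if VMs still reference it.
safe_delete_ua_identity() {
  local rg="$1" name="$2" id refs
  id="$(ua_identity_id "$rg" "$name")"
  if [ -z "$id" ]; then
    echo "No user-assigned managed identity '$name' in '$rg'" >&2
    return 1
  fi
  refs="$(vms_referencing "$id")"
  if [ -n "$refs" ]; then
    echo "Still referenced; run 'az vm identity remove' on these VMs first:" >&2
    echo "$refs" >&2
    return 2
  fi
  az identity delete -n "$name" -g "$rg"
}
```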

Next steps

For a full list of Azure CLI identity commands, see az identity.

For information on how to assign a user-assigned managed identity to an Azure VM, see Configure managed identities for Azure resources on an Azure VM using Azure CLI.