---
title: How to use managed identities for Azure resources on an Azure VM for sign in
description: Step-by-step instructions and examples for using an Azure VM's managed identity for Azure resources service principal for script client sign-in and resource access.
services: active-directory
author: daveba
manager: mtillman
ms.service: active-directory
ms.component: msi
ms.devlang: na
ms.topic: conceptual
ms.tgt_pltfrm: na
ms.workload: identity
ms.date: 12/01/2017
ms.author: daveba
---
[!INCLUDE preview-notice]
This article provides PowerShell and CLI script examples for signing in with a managed identity for Azure resources service principal, and guidance on important topics such as error handling.
[!INCLUDE msi-qs-configure-prereqs]
If you plan to use the Azure PowerShell or Azure CLI examples in this article, be sure to install the latest version of Azure PowerShell or Azure CLI.
**Important**
- All sample script in this article assumes the command-line client is running on a VM with managed identities for Azure resources enabled. Use the VM "Connect" feature in the Azure portal, to remotely connect to your VM. For details on enabling managed identities for Azure resources on a VM, see Configure managed identities for Azure resources on a VM using the Azure portal, or one of the variant articles (using PowerShell, CLI, a template, or an Azure SDK).
- To prevent errors during resource access, the VM's managed identity must be given at least "Reader" access at the appropriate scope (the VM or higher) to allow Azure Resource Manager operations on the VM. See Assign managed identities for Azure resources access to a resource using the Azure portal for details.
Managed identities for Azure resources provides a service principal object, which is created when managed identities for Azure resources is enabled on the VM. The service principal can be given access to Azure resources, and used as an identity by script/command-line clients for sign-in and resource access. Traditionally, in order to access secured resources under its own identity, a script client would need to:
- be registered and consented with Azure AD as a confidential/web client application
- sign in under its service principal, using the app's credentials (which are likely embedded in the script)
With managed identities for Azure resources, your script client no longer needs to do either, as it can sign in under the managed identities for Azure resources service principal.
The following script demonstrates how to:
- Sign in to Azure AD under the VM's managed identity for Azure resources service principal
- Call Azure Resource Manager and get the VM's service principal ID. CLI takes care of managing token acquisition/use for you automatically. Be sure to substitute your virtual machine name for `<VM-NAME>`.

```bash
# Sign in under the VM's managed identity; no credentials are embedded in the script.
az login --identity
# Ask Resource Manager for the VM's principal ID (the query is quoted so the shell does not treat [*] as a glob).
spID=$(az resource list -n <VM-NAME> --query '[*].identity.principalId' --out tsv)
echo "The managed identity for Azure resources service principal ID is $spID"
```
The following script demonstrates how to:
- Sign in to Azure AD under the VM's managed identity for Azure resources service principal
- Call an Azure Resource Manager cmdlet to get information about the VM. PowerShell takes care of managing token use for you automatically.

```powershell
# Sign in under the VM's managed identity; no credentials are embedded in the script.
Add-AzureRmAccount -identity
# Call Azure Resource Manager to get the service principal ID for the VM's managed identity for Azure resources.
$vmInfoPs = Get-AzureRMVM -ResourceGroupName <RESOURCE-GROUP> -Name <VM-NAME>
$spID = $vmInfoPs.Identity.PrincipalId
echo "The managed identity for Azure resources service principal ID is $spID"
```
See Azure services that support Azure AD authentication for a list of resources that support Azure AD and have been tested with managed identities for Azure resources, and their respective resource IDs.
Responses such as the following may indicate that the VM's managed identity for Azure resources has not been correctly configured:
- PowerShell: `Invoke-WebRequest : Unable to connect to the remote server`
- CLI: `MSI: Failed to retrieve a token from 'http://localhost:50342/oauth2/token' with an error of 'HTTPConnectionPool(host='localhost', port=50342)`
If you receive one of these errors, return to the Azure VM in the Azure portal and:
- Go to the Identity page and ensure System assigned is set to "Yes."
- Go to the Extensions page and ensure the managed identities for Azure resources extension (planned for deprecation in January 2019) deployed successfully.
If either is incorrect, you may need to redeploy managed identities for Azure resources on your resource, or troubleshoot the deployment failure. See Configure managed identities for Azure resources on a VM using the Azure portal if you need assistance with VM configuration.
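The CLI sign-in flow above, wrapped with the error handling this article recommends, as an added example that is not part of the original article: it maps the two failure messages listed above to a diagnosis, treats an empty principal-ID result as a missing Reader assignment at the VM scope, and only runs the live `az` calls when the CLI is installed and `VM_NAME` (an assumed environment variable) is set.

```shell
#!/bin/sh
# Added example, not from the original article. The helper functions are pure
# (string in, diagnosis out) so they can be exercised without a VM.

# Map the sign-in failures listed in the article to a diagnosis and next step.
# Prints one line; returns 0 when the text matches a known managed-identity problem.
msi_error_hint() {
    err="$1"
    case "$err" in
        *"Failed to retrieve a token from 'http://localhost:50342/oauth2/token'"*|*"HTTPConnectionPool(host='localhost', port=50342)"*)
            echo "token endpoint unreachable: check Identity > System assigned = Yes and that the managed identity extension deployed"
            return 0 ;;
        *"Unable to connect to the remote server"*)
            echo "token endpoint unreachable (PowerShell): managed identity is not configured on this VM"
            return 0 ;;
        *)  echo "unrecognised sign-in error: $err"
            return 1 ;;
    esac
}

# The article's 'az resource list' query prints the principal ID as TSV. No lines
# means the identity lacks Reader access at the VM scope (or the name is wrong);
# several lines means the name matched more than one resource.
check_principal_id() {
    out="$1"
    count=$(printf '%s\n' "$out" | grep -c .) || true
    case "$count" in
        0) echo "no principal ID returned: grant the identity Reader access on the VM (or higher)" >&2; return 1 ;;
        1) printf '%s\n' "$out"; return 0 ;;
        *) echo "query matched $count resources; narrow it with --resource-group" >&2; return 2 ;;
    esac
}

# The flow from the article: sign in, then look up the principal ID, with diagnostics on failure.
msi_login_and_get_spid() {
    vm="$1"
    if ! err=$(az login --identity 2>&1 >/dev/null); then
        msi_error_hint "$err" >&2
        return 1
    fi
    spid=$(az resource list -n "$vm" --query '[*].identity.principalId' --out tsv) || return 1
    check_principal_id "$spid"
}

# Run the live flow only on a VM where the CLI is present and VM_NAME (assumed) is set.
if [ -n "${VM_NAME:-}" ] && command -v az >/dev/null 2>&1; then
    msi_login_and_get_spid "$VM_NAME"
fi
```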
- To enable managed identities for Azure resources on an Azure VM, see Configure managed identities for Azure resources on an Azure VM using PowerShell, or Configure managed identities for Azure resources on an Azure VM using Azure CLI