Hey dears! A quick clarification on the video.
For Virtual Machines, the Managed Identity endpoint is actually running outside of the VM and is called IMDS (Azure Instance Metadata Service). The old endpoint was located at localhost docs.microsoft.com/en-us/azure/key-vault/secrets/tutorial-net-linux-virtual-machine?WT.mc_id=AZ-MVP-5003556 but it was deprecated in January 2019. This endpoint is only accessible from within a VM though. My bad here on putting it inside of the VM box, it was supposed to be a logical, not physical, boundary. But it was pointed out that I said "running locally" during the video. Thanks Gregory S. for pointing this out.
Oh man, I learned more in 30 minutes from this than in 3 weeks of trying to navigate the Azure docs. Great explanations and demos! ❤
I LOVE the diagrams. Those aid my understanding greatly! Also, the simplicity and clarity of your thoughts is priceless.
Glad it was helpful Joe!
Not only that your videos are very practical, I really like how you explain various concepts, in this case, how you compared three authentication methods in such a clear way. Splendid work, as always, Adam :)
Awesome! Thanks David, I appreciate it 😊
I am a beginner of Azure from Hong Kong. I have been looking for a video like this one for a long time; it's straight to the point, and within 30 mins you resolved all my questions already. Thank you so much Adam. Please keep up your good work.
A big thank you Adam for your detailed explanation and demonstration of Managed Identity, better than any other videos on TH-cam!
Glad it was helpful!
I try to watch other channels, but Adam's way of teaching is unique; the way he does it and the time he spends making such great material is so cool. It's incomparable.
Adam, I must say you have a super brain to explain such a complex Azure feature within just 30 mins with plenty of demos and scenarios. Great work again... Please keep it up... Hope you and your family are safe in whichever geography you live in during the current COVID-19 pandemic. Thanks buddy. Love your Azure videos.
Wow, thanks! You too, stay safe! :)
I agree, For a 30mins Video Tutorial like this definitely a "Super Brain"
I was searching for local development settings and Managed Identity a couple of months ago. This is awesome. Thank you Adam 💙
@adam Marczak -- This is a comprehensive lesson on managed identity; you have touched on all the topics that I needed clarification on. Wonderful lesson, and thanks for all you have done!!
Thanks for the amazing tutorial, Adam. I like the fact that you cover the concepts along with practicals, and it hugely helps the learners.
You're very welcome!
Amazing! I was searching how Azure key vault working with ADF and your video explained it all and more. Thank you!
Hi Adam, the explanation is very good, short and clean. Hoping I will go through all your remaining videos.
Glad you like them!
Hi Adam, I have seen many of your videos. Thanks for putting great effort into them; each video provided a very good understanding of the Azure service along with practical knowledge. I learned a lot from these.
Great to hear that mate :)
Your videos are amazing! You explain everything so clearly. In my view that means you have a perfect understanding of what you are doing. Great!!!!
Thanks Adam for explaining Managed Identity with Practical examples. That really helps.
While there has been an upgrade to the Key Vault permissions since this video, much of it still makes perfect sense. This was a good overview, Adam! It indeed helped me understand it better. Thank you so much.
A great way to present this information. I will surely become a fan of your channel quickly. Thanks again for the great video.
Your presentation and animation is the best i have seen.
Thanks for the amazing tutorial, Adam. I like your videos that cover AZ-900 and Active Directory. Your teaching methods are excellent for understanding how the services work on Azure. I like all your videos. Please create more videos on AZ-104.
Top class explanation. Easy to understand if you are just getting started with Azure🌟
@AdamMarczakYT In the last demo of this video @27:21 we are able to get the connection string. As far as I understand, one of the reasons for using Managed Identity is to discourage sharing/disclosing the connection string directly with the developers. Now, using this connection string, anyone can get access to the restricted resources. Am I missing anything here 🤔?
Great video Adam, thanks for all the effort that goes into it.
Best video on Managed Identities!
Thanks!! :D
Excellent and pedagogical video - many thanks!
As always, great video Adam. Thanks for bringing such marvelous videos week after week.
My pleasure. It's hard but at the same time it's very satisfying seeing comments like this. Thanks!
Very well explained. It will clear up the concept of Azure identity.
Hey Adam,
I really enjoy every one of your videos. I think that your 30-minute videos are worth more than 3-hour Pluralsight / Udemy courses.
I have one request: can you create a video on Docker/AKS?
Wow, thanks! I appreciate that. Container tutorials are a possibility in the future :)
Great video. You make learning Azure fun!
Glad you think so!
Brilliant Adam! Nice job
What if I want to use a user-assigned managed identity to connect to an Azure Databricks workspace? How am I supposed to get the bearer token for the workspace using this MI? I am planning to do it via external methods like Python or PowerShell, but am unable to find any resources. Could you please advise?
I am kind of loving your videos a lot. Every time I want to learn some Azure topic, I just hope you would have one already created on that topic :) Great work. Love your simplicity.
Just a suggestion - From next time if you can show the demo using GUI (like creating a project, downloading Microsoft packages, etc.) that would be a great help for someone who doesn't have programming knowledge. Thanks a lot again!
Great suggestion! Thanks for watching!
Such great content. You have used every second effectively. Thank you 😊
Happy to hear that!
Loved the tutorial. Great clarity.
Wow Adam!! This is really very helpful!! Thanks a lot for this amazing video 😊
Thanks!
Your content is awesome, I would just like to ask you to add chapters on your videos, it really helps to go back to specific chapters without searching for them manually, your first video had chapters.
That's a good idea! I already have chapters in the new videos once I realized TH-cam supports these, might go back to update them for previous videos :)
as always it was great explanation, thanks for sharing
My pleasure!
Hey, how can I do this using an ARM Template? I keep getting an error. If I want to give the Blob Storage Contributor role to my ADF, how do I do it? What should be the scope, and how do I give the object/principal id?
Thanks a lot for all your amazing videos.
Glad you like them!
Did I say this guy is awesome? - Your videos are helpful, thank you.
You are very kind! Thank you :)
Thanks Adam for sharing the detailed explanation, very helpful.
My pleasure!
Is it possible to use Managed Identities for Microsoft Flow connector authentication? For example, the O365 Outlook connector for sending email from Flow, or the SharePoint connector for accessing data in SHP? I have tested a "service principal" in Power Automate/Flow, but it is not possible for sending email or SHP access (only for some other connectors). Maybe Managed Identity can, but there are no instructions for Flow.
Hello Adam, I have a question. For example, let's say I have a Console application that runs on premise under a service account. Can I create the service account in Azure and assign managed identity to it? Then connect to key vault using that service account from on prem?
Amazing work, Thank you, Adam!
My pleasure!
Hey, where can I find that script to run on the app service, to check the access token?
Every video comes with samples available on GitHub. Link to relevant repository is always in the video description :) Thanks for watching!
At 7:13, why did you not copy the whole string?
Great Video as always!
Thanks a lot Man
Watching this video 15 Dec 2022:
api-version is still 7.0.
On Azure Data Factory, the UI was changed. Go to the Manage tab of the left panel -> Linked Services. There is no shortcut for adding the access policy, but we added it previously, so it's not needed.
When adding a role assignment in the storage account, after you choose the role go next to Members, select Assign access to Managed identity, and select your subscription, then Data Factory and your ADF name.
I like your diagrams in the video. They explain everything so well. What software do you use to create them?
superb explanation pls upload eventgrid with angular application example
interesting idea, noted! Thank you :)
In the first demo, why do we not need to get a token from Azure AD?
So we are investigating implementing a similar Azure AD Application Proxy, i.e. initial user authentication and then acting as a reverse proxy to the internal web applications.
We see this as a requirement to securely allow our employees to access selected internal applications from their own devices externally (from the internet).
So could you assist please with guidance on how this can be achieved?
Also, how can we enable/implement SMS and email?
Best video for Azure.
Thank you mate ;)
hi
Adam Marczak, Has Microsoft moved the feature "Access Policy" under "Access Control (IAM)" feature to assign System or User Assigned Identity?
You mean for Key Vault? Key Vault now supports two ways to authorize. Either via Access Policies or via Access Control (RBAC roles). RBAC roles are still in preview though. :)
I am running into problems with how to set up the Office 365 side after setting up Data Factory, not using Key Vault, just a Service Principal Key with the SharePoint connector. I have not seen any blogs or videos on this. I was just wondering if it can be done. Great content and presentation on all your videos. Thanks!
Hey, did you go through MS guide on SharePoint connector? It's available in the documentation, just google it. They explain very nicely what you need to do in terms of permission setup. Thanks for tuning in.
@AdamMarczakYT Thanks Adam, I really appreciate it.
Thanks Adam. Awesome video. Clearly explained.
My pleasure!
Great tutorial, just need a little more detail about the OpenID/MI endpoint; please, if possible, provide some links.
thank you.. very nice videos, helped me a lot with AZ900.
U r the man!!.. this is what i was looking for
I hope you meant "man" :D Thanks!
How to copy data from a VM to a storage account using system managed identities, regularly on a daily basis, without authenticating manually for the copy?
Nice video Adam, How can we use the managed identities with function app for accessing Storage Account securely? Can you point me in the right direction in this scenario.
Not using bindings yet :( github.com/Azure/azure-functions-host/issues/6423 but you can try this docs.microsoft.com/en-us/samples/azure-samples/functions-storage-managed-identity/using-managed-identity-between-azure-functions-and-azure-storage/?WT.mc_id=AZ-MVP-5003556
@AdamMarczakYT thanks for the input
very cool explanation! thanks!
Hi Adam.. this was really helpful and very easy to understand! Just one question from my end - the logic app was able to retrieve the connection string to the storage account from Key Vault. Can you please guide me with the steps to then connect to the storage account with that connection string and read the file in the storage account?
Hey, check out my Logic Apps tutorial video. It shows how to connect to blob storage from Logic App.
Is it possible to use Managed Identity for service to service authentication (app service A calls app service B)?
Of course. The entire point of managed identity is service to service communication. The whole video talks about it and all demos show service to service communication. In this case, service A is the one you developed and service B is Microsoft Azure services. But nothing stops you from building service B as well.
@AdamMarczakYT Is there some sample code for web app to web app authentication?
No good end to end guides that I found. I think the topic is too long for a simple tutorial. Best is to follow this video and then check the MS guides on how to generate a token using managed identity and send it with an HTTP request. Then separately check guides on how to secure an API endpoint with Azure AD authentication. Combine the two to get the full picture.
How do we use User assigned Identities for resources which have Managed Identities by default like ADF?
ADF does not support user assigned identities. Check this document to see which services do support it: docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities#azure-data-factory-v2?WT.mc_id=AZ-MVP-5003556
Adam, it's great work. Can anyone help me with this doubt? My doubt is: can we use managed identity with Notification Hub?
that was very helpful. Thank you very much!
Nailed it , awesome explanation as usual.. keep going !!!
Always! Thank you kindly :)
How can I check whether Managed identity has been used in our web app in Azure? Can you please tell me?
Maybe Azure AD audit logs?
Hi Adam, do you know if there is any way to use managed identities across different tenants? I have only been able to do this using an App registered for multi-tenant use; it seems managed identities can be used only within a single tenant.
Managed Identities are not designed for multi-tenant scenarios. Service Principal /App is currently the only way.
@AdamMarczakYT thanks for answering and for all your amazing videos 😊
Nice. Can we have one video on the difference between managed identity and service principal?
Thanks Adam! I finally understood!!
Awesome, thanks!
Would you need a managed identity for ARM so you can refer to Key Vault?
It depends on who deploys this. If you deploy this from your account then you need to have KV permissions, if you deploy from VM using Managed Identity then the same principle applies.
Read more here docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault?WT.mc_id=AZ-MVP-5003556
Hey Adam, nice explanation and to the point. One question, can we add identity object id at key level?
Great Tutorial Adam. Thanks for the videos.
Glad you like them!
Hi, how can I leverage the managed identity when my resource is in another tenant and my Azure AD is in a separate tenant?
Nope, Managed Identities don’t support that. Feel free to check FAQ for official statement docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/known-issues?WT.mc_id=AZ-MVP-5003556
Hi Adam, I tried following you on Logic Apps to perform HTTP requests and Data Factory connections. However, those options are not in Azure anymore. Hope you can tell us why? I'm assuming they automated it already or changed its name?
Thanks Adam for wonderful videos
Glad you like them!
There is no webserver running on the machine for the metadata store. It's a web service running in Azure but only accessible by a non-routable IP address.
For VM yes, since it's running on 169.254.169.254, which suggests an IP within the same network. Also probably some of the PaaS services work this way too, but I don't think it's publicly stated how they work with MI behind the scenes. On the other hand, App Service is on 127.0.0.1, suggesting a locally running service. In the end, you are right: I changed my example from an App Service to a VM example so I should have moved it out of the 'Virtual Machine' box, although it was meant to be more logical rather than physical. My fault, shouldn't have done that in retrospect. Cheers! I pinned a clarification comment under the video, thanks.
Very good tutorial! Thanks a lot! Do you know a way to secure the storage account automatically created when creating a function app so that it uses managed identity instead of shared access keys?
Good question Robert, unfortunately last time I checked Managed Identity is not yet supported for WebJobs storage github.com/Azure/azure-webjobs-sdk/issues/2366
@AdamMarczakYT Thanks Adam, there are several issues with the security of the WebJobs storage account as it doesn't support activating the storage account firewall. The only way to secure the account is to put it in a VNET, but then you lose the serverless option as you need to go with the premium SKU. Hope they will fix these issues soon.
I hope so too, I love serverless option but it does add a little complexity when it comes to security.
Hi Adam, great explanation. I would like to know if I could implement security in the same way as explained in the video where service A is hosted in a non-Azure environment and service B is an Azure Function HTTP trigger.
You can utilize Managed Identities and connect to a Key Vault (if that's what you choose to do) from an external service trying to access a resource within Azure by utilizing Azure Arc. Azure Arc "registers" services/resources external to Azure and can assign an identity to them, which you can then use similarly to an Azure-based resource/service. You will have to run a PowerShell script (which Azure typically supplies to you) on that external service/resource for Azure to properly register it. An example would be a SQL Server instance running on an EC2 in AWS.
Great job Adam. Thanks
My pleasure!
How to use managed identity when using PHP which doesn't have an Azure SDK?
Make an HTTP call to this REST endpoint, similarly to JavaScript or PowerShell: docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=powershell&WT.mc_id=AZ-MVP-5003556#rest-protocol-examples
@AdamMarczakYT Thanks for the prompt response. I'm able to get the access token and am making requests to the App Configuration API: docs.microsoft.com/en-us/azure/azure-app-configuration/rest-api-key-value#list-key-values
# App configuration uri
resource=".azconfig.io"
# Get access token from the IMDS endpoint (Metadata header is required)
access_token="$(curl -s -H Metadata:true \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=${resource}" | \
  jq -r ".access_token")"
# Get app config using access token
config="$(curl --silent --get \
  --header "Authorization: Bearer ${access_token}" \
  "${resource}/kv?api-version=1.0")"
Unfortunately config is always empty here. Am I missing something?
Without diving deeper, your code looks more or less OK. If you get a 200 success response from the last curl then I'd try different endpoints as per the docs docs.microsoft.com/en-us/azure/azure-app-configuration/rest-api-key-value?WT.mc_id=AZ-MVP-5003556 maybe this: /kv?label=*&api-version={api-version}. Anyway, it should work so you are very close, good luck!
@AdamMarczakYT I got it working, thanks. I had not assigned the right access role to the system managed identity.
Thanks Adam, great job on your videos!
Thank you Michell, I appreciate it :)
Good explanation !
Hi Adam, thanks so much for the video. Could you advise if it is necessary to use managed identity with key vault, or does managed identity render key vault useless within the same architecture? Thanks!
Can this be used with SSRS?
Keep posting more videos on Azure AD server
More to come!
I'm watching it a year later -> still good ;-)
THX
Great Tutorial as always. Please make videos on Azure Networking too.
Thanks, will do!
really so informative
I love this feature!
Me too! :) It's just so much simpler to do auth with it.
Excellent.
Thank you! Cheers!
Nice video Adam. How can we use managed identities from Logic Apps when the target resource is Windows Defender ATP, as this is not an Azure service? Thanks.
Hi, unfortunately I don't know. I'm not a Windows Defender specialist. I would assume not if it's not protected by Azure AD, since managed identities come from Azure AD. Thanks for watching :)
liked the video before watching it !!! Brother, you have my respect
I appreciate that! That is a big trust and I hope it pays off! Thanks again!
Great Video! ...again
Thank you! Cheers! :)
Great tutorial as usual, Adam. Please what do you use for your architectural diagrams?
Just like a true architect I use PowerPoint :D Thanks for watching!
Thanks, this is a great video; your git repo is very useful for study.
Glad you think so!
Great tutorial, but how do I get MSI_ENDPOINT and MSI_SECRET? I want to get the AZ AD token via MSI for my web app using Node.js, can anyone help me achieve it?
They are available as environment variables, so use process.env to get them.
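Since the question above asks how a Node.js app gets a token via MSI_ENDPOINT/MSI_SECRET, and the earlier exchange covers the IMDS endpoint on VMs, here is an added JavaScript example (not from the video or its GitHub samples) that picks the endpoint the host exposes and sanity-checks the token before it is used as a Bearer credential. It assumes `env` is shaped like process.env, uses the environment-variable names and api-versions Microsoft documents for App Service and VM IMDS, makes no network call itself, and the sample secret and token in the tests are constructed.

```javascript
// Added example, not from the video or its GitHub samples: choose the managed
// identity token endpoint the host exposes and sanity-check the token you get back.
// Assumptions: `env` is shaped like process.env; the environment-variable names
// and api-versions are the documented ones for App Service and Azure VM IMDS;
// no network call is made here, the caller performs the GET.

const IMDS_TOKEN_URL = 'http://169.254.169.254/metadata/identity/oauth2/token';

// Returns { url, headers } for the GET that fetches a token for `resource`.
// `clientId` selects a user-assigned identity; omit it for the system-assigned one.
function buildTokenRequest(env, resource, clientId) {
  const params = new URLSearchParams({ resource });
  if (clientId) params.set('client_id', clientId);

  let base, headers, apiVersion;
  if (env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER) {
    // Current App Service / Functions endpoint on 127.0.0.1: the per-app secret
    // goes in the X-IDENTITY-HEADER header so only code inside the app can mint tokens.
    base = env.IDENTITY_ENDPOINT;
    headers = { 'X-IDENTITY-HEADER': env.IDENTITY_HEADER };
    apiVersion = '2019-08-01';
  } else if (env.MSI_ENDPOINT && env.MSI_SECRET) {
    // Legacy App Service endpoint (the MSI_ENDPOINT / MSI_SECRET pair asked about above).
    base = env.MSI_ENDPOINT;
    headers = { secret: env.MSI_SECRET };
    apiVersion = '2017-09-01';
  } else {
    // Azure VM: IMDS, reachable only from inside the VM on a link-local address.
    // IMDS requires "Metadata: true" so a request that was merely forwarded by a
    // proxy (which would not add the header) is rejected.
    base = IMDS_TOKEN_URL;
    headers = { Metadata: 'true' };
    apiVersion = '2018-02-01';
  }
  params.set('api-version', apiVersion);
  return { url: `${base}?${params.toString()}`, headers };
}

// Parse the JSON body returned by any of the endpoints above.
function parseTokenResponse(body) {
  const data = JSON.parse(body);
  if (typeof data.access_token !== 'string' || !data.access_token) {
    throw new Error('token response has no access_token');
  }
  return {
    accessToken: data.access_token,
    resource: data.resource,
    expiresOn: Number(data.expires_on), // epoch seconds, returned as a string
  };
}

// Decode the JWT payload without verifying the signature. That is deliberate:
// the client is the token's subject, not its audience, so it only checks the
// claims it can act on (audience and expiry) before forwarding the token.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Refuse to use a token that is expired (allowing 60 s of clock skew) or that
// was issued for a different resource than the one we are about to call.
function tokenIsUsable(claims, resource, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds + 60) return false;
  return claims.aud === resource;
}

// Builds a constructed, unsigned token for offline testing only.
function makeTestToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.`;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Show the request that would be sent. Header values are never logged:
  // MSI_SECRET / IDENTITY_HEADER are credentials in their own right.
  const req = buildTokenRequest(process.env, 'https://vault.azure.net');
  console.log('GET', req.url, 'headers:', Object.keys(req.headers).join(', '));
}
```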