tutorial-windows-vm-access-arm.md
---
title: 'Tutorial: Use managed identity to access Azure Resource Manager - Windows'
description: A tutorial that walks you through the process of using a Windows VM system-assigned managed identity to access Azure Resource Manager.
author: barclayn
manager: amycolannino
editor: daveba
ms.custom: subject-rbac-steps, mode-other, devx-track-arm-template
ms.service: entra-id
ms.subservice: managed-identities
ms.topic: tutorial
ms.tgt_pltfrm: na
ms.date: 10/30/2022
ms.author: barclayn
---

# Use a Windows VM system-assigned managed identity to access Resource Manager

[!INCLUDE preview-notice]

This tutorial shows you how to access the Azure Resource Manager API using a Windows virtual machine with system-assigned managed identity enabled. Managed identities for Azure resources are automatically managed by Azure and enable you to authenticate to services that support Microsoft Entra authentication without needing to insert credentials into your code. You learn how to:

> [!div class="checklist"]
> * Grant your VM access to a Resource Group in Azure Resource Manager
> * Get an access token using the VM identity and use it to call Azure Resource Manager

## Prerequisites

## Enable

[!INCLUDE msi-tut-enable]

## Grant your VM access to a resource group in Resource Manager

[!INCLUDE portal updates]

Using managed identities for Azure resources, your application can get access tokens to authenticate to resources that support Microsoft Entra authentication. The Azure Resource Manager API supports Microsoft Entra authentication. In this tutorial, we grant the VM's identity access to a resource in Azure Resource Manager, in this case a Resource Group, by assigning the Reader role to the managed identity at the scope of that resource group.

  1. Sign in to the Azure portal with your administrator account.
  2. Navigate to the tab for Resource Groups.
  3. Select the Resource Group you want to grant the VM's managed identity access.
  4. In the left panel, select Access control (IAM).
  5. Select Add, and then select Add role assignment.
  6. In the Role tab, select Reader. This role allows you to view all resources, but doesn't allow you to make any changes.
  7. In the Members tab, for Assign access to, select Managed identity. Then, select + Select members.
  8. Ensure the proper subscription is listed in the Subscription dropdown, and for Resource Group, select All resource groups.
  9. For the Managed identity dropdown, select Virtual Machine.
  10. Finally, in Select, choose your Windows Virtual Machine in the dropdown and select Save.
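The portal steps above can also be scripted. The following Az PowerShell function is an added example and is not part of the tutorial; it assumes the Az.Accounts, Az.Compute and Az.Resources modules are installed and that you have already signed in with Connect-AzAccount using an account that is allowed to create role assignments. The resource group and VM names are placeholders. It assigns Reader to the VM's system-assigned identity at resource-group scope only, and skips the assignment if it already exists.

```powershell
# Added example (not from the tutorial): grant a VM's system-assigned managed
# identity the Reader role on one resource group with Az PowerShell.
# Assumes Az.Accounts, Az.Compute and Az.Resources are installed and that
# Connect-AzAccount has already been run. Names below are placeholders.

function Grant-VmReaderOnResourceGroup {
    param(
        [Parameter(Mandatory)] [string] $VmResourceGroup,
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [string] $TargetResourceGroup
    )

    # A system-assigned identity is a service principal whose object ID is
    # exposed on the VM as Identity.PrincipalId once the identity is enabled.
    $vm = Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName
    $principalId = $vm.Identity.PrincipalId
    if (-not $principalId) {
        throw "VM '$VmName' has no system-assigned managed identity enabled."
    }

    # Scope the assignment to the resource group, not the subscription: the
    # identity only needs to read this one group.
    $scope = (Get-AzResourceGroup -Name $TargetResourceGroup).ResourceId

    # Idempotent: return the existing assignment if Reader is already granted
    # at exactly this scope (inherited assignments are filtered out).
    $existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
        Where-Object { $_.RoleDefinitionName -eq 'Reader' -and $_.Scope -eq $scope }
    if ($existing) {
        Write-Host "Reader is already assigned to $principalId at $scope"
        return $existing
    }

    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Reader' -Scope $scope
}

# Usage with placeholder names:
Grant-VmReaderOnResourceGroup -VmResourceGroup '<VM RESOURCE GROUP>' `
                              -VmName '<VM NAME>' `
                              -TargetResourceGroup '<RESOURCE GROUP>'
```

Checking for an existing assignment before creating one keeps the script safe to re-run from a pipeline, and filtering on `$_.Scope -eq $scope` avoids mistaking a subscription-level Reader assignment for the narrower one this tutorial wants.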

## Get an access token using the VM's system-assigned managed identity and use it to call Azure Resource Manager

You'll need to use PowerShell in this portion. If you don’t have PowerShell installed, download it here.

  1. In the portal, navigate to Virtual Machines, go to your Windows virtual machine, and in the Overview, select Connect.

  2. Enter the Username and Password that you set when you created the Windows VM.

  3. Now that you've created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session.

  4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for Azure resources endpoint to get an access token for Azure Resource Manager.

     ```powershell
     $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}
     ```

     > [!NOTE]
     > The value of the "resource" parameter must be an exact match for what is expected by Microsoft Entra ID. When using the Azure Resource Manager resource ID, you must include the trailing slash on the URI.

     Next, extract the full response, which is stored as a JavaScript Object Notation (JSON) formatted string in the $response object.

     ```powershell
     $content = $response.Content | ConvertFrom-Json
     ```

     Next, extract the access token from the response.

     ```powershell
     $ArmToken = $content.access_token
     ```

     Finally, call Azure Resource Manager using the access token. In this example, we're also using the Invoke-WebRequest cmdlet to make the call to Azure Resource Manager, and include the access token in the Authorization header. The URI is quoted so that the placeholder angle brackets are not interpreted by PowerShell.

     ```powershell
     (Invoke-WebRequest -Uri 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>?api-version=2016-06-01' -Method GET -ContentType "application/json" -Headers @{ Authorization = "Bearer $ArmToken" }).Content
     ```

     > [!NOTE]
     > The URL is case-sensitive, so ensure that you use exactly the same case as when you named the Resource Group, and keep the uppercase "G" in "resourceGroups."

     The call returns the details of the Resource Group:

     ```json
     {"id":"/subscriptions/98f51385-2edc-4b79-bed9-7718de4cb861/resourceGroups/DevTest","name":"DevTest","location":"westus","properties":{"provisioningState":"Succeeded"}}
     ```
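The steps above work on the happy path. The script below is an added example, not code from the tutorial, that wraps the same IMDS request and ARM call in a form you would actually deploy: it retries transient IMDS errors, decodes the token's claims to confirm the audience is `https://management.azure.com/` (the trailing-slash requirement the note above describes) and that the token has not expired, and turns 401, 403 and 404 responses from ARM into messages that point at the likely misconfiguration. It assumes it runs inside the Azure VM, since 169.254.169.254 is only reachable there; the subscription ID and resource group are placeholders. The `Get-JwtPayload` helper only decodes the token, it does not verify the signature, which is ARM's job.

```powershell
# Added example (not from the tutorial): acquire an ARM token from the local
# managed identity endpoint, sanity-check it, and call ARM with clear failure
# handling. Must run inside the Azure VM. Subscription/resource group values
# are placeholders.

function Get-ArmTokenFromImds {
    param([string] $Resource = 'https://management.azure.com/')

    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           "?api-version=2018-02-01&resource=$([uri]::EscapeDataString($Resource))"

    # IMDS can answer with transient 404/429/5xx right after the identity is
    # enabled or under load; retry with exponential backoff before giving up.
    for ($attempt = 1; $attempt -le 5; $attempt++) {
        try {
            return Invoke-RestMethod -Uri $uri -Method GET -Headers @{ Metadata = 'true' } -TimeoutSec 10
        }
        catch {
            if ($attempt -eq 5) { throw }
            Start-Sleep -Seconds ([math]::Pow(2, $attempt))
        }
    }
}

function Get-JwtPayload {
    param([Parameter(Mandatory)] [string] $Jwt)
    # Decode (not verify) the payload segment. Base64url uses '-' and '_' and
    # omits padding, so restore both before handing it to FromBase64String.
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

function Get-ResourceGroupViaArm {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup
    )

    $token  = Get-ArmTokenFromImds
    $claims = Get-JwtPayload -Jwt $token.access_token

    # The resource value must match exactly, trailing slash included; a token
    # minted for any other audience is rejected by ARM with 401.
    if ($claims.aud -ne 'https://management.azure.com/') {
        throw "Token audience is '$($claims.aud)', expected 'https://management.azure.com/'."
    }
    # expires_on is Unix epoch seconds; never send a token that is already stale.
    if ([int64]$token.expires_on -le [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()) {
        throw 'Token returned by IMDS is already expired.'
    }

    $armUri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup?api-version=2016-06-01"
    try {
        Invoke-RestMethod -Uri $armUri -Method GET -Headers @{ Authorization = "Bearer $($token.access_token)" }
    }
    catch {
        $status = $_.Exception.Response.StatusCode.value__
        switch ($status) {
            401 { throw '401 Unauthorized: ARM rejected the token. Check the resource/audience value and token validity.' }
            403 { throw "403 Forbidden: the VM identity has no role on '$ResourceGroup' yet. New role assignments can take a few minutes to propagate." }
            404 { throw '404 Not Found: check the subscription ID and the resource group name; the path is case-sensitive.' }
            default { throw }
        }
    }
}

# Usage with placeholder values:
Get-ResourceGroupViaArm -SubscriptionId '<SUBSCRIPTION ID>' -ResourceGroup '<RESOURCE GROUP>' |
    ConvertTo-Json -Depth 5
```

Distinguishing 401 from 403 matters operationally: a 401 means the token itself is wrong (most often the resource value), while a 403 means the token is fine but the Reader assignment from the previous section has not taken effect or was made at the wrong scope.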

## Next steps

In this quickstart, you learned how to use a system-assigned managed identity to access the Azure Resource Manager API. To learn more about Azure Resource Manager see:

> [!div class="nextstepaction"]
> Azure Resource Manager