
I have created a user-assigned identity using account A@hotmail.com and copied the client ID. After this, I assigned a role to this identity on a particular storage account. I also added this user-assigned identity to an Azure Function. Now I am trying to execute some code through Visual Studio, and my login account is B@hotmail.com. I have the below piece of code:

    using System;
    using Azure.Identity;
    using Azure.Storage.Blobs;

    string userAssignedClientId = "<your managed identity client Id>";
    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });
    var blobClient = new BlobClient(new Uri("https://myaccount.blob.core.windows.net/mycontainer/myblob"), credential);

Now my question is: how will DefaultAzureCredential do authentication? Will it allow the user with account B@hotmail.com to use the client ID created using account A@hotmail.com?

Pulkit Sharma
  • Can [this section](https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#defaultazurecredential) help you? – Tiny Wang Apr 11 '23 at 07:36
  • @TinyWang this article says "Managed Identity - If the application is deployed to an Azure host with Managed Identity enabled, the DefaultAzureCredential will authenticate with that account." What is "that account" here? – Pulkit Sharma Apr 11 '23 at 08:26
  • I can't find a document that explains what the account is here, but I'm afraid the account may refer to the account that created the user-assigned managed identity, or to the user-assigned managed identity itself. https://i.stack.imgur.com/IRs5S.png – Tiny Wang Apr 11 '23 at 08:27
  • You may take a look at the video in this document to learn about managed identity. According to your code snippet, I'm afraid you have already watched it. https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview – Tiny Wang Apr 11 '23 at 08:30
  • `Will it allow user with account B@hotmail.com to use clientid created using account A@hotmail.com` Using managed identity means your application won't manage any credential. So, for example, if you have an Azure Function which uses managed identity to access Azure Key Vault, and the function has an HTTP trigger which allows anonymous visits, then no matter whether it is user A or user B, both should be able to access this Key Vault via this function. – Tiny Wang Apr 11 '23 at 08:44

1 Answer


Thanks @Tiny Wang for the comment.

Azure managed identity accessing from a different account

We have to use the same Azure account with which you created the managed identity. If managed identity is enabled and you are using DefaultAzureCredential, then the application will look for the Azure credentials which were used for creating the managed identity.

What is "that account" here ?

As mentioned by Tiny Wang here, that account refers to the Azure account in which you created the managed identity.

  • When the application is running locally, it uses Visual Studio, VS Code, Azure CLI or PowerShell authentication.

  • When the application is deployed, it uses managed identity authentication.

As mentioned in the MS Doc, DefaultAzureCredential follows this order of authentication.

If any of the authentication methods completes and is satisfied, it stops the process.

Check the below workaround for how ManagedIdentityCredential works in your scenario.

  • I have created a managed identity with one Azure account. (screenshot)

  • And in Visual Studio I have logged in with a different Azure account.

(screenshots)

When I tried to run your code, I didn't get any error.

From this I understood that, as we have mentioned the managed identity, the authentication is taking the Azure credentials of the account that created the managed identity, irrespective of the Visual Studio account.

But it may impact the access level of Azure resources. So it is better to go with the same account.

Harshitha
  • Thanks for your answer. I have a doubt about your statement "From this I understood that as we have mentioned Managed Identity,the authentication is taking Azure Credentials of the created Managed Identity account irrespective of the Visual Studio Account." Will this still work if we remove that account (the account from which we created the managed identity) from the "all accounts" list? – Pulkit Sharma Apr 12 '23 at 07:28
  • Yes, you can see the same as I have mentioned in the screenshot. – Harshitha Apr 12 '23 at 07:33
  • So anyone having the client ID of the managed identity can access the blob container and perform operations (based on the role assigned to the identity)? – Pulkit Sharma Apr 12 '23 at 08:51
  • AFAIK, yes, if they have the required role assigned to the managed identity, they can access it if the client ID is available to them, with the required permissions on the container as well. – Harshitha Apr 12 '23 at 08:53
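The thread never checks which principal the token was actually issued to, which is the only way to settle the question. The added example below is not code from the question or the answer; it is an editor's illustration. Two facts it relies on: ManagedIdentityCredential can obtain a token only from the identity endpoint of an Azure host (such as the Function App) that has the identity assigned, so on a developer machine it reports CredentialUnavailableException and DefaultAzureCredential falls through to the Visual Studio or Azure CLI sign-in; and the client ID is an identifier, not a secret, so knowing it grants nothing by itself. The code writes the chain out explicitly, attempts the managed identity on its own, then decodes the access token it ends up with to show whether it is an app-only token for the managed identity or a delegated token for the signed-in developer (app-only tokens carry no `scp` claim; delegated user tokens do). The storage URL, client ID and the System.IdentityModel.Tokens.Jwt package used for decoding are assumptions of this example.

```csharp
// Added example (editor's illustration, not from the original post).
// Assumes the Azure.Identity, Azure.Storage.Blobs and System.IdentityModel.Tokens.Jwt packages.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

class Program
{
    // Placeholders, as in the question.
    const string UserAssignedClientId = "<your managed identity client Id>";
    const string BlobUrl = "https://myaccount.blob.core.windows.net/mycontainer/myblob";
    // Scope for Azure Storage data-plane access tokens.
    static readonly string[] StorageScope = { "https://storage.azure.com/.default" };

    static async Task Main()
    {
        var ctx = new TokenRequestContext(StorageScope);

        // 1. The managed identity on its own. Off an Azure host that has this identity
        //    assigned there is no identity endpoint, so this fails regardless of which
        //    account is signed in to Visual Studio or which account created the identity.
        var managedIdentity = new ManagedIdentityCredential(UserAssignedClientId);
        try
        {
            var miToken = await managedIdentity.GetTokenAsync(ctx, CancellationToken.None);
            Console.WriteLine("Managed identity token: " + Describe(miToken.Token));
        }
        catch (CredentialUnavailableException e)
        {
            Console.WriteLine("Managed identity not available here: " + e.Message);
        }

        // 2. The fallback DefaultAzureCredential performs, written out so it is visible:
        //    managed identity first, then the developer sign-ins.
        var chain = new ChainedTokenCredential(
            managedIdentity,
            new VisualStudioCredential(),
            new AzureCliCredential());

        var token = await chain.GetTokenAsync(ctx, CancellationToken.None);
        Console.WriteLine("Chain resolved to: " + Describe(token.Token));

        // 3. Refuse to proceed unless the token really is the managed identity's; otherwise
        //    every blob operation runs as the developer account, with that account's role
        //    assignments, not the Function's.
        if (!IsManagedIdentityToken(token.Token, UserAssignedClientId))
            throw new InvalidOperationException(
                "Token was not issued to the managed identity; the blob call would run as the signed-in developer.");

        var blobClient = new BlobClient(new Uri(BlobUrl), chain);
        var props = await blobClient.GetPropertiesAsync();
        Console.WriteLine($"Blob size: {props.Value.ContentLength} bytes");
    }

    // Decodes the token for diagnostics only (no signature validation; the caller is the
    // token's holder, not a resource server). Reports which principal it was issued to.
    static string Describe(string accessToken)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        string Claim(string type) => jwt.Claims.FirstOrDefault(c => c.Type == type)?.Value;

        var appId = Claim("appid");
        var scopes = Claim("scp");
        if (scopes == null)
            // No delegated scopes: an app-only token, e.g. a managed identity or service principal.
            return $"app-only token for appid={appId}, oid={Claim("oid")}";

        // Delegated token: a user signed in through a client app (Visual Studio, Azure CLI, ...).
        var user = Claim("upn") ?? Claim("unique_name") ?? Claim("email") ?? "<unknown user>";
        return $"delegated token for user {user} via client appid={appId}, scp={scopes}";
    }

    // True only for an app-only token whose appid is the user-assigned identity's client ID.
    static bool IsManagedIdentityToken(string accessToken, string expectedClientId)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        var appId = jwt.Claims.FirstOrDefault(c => c.Type == "appid")?.Value;
        var hasDelegatedScopes = jwt.Claims.Any(c => c.Type == "scp");
        return !hasDelegatedScopes
            && string.Equals(appId, expectedClientId, StringComparison.OrdinalIgnoreCase);
    }
}
```

Run this locally and step 1 reports the managed identity as unavailable while step 2 resolves to a delegated token for whichever account Visual Studio is signed in with; deploy it to the Function App that has the identity assigned and step 2 resolves to an app-only token whose `appid` is the client ID. For production code, the cleaner equivalent of step 3 is to construct `DefaultAzureCredential` with the developer credentials excluded (the `ExcludeVisualStudioCredential`, `ExcludeAzureCliCredential` and related options) so that a missing managed identity fails loudly instead of silently running as a developer.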