Blog Post

Azure Governance and Management Blog
4 MIN READ

User-Assigned Identity-based Access for Machine Configuration Packages – Generally Available

mutemwamasheke's avatar
mutemwamasheke
Icon for Microsoft rankMicrosoft
Nov 20, 2024

Azure Machine Configuration now supports User Assigned Identities for private access to configuration packages in Azure Storage, enhancing your cloud security and management.

Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Polic...
Updated Nov 20, 2024
Version 1.0
governance
guest configuration
policy
Cyr-Az's avatar
Cyr-Az
Copper Contributor
Dec 01, 2024

Nice improvement!

But why not use the system managed identity? Since the guest config extension runs as a local service inside the VM, shouldn't that be possible?

  • mutemwamasheke's avatar
    mutemwamasheke
    Icon for Microsoft rankMicrosoft
    Dec 02, 2024

    Hey! The main constraints are: 1) there is a 2000 role assignment limit per subscription for system-assigned identities 2) there can only be one system assigned identity per machine making it infeasible to assign each individual machine to a storage account. User Assigned Identities are scalable to a larger set of machines and only need one identifier :)

    • bkirk's avatar
      bkirk
      Copper Contributor
      Jun 16, 2025

      But you can assign the System Managed Identities to a group and add this group to the storage account. This is actually what we do with our Arc Servers to give access to certain blobs in a storage account. As far as I can see this would be alt least as flexible and simple as using a user assigned managed identity!?

      Is it NOT possible to use the System Managed Identity at all?! I can see that there is a pull request in github (https://github.com/Azure/GuestConfiguration/pull/309), but no comments or anything for 2 months!