Azure Arc server / managed identity / enterprise apps


We are looking at using Managed Identity with on-prem servers that run enterprise applications.

The server runs multiple applications that have their own app registration in Azure Active Directory. We would like to use managed identity so that the applications do not need to rotate their client secrets. Currently each application makes calls to Azure resources by getting their token with the client Id and secret.

Every example I see makes it look like you can use the server's managed identity to get access tokens for Azure resources on behalf of the application. I've seen examples where you can pass a user defined managed identity client id, so I assume I can pass the application's client Id instead. But I do not see how I can associate the application's Id with the Arc Server instance.

Is what I am trying to do possible? Or do the applications need to access Azure resources as the Arc Server's managed identity?

1 Reply
Hi Mike, thanks for sharing your scenario! Today, you can only use system-assigned managed identities on Azure Arc-enabled servers. We're always looking for ways to improve Azure Arc and I will pass along your interest in user-assigned identities to help the team as we evaluate and prioritize new capabilities.
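To make the answer concrete, here is an added example (not code from either poster or from Microsoft) of how a process on an Arc-enabled server obtains a token as the server's system-assigned identity. It follows the documented Hybrid Instance Metadata Service (HIMDS) flow on the local endpoint `http://localhost:40342/metadata/identity/oauth2/token`: the first request is answered with HTTP 401 and a `WWW-Authenticate: Basic realm=<path>` header naming a challenge file that only root/Administrators can read, and the token is issued once the file's contents are sent back in an `Authorization: Basic` header. The HTTP transport and file reader are injectable so the flow can be exercised offline with constructed responses; the `api-version` value, the environment variable `IDENTITY_ENDPOINT`, the realm paths and the token JSON in the comments are assumptions taken from public Arc documentation, not from this thread. Note what is absent: there is no `client_id` parameter to select a per-application identity, which is exactly the limitation the reply describes.

```python
"""Acquire an access token as an Azure Arc-enabled server's system-assigned managed identity.

Added example for the thread above. Assumptions: the Arc agent's HIMDS listens on
localhost:40342 (also published in IDENTITY_ENDPOINT), api-version 2020-06-01, and the
documented 401 -> challenge file -> Basic-authorized retry handshake.
"""
import json
import os
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

DEFAULT_ENDPOINT = "http://localhost:40342/metadata/identity/oauth2/token"
API_VERSION = "2020-06-01"

# A transport takes (url, request_headers) and returns (status, response_headers, body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Real transport: plain HTTP to the local agent, returning 4xx responses instead of raising."""
    req = Request(url, headers=headers)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


def read_challenge_file(path: str) -> str:
    """Read the challenge file named by the agent. On a real host this requires root/Administrators:
    whoever can read it can mint tokens as the server identity, so file ACLs are the trust boundary."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def token_url(resource: str, endpoint: Optional[str] = None) -> str:
    """Build the HIMDS token URL for the requested resource (audience), e.g. https://management.azure.com."""
    base = endpoint or os.environ.get("IDENTITY_ENDPOINT") or DEFAULT_ENDPOINT
    return f"{base}?api-version={API_VERSION}&resource={quote(resource, safe='')}"


def challenge_path(www_authenticate: str) -> str:
    """Extract the challenge-file path from a header such as
    'Basic realm=/var/opt/azcmagent/tokens/<id>.key' (Linux) or
    'Basic realm=C:\\ProgramData\\AzureConnectedMachineAgent\\Tokens\\<id>.key' (Windows)."""
    match = re.match(r"Basic realm=(.+)$", www_authenticate.strip())
    if not match:
        raise ValueError(f"unexpected WWW-Authenticate header: {www_authenticate!r}")
    return match.group(1).strip()


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (the agent sends 'Www-Authenticate')."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def get_token(
    resource: str,
    transport: Transport = urllib_transport,
    read_file: Callable[[str], str] = read_challenge_file,
    endpoint: Optional[str] = None,
) -> Dict[str, str]:
    """Run the two-step HIMDS handshake and return the parsed token response.

    Every process that completes this handshake gets the same identity: the server's. There is
    no per-application client_id here, so RBAC granted to the identity is shared by all apps on
    the host, and the identity's role assignments should be the minimum they jointly need.
    """
    url = token_url(resource, endpoint)

    # Step 1: unauthenticated request; the agent answers 401 with the challenge-file location.
    status, headers, _ = transport(url, {"Metadata": "true"})
    if status != 401:
        raise RuntimeError(f"expected 401 challenge from HIMDS, got HTTP {status}")
    www = _header(headers, "WWW-Authenticate")
    if www is None:
        raise RuntimeError("HIMDS 401 response carried no WWW-Authenticate header")

    # Step 2: prove local privileged access by echoing the challenge file's contents.
    challenge = read_file(challenge_path(www)).strip()
    status, headers, body = transport(url, {"Metadata": "true", "Authorization": f"Basic {challenge}"})
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}: {body}")

    token = json.loads(body)  # e.g. {"access_token": "...", "expires_on": "...", "token_type": "Bearer"}
    if "access_token" not in token:
        raise RuntimeError("token response missing access_token")
    return token


if __name__ == "__main__":
    # Stand-alone run on an Arc-enabled server (needs root/Administrators to read the challenge file).
    tok = get_token("https://management.azure.com")
    print(tok["token_type"], "token expires_on", tok.get("expires_on"))
```

Two points worth taking from this for the scenario in the question. First, the handshake never identifies the calling application; the agent only checks that the caller could read a file restricted to local administrators, so every app on the host ends up with the same set of permissions and the same audit trail. Second, that challenge file is the whole trust boundary: monitoring reads of the tokens directory and keeping the set of local administrators small does for this flow what secret rotation did for the client-secret model.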