Support for user-assigned managed identity in Azure Data Factory

Published Oct 13 2021 01:45 AM
Microsoft

Credential safety is crucial for any enterprise. With that in mind, the Azure Data Factory (ADF) team is committed to making the data engineering process secure yet simple for data engineers.

 

We are excited to announce support for user-assigned managed identity (Preview) in all connectors/linked services that support Azure Active Directory (Azure AD) based authentication (see the supported data stores in the connector overview: https://docs.microsoft.com/azure/data-factory/connector-overview#supported-data-stores).

 

 

A quick recap on Managed Identities, Service Principal, User vs Service accounts: 

Typically, for running operationalized workflows/data pipelines, it is recommended to authenticate with service accounts rather than user accounts, so that production workloads are easy to manage and do not depend on a single data engineer's credentials. Since user account credentials can change over time and cause data pipeline failures in production, the recommendation is to use Service Principals/Managed Identities. Service Principals are analogous to service accounts.

 

Challenges with using Service account/ Service Principal:

  • Leaked/stolen credentials
  • Expired credentials
  • Require auto-rotation for compliance
  • Lifecycle management of service accounts and their credentials is not easy: they become a security risk if not cleaned up, and they need to be manually deleted after use.

  

Solution: Managed identities for Azure resources

With Azure AD authentication you can build password-less data pipelines. Data engineers then do not need data store credentials or superuser credentials at all, so privileged credential abuse is easily mitigated.

 

Managed identities for Azure resources provide Azure Data Factory with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication (Azure Storage, Synapse Analytics, etc.) without referencing credentials in your data pipelines (linked service definitions).

 

There are two types of managed identities:

  1. System-assigned - ADF has supported system-assigned managed identity since its inception. When you create an ADF instance, an identity is created in Azure AD that is tied to the lifecycle of that ADF instance. For more details, refer to the doc: https://docs.microsoft.com/azure/data-factory/data-factory-service-identity#system-assigned-managed-identity
  2. User-assigned - We are adding support for user-assigned managed identity. You can create a user-assigned managed identity (https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal) and assign it to one or more ADF instances. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.

 

When to use system-assigned vs user-assigned managed identity?

Let's understand the scope of the different managed identities:

               | System-assigned                                            | User-assigned
  -------------|------------------------------------------------------------|-------------------------------------------
  Lifecycle    | Tied to the particular ADF instance                        | Independent of the ADF instance
  Reuse        | Since it's per ADF instance, it cannot be shared across    | It can be shared with multiple ADF
               | resources                                                  | instances
  Management   | Service created                                            | Customer created

 

  • You have to grant permissions to each system-assigned managed identity in the respective data stores. This can become overwhelming if you have many (say 100+) ADF instances. Also, if access needs to be revoked after a security breach/incident, it needs to be done for every one of those identities. User-assigned managed identity helps here: because the identity is decoupled from the ADF instance, permissions are granted (and revoked) once for the shared identity instead of once per instance.

 

  • If you do not want to create a separate Azure AD identity (user-assigned managed identity) and manage it yourself, use system-assigned.

 

What if my datastore does not support AAD-based authentication/ Managed identities?

Not to worry! For data stores that do not support AAD-based authentication/managed identities, you can store those credentials in Azure Key Vault (https://docs.microsoft.com/azure/data-factory/store-credentials-in-key-vault). ADF then fetches those credentials during the pipeline run, as and when needed, by authenticating to Key Vault with the respective system-assigned or user-assigned managed identity, so the secret itself still never appears in the linked service definition.

 

Get Started with user-assigned managed identity in ADF:

  1. Associate an existing user-assigned managed identity with the ADF instance.
    • It can be done through Azure Portal --> ADF instance --> Managed identities --> Add user-assigned managed identity.
    • You can also associate the identity in step 2.
  2. Create a new credential with type 'user-assigned': ADF UI --> Manage hub --> Credentials --> New.
  3. Create a linked service, choose user-assigned managed identity under authentication type, and select the credential item.
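As an added example (not part of the original post and not ADF's own tooling), the following Python check ties together the Key Vault fallback above and the three Get Started steps: it reads exported credential and linked service JSON and reports which linked services still carry a secret in their definition, which defer it to Key Vault, and which reference a user-assigned managed identity credential, flagging a reference to a credential that is missing or is not a user-assigned identity. The field names follow the ADF linked service and credential JSON format; the sample definitions, identity names, endpoints and resource ids are constructed.

```python
"""Audit exported ADF credential and linked service JSON for embedded secrets.
Added example, not ADF tooling; field shapes follow the ADF JSON format, and every
name, endpoint and resource id below is constructed for illustration."""
import re
from typing import Any

# typeProperties fields that carry a secret, plus connection strings that can embed one
SECRET_FIELDS = ("password", "accountKey", "servicePrincipalKey", "sasToken", "connectionString")
EMBEDDED_SECRET = re.compile(r"(AccountKey|Password|Pwd|SharedAccessSignature)\s*=", re.I)
UAMI_MARKER = "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/"

# Constructed credential item (Get Started step 2) and linked services (step 3)
CREDENTIALS = [{"name": "uami-adf-prod", "properties": {"type": "ManagedIdentity", "typeProperties": {
    "resourceId": "/subscriptions/<sub-id>/resourceGroups/<rg>" + UAMI_MARKER + "uami-adf-prod"}}}]
BLOB = "https://contosodata.blob.core.windows.net/"
LINKED_SERVICES = [
    {"name": "blob_uami", "properties": {"type": "AzureBlobStorage", "typeProperties": {"serviceEndpoint": BLOB},
        "credential": {"referenceName": "uami-adf-prod", "type": "CredentialReference"}}},
    {"name": "blob_dangling", "properties": {"type": "AzureBlobStorage", "typeProperties": {"serviceEndpoint": BLOB},
        "credential": {"referenceName": "uami-deleted", "type": "CredentialReference"}}},
    {"name": "blob_key", "properties": {"type": "AzureBlobStorage", "typeProperties": {
        "connectionString": "DefaultEndpointsProtocol=https;AccountName=contosodata;AccountKey=<redacted>"}}},
    {"name": "sql_kv", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "connectionString": "Data Source=srv.database.windows.net;Initial Catalog=etl;User ID=etl",
        "password": {"type": "AzureKeyVaultSecret", "secretName": "etl-sql-password",
                     "store": {"referenceName": "kv_ls", "type": "LinkedServiceReference"}}}}},
    {"name": "blob_sami", "properties": {"type": "AzureBlobStorage", "typeProperties": {"serviceEndpoint": BLOB}}},
]

def classify(ls: dict[str, Any], credentials: list[dict[str, Any]]) -> str:
    """Verdict precedence: inline_secret > broken_credential_ref > user_assigned_mi
    > key_vault > no_secret (nothing stored in the definition, e.g. system-assigned MI)."""
    props, uses_kv = ls["properties"], False
    for field in SECRET_FIELDS:
        value = props.get("typeProperties", {}).get(field)
        if isinstance(value, dict) and value.get("type") == "AzureKeyVaultSecret":
            uses_kv = True             # deferred to Key Vault, read via the factory's MI at run time
        elif value is not None and (field != "connectionString" or EMBEDDED_SECRET.search(str(value))):
            return "inline_secret"     # literal or SecureString secret sits in the definition
    ref = props.get("credential", {})
    if ref.get("type") == "CredentialReference":
        cred = next((c for c in credentials if c["name"] == ref.get("referenceName")), None)
        ok = cred is not None and cred["properties"].get("type") == "ManagedIdentity" \
            and UAMI_MARKER in cred["properties"].get("typeProperties", {}).get("resourceId", "")
        return "user_assigned_mi" if ok else "broken_credential_ref"
    return "key_vault" if uses_kv else "no_secret"

def audit(linked_services: list[dict[str, Any]], credentials: list[dict[str, Any]]) -> dict[str, str]:
    """Map each linked service name to its authentication verdict."""
    return {ls["name"]: classify(ls, credentials) for ls in linked_services}

if __name__ == "__main__":
    for name, verdict in audit(LINKED_SERVICES, CREDENTIALS).items():
        print(f"{name:14} {verdict}")
```

Point it at the linked service and credential JSON exported from the factory's Git repository or ARM template to find the linked services that should move to a credential reference or a Key Vault reference.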

Reference:

  • Managed identities in data factory: https://docs.microsoft.com/azure/data-factory/data-factory-service-identity
  • Credentials and user-assigned managed identity in data factory: https://docs.microsoft.com/azure/data-factory/data-factory-service-identity#user-assigned-managed-identity
  • User-assigned managed identity in Azure Storage linked service (example): https://docs.microsoft.com/azure/data-factory/connector-azure-blob-storage?tabs=data-factory#user-assigned-managed-identity-authentication
Last update: Oct 13 2021 03:27 PM