How to enable MSI (Managed Service Identity) for Batch compute nodes in User Subscription Mode
Microsoft

Background:

Currently we can enable Azure Managed Identity on a Batch account so that platform-managed keys or customer-managed keys encrypt the customer data stored in Azure Batch: https://docs.microsoft.com/en-us/azure/batch/batch-customer-managed-key. However, the managed identity on the Batch account is not available on the compute nodes. There was an active feature request submitted to the Azure Batch team and the Azure Active Directory team asking for MSI support in the Azure Batch environment: https://feedback.azure.com/forums/269742-batch/suggestions/33640984-support-managed-service-identity.... The implementation of this feature has begun but there is no ETA at this time. As an alternative, we can enable MSI for compute nodes in user subscription mode, which means that the user would need to manage their own Virtual Machine Scale Sets (VMSS) and those nodes run in an MSI-enabled environment.

 

Purpose:

In user subscription mode, customers can enable MSI for compute nodes themselves. Please note the following limitations:

  1. Right now this alternative is only valid when the pool allocation mode is user subscription, which means all the compute nodes are provisioned in your subscription. Please check this document for the details: https://docs.microsoft.com/en-us/azure/batch/batch-account-create-portal#create-a-batch-account
  2. Every time these Batch VMs are provisioned, for example when the Batch service creates a new Virtual Machine Scale Set due to scale-out activity, you are required to enable the MSI manually. You can do it via the Portal, PowerShell or the REST API.

Prerequisite:

  • Prepare an Azure Batch account with User Subscription mode


Steps:

  1. Create a new pool in the Batch account. The VMSS will be added to your subscription in a different resource group.

  2. Open that resource group and select the VMSS.

  3. Open the VMSS and select the Identity tab to enable the MSI. This document provides more information about enabling system-assigned managed identity and user-assigned managed identity: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-config....

  4. You will be able to modify the role assignments. In my example, I assigned the Owner role on the subscription in the Azure role assignments.

  5. RDP to the VMSS to test whether the MSI works. Now I can get the token to list the information of my resource group. This document lists the PowerShell command that I used in this example: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-....

 

# Request an Azure Resource Manager access token from the metadata endpoint on the node
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}
$content = $response.Content | ConvertFrom-Json
$ArmToken = $content.access_token
# Use the token as a bearer credential to read the resource group from Azure Resource Manager
(Invoke-WebRequest -Uri 'https://management.azure.com/subscriptions/a2d49d28-b5b1-48fe-83dc-ada50a035a99/resourceGroups/moshi?api-version=2016-06-01' -Method GET -ContentType "application/json" -Headers @{ Authorization="Bearer $ArmToken"}).content
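
Because of limitation 2, steps 3 and 4 have to be repeated for every scale set that Batch creates. The script below is an added example, not part of the original post, that performs both steps with Az PowerShell; the parameter names, the Reader default and the scope passed in are assumptions of the example.

```powershell
# Added example, not from the original post. Needs the Az.Compute and
# Az.Resources modules and an authenticated session (Connect-AzAccount).
param(
    # Resource group that Batch created for the pool's scale sets (placeholder).
    [Parameter(Mandatory)] [string] $PoolResourceGroup,
    # Resource ID the nodes must reach, e.g. one resource group (placeholder).
    [Parameter(Mandatory)] [string] $TargetScope,
    # Role granted at that scope; Reader is an assumption of this example.
    [string] $RoleName = 'Reader'
)
$ErrorActionPreference = 'Stop'

foreach ($vmss in Get-AzVmss -ResourceGroupName $PoolResourceGroup) {
    # Step 3: enable the system-assigned identity when the scale set has none.
    # Assumes Batch-created scale sets carry no user-assigned identity.
    if (-not $vmss.Identity -or -not $vmss.Identity.PrincipalId) {
        Update-AzVmss -ResourceGroupName $PoolResourceGroup `
            -VMScaleSetName $vmss.Name -IdentityType SystemAssigned | Out-Null
        $vmss = Get-AzVmss -ResourceGroupName $PoolResourceGroup `
            -VMScaleSetName $vmss.Name
    }
    $principalId = $vmss.Identity.PrincipalId

    # Step 4: assign the role only if it is not already in effect at the scope.
    $existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $TargetScope `
        -RoleDefinitionName $RoleName -ErrorAction SilentlyContinue
    $granted = [bool]$existing
    # A new identity can take a short while to appear in the directory, so retry.
    for ($attempt = 1; (-not $granted) -and ($attempt -le 6); $attempt++) {
        try {
            New-AzRoleAssignment -ObjectId $principalId -Scope $TargetScope `
                -RoleDefinitionName $RoleName | Out-Null
            $granted = $true
        } catch {
            Write-Warning "Attempt $attempt for $($vmss.Name): $($_.Exception.Message)"
            Start-Sleep -Seconds 10
        }
    }
    # One result row per scale set, so a failed assignment is visible.
    [pscustomobject]@{
        ScaleSet    = $vmss.Name
        PrincipalId = $principalId
        Role        = $RoleName
        Granted     = $granted
    }
}
```

The script is idempotent, so it can be run again after each scale-out; a scale set that already has the identity and the role is reported without being changed.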

1 Comment
Occasional Visitor

@v-mosh21 - a question - I noticed that if the pool is scaled to 0, the VMSS and RG are removed. Can this be changed so it persists? It's a problem then with assigning permissions to KeyVault or other resources for the Managed Identity, as we need to somehow assign it every time it becomes available/visible in Azure.