System-Assigned and User-Assigned Managed Identities
Learn On Demand
Learn On Demand Pro Series

Time
1 hour
Difficulty
Intermediate

This IT Pro Challenges virtual lab teaches learners how to create, convert, and deploy a VM to use a user-assigned managed identity. Learners will gain experience using a virtual machine to configure the managed identities. Skills learned in this lab are valuable in multiple job roles such as system administrator and Azure administrator.

Join over 2 million IT and cyber professionals advancing their careers

OR

Sign up with Google

Already have an account? Sign In »

Overview

A user-assigned managed identity is designed as a standalone Azure resource. Azure generates an identity in the Azure AD holder that's assigned by the subscription in use. After the identity is built, the identity can be allocated to one or more Azure service instances.

In this hands-on virtual lab, learners will enable system-assigned, and user-assigned managed identities using a virtual machine and then assign appropriate permissions. They will create a virtual machine and then convert a VM to use a user-assigned managed identity. The other guided challenges in this series are "Use Managed Identities" and "Configure Continuous Deployment Using GIT and Deployment Slots."

Understand the Scenario

In this lab, you are a system administrator for a company that is migrating its web services from its datacenter to Azure. Your job is to deploy an Azure VM and enable managed identities. Specifically, you need to enable and test a system-assigned managed identity, then convert it to a user-assigned managed identity, as a proof of concept. To accomplish this task, you will use an Azure resource group that initially contains no resources. You will create the necessary resources to complete the challenge.

Create an Azure VM with a system-assigned managed identity

Managed identities for Azure resources give Azure services with an automatically controlled identity in Azure Active Directory. Applying a managed identity, users can verify to any setting that carries Azure AD authentication without having credentials in the code. In this section of the lab, first, you will create an Azure VM and configure the VM to use Windows Server 2016 Datacenter. Next, you will set the size of the VM to Standard B2s with HDD managed disks and enable RDP access and create a Server admin user and then turn off the Auto Shutdown option and disable all Monitoring options. For Identity, you will enable System assigned managed identity and connect to the VM by using RDP and verify that the VM is running and available. Finally, you will verify that you have created the VM successfully.

Grant permissions to a managed identity

Using managed identities for Azure, the code can access tokens to verify resources that assist Azure AD authentication. The Azure Resource Manager maintains Azure AD authentication. In this section of the lab, you will grant permission to a managed identity. For the resource group, you will assign the LOD Reader role to the virtual machine and verify that the role has been assigned successfully to the system-assigned managed identity for the VM. Note that the LOD Reader role is a custom role with a subset of permissions of the built-in Reader role. The built-in Reader role is restricted in the LOD Cloudslice environment. For this challenge, the LOD Reader role provides the necessary permissions to read the resource group properties as a proof of concept.

Convert a VM to use a user-assigned managed identity

In this section of the lab, learners will convert a VM to use a user-assigned managed identity. First, you will create a User Assigned Managed Identity in the East US location. For the resource group, you will assign the LOD Reader role to the user-assigned managed identity and verify that the Role Assignment was successful. Next, you will change the Identity properties of the VM by removing the system-assigned managed identity and adding the user-assigned managed identity. Finally, you will check and verify that the user-assigned managed identity was assigned permissions successfully.

Verify a managed identity access token

In this section of the lab, learners will verify a managed identity access token. First, they will connect to the VM by using RDP and the username. This connection should be open as a result of a task you completed earlier in this challenge. Within the RDP session, you will launch a * Windows PowerShell* command-line session and request the managed identity to receive an access token for the Azure Resource Manager (ARM) endpoint by using the Invoke-WebRequest cmdlet and the following code. Next, you will extract the full response, which is stored in JSON format in the $response variable, and then extract the ARM access token from the response. Next, you will call ARM with the access token by replacing SUBSCRIPTIONID and RESOURCEGROUP as appropriate. Finally, you will verify that the call succeeds and shows the resource group properties using the managed identity.

Lab Summary Conclusion

After completing the "System-Assigned and User-Assigned Managed Identities" virtual lab, you will have accomplished the following:

  • Created an Azure VM with a system-assigned managed identity.
  • Granted permissions to a managed identity.
  • Converted a VM to use a user-assigned managed identity.
  • Verified a managed identity access token.