In this IT Pro Challenge, you will use the Azure portal and Remote Desktop Protocol (RDP) to create and verify a virtual machine with a system-assigned managed identity. You will also assign a role to the virtual machine, which grants permissions to the managed identity and make a request to the managed identity to receive an access token. This lab helps develop knowledge of network access, identity, and access management, which is important for careers in system administration, system security, or as a database administrator.

Overview

The scenario for this virtual lab is that you are a system administrator, and your company is migrating its web services from an on-premise datacenter to Azure. Your job is to deploy an Azure virtual machine and enable managed identities. As proof of concept, you will enable and test a system-assigned managed identity.

A system-assigned managed identity allows Azure resources to authenticate to the Azure Key Vault without storing credentials in code. Once you enable system-assigned managed identities, all permissions are granted via Azure Role-Based Access Control (RBAC).

Create an Azure VM with a system-assigned managed identity

To begin, launch the Azure portal and create a virtual machine that uses Windows Server 2016 Datacenter. Enable System-assigned managed identity and then use Remote Desktop Protocol (RDP) to connect to the virtual machine and verify its availability.

Grant permissions to a managed identity

For the provided Azure resource group, you need to assign the LOD Reader role to the virtual machine. To do this, go to the Azure portal and navigate to the resource group blade and use the Access Control (IAM) page to assign the LOD Reader role to the virtual machine.

Verify a managed identity access token

On the first Azure virtual machine, launch an RDP session, and open the Windows PowerShell command-line interface. Now you need to use the Invoke-webRequest cmdlet to make a request to the managed identity to receive an access token for the Azure Resource Manager (ARM) endpoint:

$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}

Extract the full response, which is stored in JSON format in the $response variable, by using the following code: $content = $response.Content | ConvertFrom-Json. Then extract the ARM access token from the response by using the following code: $ArmToken = $content.access_token.

Finally, you will call ARM with the access token by using the following code, replacing SUBSCRIPTION_ID and RESOURCE_GROUP as appropriate:

(Invoke-WebRequest -Uri https://management.azure.com/subscriptions/SUBSCRIPTION_ID>/resourceGroups/RESOURCE_GROUP?api-version=2016-06-01 -Method GET -ContentType "application/json" -Headers @{ Authorization ="Bearer $ArmToken"}).content

Remove permissions from a managed identity

Finally, in the Azure portal, remove the role assignment from the provided Azure resource group on the second virtual machine. Then, you will return to the RDP session on the virtual machine with Windows PowerShell and enter the following command once more:

(Invoke-WebRequest -Uri https://management.azure.com/subscriptions/8d7ebc7f-6c63-47b5-bbdc-6df02452b2bd/resourceGroups/corp-datalod12693745?api-version=2016-06-01 -Method GET -ContentType "application/json" -Headers @{ Authorization ="Bearer $ArmToken"}).content

Now you will see the failure after the permissions are removed.

Summary Conclusion

By taking this virtual lab, you will learn how to use the Azure portal to create an Azure virtual machine with a system-assigned identity, grant permissions to a managed identity, and use Windows PowerShell to verify a managed identity access token. As a proof of concept, you will remove permissions from a managed identity to see the difference after those permissions are removed.

‍