Using managed identities with Azure Communication Services and Entra ID groups

Frederik Kirkegaard 0 Reputation points
2025-01-10T08:40:18.7866667+00:00

We are utilizing the Azure Communication Service to send emails from our .NET applications. For this purpose we want to utilize managed identities over key-based authentication. However, it seems there might be a bug where if we assign the roles to an Entra ID group that contains the managed identities, the permissions do not work. If we on the other hand assign the roles directly to the managed identities, it works fine.

Is this something someone else has experienced and perhaps has a workaround for? We can of course assign the roles directly, but we have some groups that some users are dynamically added to and removed from that would be nice to be able to maintain.


1 answer

  1. Grmacjon-MSFT 18,806 Reputation points
    2025-01-10T20:36:38.2566667+00:00

    Hi @Frederik Kirkegaard, this is not a bug but a known limitation with Azure role assignments and managed identities within Entra ID groups.

    Managed identities are not treated as traditional user or service principal objects within Entra ID groups in the context of role-based access control (RBAC). When you assign a role to a group, it grants permissions to users and service principals that are directly members of that group. Managed identities, however, are a separate identity type.

    Like you shared, the most reliable approach is to assign the necessary roles directly to the managed identities. This is the officially supported method.

    A potential workaround is to continue assigning roles directly to the managed identities, as you mentioned. However, if you need to manage dynamic group memberships, you might consider using Azure Automation or Azure Functions to automate the role assignments. This way, you can maintain the dynamic nature of your groups while ensuring that the necessary roles are assigned directly to the managed identities.

    Hope that helps.

    Best,

    Grace
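
One way to structure the automation suggested in the answer above, as an added example that is not part of the original thread or any Microsoft sample: a reconciliation step that an Azure Function or Automation runbook could run, turning group membership into direct role assignments and revoking them when an identity leaves the group. It assumes the inputs are shaped like the JSON from a Microsoft Graph group-members listing (including `servicePrincipalType`) and from `az role assignment list`; the description tag, function name, role, scope and all sample values are hypothetical placeholders.

```python
import shlex

MARKER = "synced-from-group"  # hypothetical tag kept in the assignment description


def plan_role_sync(members, assignments, role, scope, group_id):
    """Plan az commands so the group's managed identities, and only they,
    hold `role` at `scope` through direct assignments owned by this sync."""
    tag = f"{MARKER}:{group_id}"
    wanted = {m["id"] for m in members
              if m.get("@odata.type") == "#microsoft.graph.servicePrincipal"
              and m.get("servicePrincipalType") == "ManagedIdentity"}
    at_scope = [a for a in assignments
                if a["roleDefinitionName"] == role
                and a["scope"].lower() == scope.lower()]
    have = {a["principalId"] for a in at_scope}
    # Only assignments carrying our tag may be removed; hand-made ones stay.
    owned = {a["principalId"] for a in at_scope if a.get("description") == tag}
    plan = []
    for pid in sorted(wanted - have):
        plan.append(["az", "role", "assignment", "create",
                     "--assignee-object-id", pid,
                     "--assignee-principal-type", "ServicePrincipal",
                     "--role", role, "--scope", scope, "--description", tag])
    for pid in sorted(owned - wanted):  # identity left the group: revoke
        plan.append(["az", "role", "assignment", "delete",
                     "--assignee", pid, "--role", role, "--scope", scope])
    return plan


# Constructed sample data (placeholders, not values from the thread).
ROLE, GROUP = "<role-name>", "<group-object-id>"
SCOPE = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Communication/communicationServices/<acs-name>"
SP = "#microsoft.graph.servicePrincipal"
MEMBERS = [
    {"id": "mi-a", "@odata.type": SP, "servicePrincipalType": "ManagedIdentity"},
    {"id": "mi-b", "@odata.type": SP, "servicePrincipalType": "ManagedIdentity"},
    {"id": "app-1", "@odata.type": SP, "servicePrincipalType": "Application"},
    {"id": "user-1", "@odata.type": "#microsoft.graph.user"},
]
def _ra(pid, desc=None):
    return {"principalId": pid, "roleDefinitionName": ROLE, "scope": SCOPE, "description": desc}
ASSIGNMENTS = [_ra("mi-a", f"{MARKER}:{GROUP}"), _ra("mi-old", f"{MARKER}:{GROUP}"), _ra("mi-manual")]

if __name__ == "__main__":
    for cmd in plan_role_sync(MEMBERS, ASSIGNMENTS, ROLE, SCOPE, GROUP):
        print(shlex.join(cmd))
```

Reviewing the printed plan before executing it keeps the sync auditable, and the identity running it needs permission to write role assignments only at the one scope it manages.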
