Use managed identities with the de-identification service
Managed identities give Azure services a secure, automatically managed identity in Microsoft Entra ID. Because the platform creates and rotates the credential behind that identity, developers don't have to store or manage secrets themselves. There are two types of managed identities, system-assigned and user-assigned, and the de-identification service supports both.
Managed identities can be used to grant the de-identification service access to your storage account for batch processing. In this article, you learn how to assign a managed identity to your de-identification service.
Prerequisites
- Understand the differences between system-assigned and user-assigned managed identities, described in What are managed identities for Azure resources?
- A de-identification service in your Azure subscription. If you don't have a de-identification service, follow the steps in Quickstart: Deploy the de-identification service.
Create an instance of the de-identification service in Azure Health Data Services with a system-assigned managed identity
- Access the de-identification service settings in the Azure portal under the Security group in the left navigation pane.
- Select Identity.
- Within the System assigned tab, switch Status to On and choose Save.
Assign a user-assigned managed identity to a service instance
- Create a user-assigned managed identity resource according to these instructions.
- In the navigation pane of your de-identification service, scroll to the Security group.
- Select Identity.
- Select the User assigned tab, and then choose Add.
- Search for the identity you created, select it, and then choose Add.
Supported scenarios using managed identities
A managed identity assigned to the de-identification service can be used to grant the service access to Azure Blob Storage for batch de-identification jobs. The service acquires a token as the managed identity, uses it to access Blob Storage, and de-identifies the blobs that match a specified pattern. For more information, including how to grant access to your managed identity, see Quickstart: Azure Health De-identification client library for .NET.
Clean-up steps
When you turn off a system-assigned identity, it is deleted from Microsoft Entra ID. A system-assigned identity is also deleted from Microsoft Entra ID automatically when you delete the de-identification service. To remove an identity from the service, follow these steps:
- In the navigation pane of your de-identification service, scroll down to the Security group.
- Select Identity, then follow the steps based on the identity type:
  - System-assigned identity: Within the System assigned tab, switch Status to Off, and then choose Save.
  - User-assigned identity: Select the User assigned tab, select the checkbox for the identity, and select Remove. Select Yes to confirm.
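The two passages above that touch RBAC (granting the identity access to Blob Storage for batch jobs, and removing the identity afterwards) are the places where least privilege is won or lost. The following script is an added example, not code from the Microsoft article or the de-identification service itself. It uses the Azure CLI to grant the service's managed identity a data-plane role on the narrowest storage scope that covers the job (one container rather than the whole account), verifies the assignment exists, and revokes it before the identity is turned off. Everything in the placeholder variables (subscription, resource group, storage account, container, identity name, and the service's Azure resource ID) is assumed; the role name Storage Blob Data Contributor is an assumption too, chosen because a batch job reads input blobs and writes de-identified output. The script is a dry run unless DEID_APPLY=1 is set.

```shell
#!/usr/bin/env sh
# Added example (not from the Microsoft article): least-privilege role
# assignment for the de-identification service's managed identity, with a
# scope guard, a post-grant check, and a revoke step for clean-up.
# Dry run unless DEID_APPLY=1 is set. Usage: sh deid-rbac.sh [grant|revoke]

# Assumed placeholder values; replace with your own.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-deid-example}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stdeidexample}"
CONTAINER="${CONTAINER:-phi-batch}"               # empty => scope is the whole account
DEID_RESOURCE_ID="${DEID_RESOURCE_ID:-<resource ID of your de-identification service>}"
IDENTITY_KIND="${IDENTITY_KIND:-system}"          # system | user
USER_IDENTITY_NAME="${USER_IDENTITY_NAME:-id-deid-example}"
# Assumed role: a data-plane role on the storage scope, not Owner/Contributor
# on the account and not account keys.
ROLE="${ROLE:-Storage Blob Data Contributor}"

# Build the narrowest RBAC scope that still covers the job: a single container
# when one is named, otherwise the storage account.
storage_scope() {
  _scope="/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Storage/storageAccounts/$3"
  if [ -n "$4" ]; then
    _scope="$_scope/blobServices/default/containers/$4"
  fi
  printf '%s' "$_scope"
}

# Refuse any scope that is not the storage account or something inside it
# (catches a truncated scope that would grant at resource-group level).
scope_is_within_account() {
  case "$2" in
    "$1"|"$1"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the object (principal) ID the service authenticates with.
# System-assigned: read it from the service resource. User-assigned: read it
# from the identity resource.
principal_id() {
  case "$IDENTITY_KIND" in
    system) az resource show --ids "$DEID_RESOURCE_ID" \
              --query identity.principalId -o tsv ;;
    user)   az identity show --resource-group "$RESOURCE_GROUP" \
              --name "$USER_IDENTITY_NAME" --query principalId -o tsv ;;
    *)      echo "IDENTITY_KIND must be 'system' or 'user'" >&2; return 1 ;;
  esac
}

# Number of assignments of $ROLE held by the principal at the scope.
assignment_count() {
  az role assignment list --assignee "$1" --scope "$2" \
    --query "length([?roleDefinitionName=='$ROLE'])" -o tsv
}

grant() {
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" --scope "$2" --output none
}

# Revoke before switching a system-assigned identity off: turning it off
# deletes the principal, and an assignment left behind points at an identity
# that no longer exists.
revoke() {
  az role assignment delete --assignee "$1" --role "$ROLE" --scope "$2"
}

ACCOUNT_SCOPE="$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "")"
SCOPE="$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")"
scope_is_within_account "$ACCOUNT_SCOPE" "$SCOPE" || { echo "scope too broad: $SCOPE" >&2; exit 1; }

case "${DEID_APPLY:-0}:${1:-grant}" in
  1:grant)
    OBJECT_ID="$(principal_id)"
    grant "$OBJECT_ID" "$SCOPE"
    [ "$(assignment_count "$OBJECT_ID" "$SCOPE")" -ge 1 ] && echo "granted $ROLE at $SCOPE"
    ;;
  1:revoke)
    OBJECT_ID="$(principal_id)"
    revoke "$OBJECT_ID" "$SCOPE"
    echo "revoked $ROLE at $SCOPE"
    ;;
  *)
    echo "dry run: would ${1:-grant} '$ROLE' for the $IDENTITY_KIND-assigned identity at $SCOPE"
    ;;
esac
```

Run the script once as a dry run to confirm the scope it will use, then with DEID_APPLY=1 to apply; for a user-assigned identity set IDENTITY_KIND=user. Run it with the revoke argument before following the Off or Remove steps above, because once a system-assigned identity is turned off its principal is gone and a new one is created when the identity is turned back on, so any earlier role assignment has to be granted again to the new principal.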