Use managed identities with the de-identification service

Managed identities provide Azure services with a secure, automatically managed identity in Microsoft Entra ID. Because the platform issues and rotates the identity's credentials, developers don't need to store or manage secrets in code or configuration. There are two types of managed identities: system-assigned and user-assigned. The de-identification service supports both.

Managed identities can be used to grant the de-identification service access to your storage account for batch processing. In this article, you learn how to assign a managed identity to your de-identification service.

Prerequisites

Create an instance of the de-identification service in Azure Health Data Services with a system-assigned managed identity

  1. Access the de-identification service settings in the Azure portal under the Security group in the left navigation pane.
  2. Select Identity.
  3. Within the System assigned tab, switch Status to On and choose Save.

Assign a user-assigned managed identity to a service instance

  1. Create a user-assigned managed identity resource according to these instructions.
  2. In the navigation pane of your de-identification service, scroll to the Security group.
  3. Select Identity.
  4. Select the User assigned tab, and then choose Add.
  5. Search for the identity you created, select it, and then choose Add.

Supported scenarios using managed identities

Managed identities assigned to the de-identification service can be used to grant the service access to Azure Blob Storage for batch de-identification jobs. The service acquires a token as the managed identity, uses it to access Blob Storage, and de-identifies the blobs that match a specified pattern. For more information, including how to grant access to your managed identity, see Quickstart: Azure Health De-identification client library for .NET.
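The same configuration as the portal steps above (a user-assigned identity on the service, granted access to one storage account), as an added Bicep example that is not part of this article. The de-identification resource type and API version, and the use of the built-in Storage Blob Data Contributor role, are assumptions; adjust them to the quickstart's guidance.

```bicep
// Added example (not from the article). Assumptions: the resource type
// 'Microsoft.HealthDataAIServices/deidServices' and its API version, and
// Storage Blob Data Contributor as the role the batch job needs.
param location string = resourceGroup().location
param deidServiceName string
param storageAccountName string

// User-assigned identity: created first so it can be granted access before
// the service exists, and it survives if the service is deleted.
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${deidServiceName}-identity'
  location: location
}

resource deid 'Microsoft.HealthDataAIServices/deidServices@2024-09-20' = {
  name: deidServiceName
  location: location
  identity: {
    // Use type: 'SystemAssigned' instead if you prefer the first procedure
    // in this article; then grant deid.identity.principalId the role below.
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${uami.id}': {}
    }
  }
  properties: {}
}

// Existing storage account holding the blobs to de-identify.
resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' existing = {
  name: storageAccountName
}

// Built-in role GUID for Storage Blob Data Contributor.
var blobDataContributor = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
)

// Scope the assignment to this storage account only (least privilege):
// the identity gets no rights on other accounts in the subscription.
resource blobAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, uami.id, blobDataContributor)
  scope: storage
  properties: {
    roleDefinitionId: blobDataContributor
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
```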

Clean-up steps

When you remove a system-assigned identity, it's deleted from Microsoft Entra ID. A system-assigned identity is also deleted automatically when you delete the de-identification service. To remove an identity from the service, follow these steps:

  1. In the navigation pane of your de-identification service, scroll down to the Security group.
  2. Select Identity, then follow the steps based on the identity type:
    • System-assigned identity: Within the System assigned tab, switch Status to Off, and then choose Save.
    • User-assigned identity: Select the User assigned tab, select the checkbox for the identity, and select Remove. Select Yes to confirm.