Authenticate Azure-hosted apps to Azure resources with the Azure SDK for .NET

The recommended approach to authenticate an Azure-hosted app to other Azure resources is to use a managed identity. This approach is supported for most Azure services, including apps hosted on Azure App Service, Azure Container Apps, and Azure Virtual Machines. Discover more about different authentication techniques and approaches on the authentication overview page. In the sections ahead, you'll learn:

• Essential managed identity concepts
• How to create a managed identity for your app
• How to assign roles to the managed identity
• How to authenticate using the managed identity from your app code

Essential managed identity concepts

A managed identity enables your app to securely connect to other Azure resources without the use of secret keys or other application secrets. Internally, Azure tracks the identity and which resources it's allowed to connect to. Azure uses this information to automatically obtain Microsoft Entra tokens for the app to allow it to connect to other Azure resources.

There are two types of managed identities to consider when configuring your hosted app:

• System-assigned identities are enabled directly on an Azure resource and are tied to its life cycle. When the resource is deleted, Azure automatically deletes the identity for you. System-assigned identities provide a minimalistic approach to using managed identities.
• User-assigned identities are created as standalone Azure resources and offer greater flexibility and capabilities. They are ideal for solutions involving multiple Azure resources that need to share the same identity and permissions. For example, if multiple virtual machines need to access the same set of Azure resources, a user-assigned managed identity provides reusability and optimized management.

The sections ahead describe the steps to enable and use a system-assigned managed identity for an Azure-hosted app. If you need to use a user-assigned managed identity, visit the Manage user-assigned managed identities article for more information.

Enable a system-assigned managed identity on the Azure hosting resource

To get started using a system-assigned managed identity with your app, enable the identity on the Azure resource hosting your app, such as an Azure App Service, Azure Container App, or Azure Virtual Machine.

You can enable a system-assigned managed identity for an Azure resource using either the Azure portal or the Azure CLI.

Azure portal

1. In the Azure portal, navigate to the resource that hosts your application code, such as an Azure App Service or Azure Container App instance.

2. From the resource's Overview page, expand Settings and select Identity from the navigation.

3. On the Identity page, toggle the Status slider to On.

4. Select Save to apply your changes.

   

Azure CLI

Azure CLI commands can be run in the Azure Cloud Shell or on a workstation with the Azure CLI installed.

The Azure CLI commands used to enable managed identity for an Azure resource are of the form az <command-group> identity --resource-group <resource-group-name> --name <resource-name>. Specific commands for popular Azure services are shown below.

Azure App Service:

az webapp identity assign \
    --resource-group <resource-group-name> \
    --name <web-app-name>

Azure Virtual Machine:

az vm identity assign \
    --resource-group <resource-group-name> \
    --name <virtual-machine-name>

The output resembles the following:

{
  "principalId": "99999999-9999-9999-9999-999999999999",
  "tenantId": "33333333-3333-3333-3333-333333333333",
  "type": "SystemAssigned",
  "userAssignedIdentities": null
}

The principalId value is the unique ID of the managed identity. Keep a copy of this output, as you'll need these values in the next step.

Assign roles to the managed identity

Next, determine which roles your app needs and assign those roles to the managed identity. You can assign roles to a managed identity at the following scopes:

• Resource: The assigned roles only apply to that specific resource.
• Resource group: The assigned roles apply to all resources contained in the resource group.
• Subscription: The assigned roles apply to all resources contained in the subscription.

The following example shows how to assign roles at the resource group scope, since many apps manage all their related Azure resources using a single resource group.

Azure portal

1. Navigate to the Overview page of the resource group that contains the app with the system-assigned managed identity.

2. Select Access control (IAM) on the left navigation.

3. On the Access control (IAM) page, select + Add on the top menu and then choose Add role assignment to navigate to the Add role assignment page.

   

4. The Add role assignment page presents a tabbed, multi-step workflow to assign roles to identities. On the initial Role tab, use the search box at the top to locate the role you want to assign to the identity.

5. Select the role from the results and then choose Next to move to the Members tab.

6. For the Assign access to option, select Managed identity.

7. For the Members option, choose + Select members to open the Select managed identities panel.

8. On the Select managed identities panel, use the Subscription and Managed identity dropdowns to filter the search results for your identities. Use the Select search box to locate the system-identity you enabled for the Azure resource hosting your app.

   

9. Select the identity and choose Select at the bottom of the panel to continue.

10. Select Review + assign at the bottom of the page.

11. On the final Review + assign tab, select Review + assign to complete the workflow.

Azure CLI

A managed identity is assigned a role in Azure using the az role assignment create command:

az role assignment create \
    --assignee "{managedIdentityId}" \
    --role "{roleName}" \
    --scope "{scope}"

To get the role names to which a service principal can be assigned, use the az role definition list command:

az role definition list \
    --query "sort_by([].{roleName:roleName, description:description}, &roleName)" \
    --output table

For example, to allow the managed identity with the ID of 99999999-9999-9999-9999-999999999999 read, write, and delete access to Azure Storage blob containers and data to all storage accounts in the msdocs-dotnet-sdk-auth-example resource group, assign the application service principal to the Storage Blob Data Contributor role using the following command:

az role assignment create \
    --assignee 99999999-9999-9999-9999-999999999999 \
    --role "Storage Blob Data Contributor" \
    --scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/msdocs-dotnet-sdk-auth-example"

For information on assigning permissions at the resource or subscription level using the Azure CLI, see the article Assign Azure roles using the Azure CLI.

Implement DefaultAzureCredential in your application

DefaultAzureCredential is an opinionated, ordered sequence of mechanisms for authenticating to Microsoft Entra ID. Each authentication mechanism is a class derived from the TokenCredential class and is known as a credential. At runtime, DefaultAzureCredential attempts to authenticate using the first credential. If that credential fails to acquire an access token, the next credential in the sequence is attempted, and so on, until an access token is successfully obtained. In this way, your app can use different credentials in different environments without writing environment-specific code.

To use DefaultAzureCredential, add the Azure.Identity and optionally the Microsoft.Extensions.Azure packages to your application:

Command Line

In a terminal of your choice, navigate to the application project directory and run the following commands:

dotnet add package Azure.Identity
dotnet add package Microsoft.Extensions.Azure

NuGet Package Manager

Right-click your project in Visual Studio's Solution Explorer window and select Manage NuGet Packages. Search for Azure.Identity, and install the matching package. Repeat this process for the Microsoft.Extensions.Azure package.

Azure services are accessed using specialized client classes from the various Azure SDK client libraries. These classes and your own custom services should be registered so they can be accessed via dependency injection throughout your app. In Program.cs, complete the following steps to register a client class and DefaultAzureCredential:

1. Include the Azure.Identity and Microsoft.Extensions.Azure namespaces via using directives.
2. Register the Azure service client using the corresponding Add-prefixed extension method.
3. Pass an instance of DefaultAzureCredential to the UseCredential method.

For example:

using Microsoft.Extensions.Azure;
using Azure.Identity;

builder.Services.AddAzureClients(clientBuilder =>
{
    clientBuilder.AddBlobServiceClient(
        new Uri("https://<account-name>.blob.core.windows.net"));
    clientBuilder.UseCredential(new DefaultAzureCredential());
});

An alternative to UseCredential is to instantiate DefaultAzureCredential directly:

using Azure.Identity;

builder.Services.AddSingleton<BlobServiceClient>(_ =>
    new BlobServiceClient(
        new Uri("https://<account-name>.blob.core.windows.net"),
        new DefaultAzureCredential()));

When the preceding code runs on your local development workstation, it looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. Either approach can be used to authenticate the app to Azure resources during local development.

When deployed to Azure, this same code can also authenticate your app to other Azure resources. DefaultAzureCredential can retrieve environment settings and managed identity configurations to authenticate to other services automatically.