Add managed identities for Azure App Configuration

This article shows you how to create a managed identity for Azure App Configuration. A managed identity from Microsoft Entra ID allows Azure App Configuration to easily access other Microsoft Entra protected resources. The identity is managed by the Azure platform. It doesn't require you to provision or rotate any secrets. For more about managed identities in Microsoft Entra ID, see Managed identities for Azure resources.

Your application can be granted two types of identities:

  • A system-assigned identity is tied to your configuration store. It's deleted if your configuration store is deleted. A configuration store can only have one system-assigned identity.
  • A user-assigned identity is a standalone Azure resource that can be assigned to your configuration store. A configuration store can have multiple user-assigned identities.

Adding a system-assigned identity

Creating an App Configuration store with a system-assigned identity requires an additional property to be set on the store.

Using the Azure CLI

To set up a managed identity using the Azure CLI, use the [az appconfig identity assign] command against an existing configuration store. You have three options for running the examples in this section:

The following steps walk you through creating an App Configuration store and assigning it an identity using the CLI:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using [az login]. Use an account that is associated with your Azure subscription:

    az login
    
  2. Create an App Configuration store using the CLI. For more examples of how to use the CLI with Azure App Configuration, see App Configuration CLI samples:

    az group create --name myResourceGroup --location eastus
    az appconfig create --name myTestAppConfigStore --location eastus --resource-group myResourceGroup --sku Free
    
  3. Run the [az appconfig identity assign] command to create the system-assigned identity for this configuration store:

    az appconfig identity assign --name myTestAppConfigStore --resource-group myResourceGroup
    

Adding a user-assigned identity

Creating an App Configuration store with a user-assigned identity requires that you create the identity and then assign its resource identifier to your store.

Note

You can add up to 10 user-assigned managed identities to an App Configuration store.

Using the Azure CLI

To set up a managed identity using the Azure CLI, use the [az appconfig identity assign] command against an existing configuration store. You have three options for running the examples in this section:

The following steps walk you through creating a user-assigned identity and an App Configuration store, then assigning the identity to the store using the CLI:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using [az login]. Use an account that is associated with your Azure subscription:

    az login
    
  2. Create an App Configuration store using the CLI. For more examples of how to use the CLI with Azure App Configuration, see App Configuration CLI samples:

    az group create --name myResourceGroup --location eastus
    az appconfig create --name myTestAppConfigStore --location eastus --resource-group myResourceGroup --sku Free
    
  3. Create a user-assigned identity called myUserAssignedIdentity using the CLI.

    az identity create --resource-group myResourceGroup --name myUserAssignedIdentity
    

    In the output of this command, note the value of the id property.

  4. Run the [az appconfig identity assign] command to assign the new user-assigned identity to this configuration store. Use the value of the id property that you noted in the previous step.

    az appconfig identity assign --name myTestAppConfigStore --resource-group myResourceGroup --identities /subscriptions/[subscription id]/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedIdentity
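
The steps above can be scripted so the id is not copied by hand. This is an added example, not part of the original article: it reads the identity's id, checks that it has the resource ID shape shown in step 4 before passing it to --identities, and reads the store back with az appconfig identity show to confirm the identity is listed. The function names are hypothetical; the sample names are the article's.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample names are the article's.

# Succeed only if $1 is a single-line user-assigned identity resource ID of the
# shape used in step 4 (ARM resource IDs are case-insensitive, hence -i).
is_uami_id() {
  case $1 in *"
"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eiq '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourcegroups/[^/[:space:]]+/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/[:space:]]+$'
}

# Succeed if resource ID $2 appears as a whole line in listing $1
# (one ID per line, as printed by --output tsv).
id_listed() {
  printf '%s\n' "$1" | grep -Fixq -- "$2"
}

# assign_user_identity <store> <resource-group> <identity-name>
# Runs in a subshell, so its variables stay local.
assign_user_identity() (
  store=$1 group=$2 name=$3
  id=$(az identity show --resource-group "$group" --name "$name" \
        --query id --output tsv) || exit 1
  is_uami_id "$id" || { echo "refusing unexpected id: $id" >&2; exit 1; }
  az appconfig identity assign --name "$store" --resource-group "$group" \
    --identities "$id" --output none || exit 1
  # Read back what the store reports rather than trusting the assign call.
  listed=$(az appconfig identity show --name "$store" --resource-group "$group" \
        --query 'keys(userAssignedIdentities)' --output tsv) || exit 1
  id_listed "$listed" "$id" || { echo "identity not on store" >&2; exit 1; }
  echo "assigned: $id"
)

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
  assign_user_identity "$@"
fi
```

Saved as a script, it is called with the store name, the resource group and the identity name, for example myTestAppConfigStore myResourceGroup myUserAssignedIdentity.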
    

Removing an identity

To remove a system-assigned identity, disable the feature with the az appconfig identity remove command in the Azure CLI. User-assigned identities can be removed individually. Removing a system-assigned identity in this way also deletes it from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when the app resource is deleted.
