Use managed identities for App Service and Azure Functions

Note

Starting June 1, 2024, newly created App Service apps can generate a unique default host name that uses the naming convention <app-name>-<random-hash>.<region>.azurewebsites.net. For example: myapp-ds27dh7271aah175.westus-01.azurewebsites.net. Existing app names remain unchanged.

For more information, see the blog post about creating a web app with a unique default host name.

This article shows you how to create a managed identity for Azure App Service and Azure Functions applications, and how to use it to access other resources.

A managed identity from Microsoft Entra ID allows your app to easily access other Microsoft Entra-protected resources, such as Azure Key Vault. The Azure platform manages the identity, so you don't need to provision or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see Managed identities for Azure resources.

You can grant two types of identities to your application:

• A system-assigned identity is tied to the app and is deleted if the app is deleted. An app can have only one system-assigned identity.
• A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities. One user-assigned identity can be assigned to multiple Azure resources, such as two App Service apps.

The managed identity configuration is specific to the slot. To configure a managed identity for a deployment slot in the portal, go to the slot first. To find the managed identity for your web app or deployment slot in your Microsoft Entra tenant from the Azure portal, search for it directly from the Overview page of your tenant. Usually, the slot name is similar to <app-name>/slots/<slot-name>.

The following video complements the steps in this article by illustrating how to use managed identities for App Service.

Note

Managed identities are not available for apps deployed in Azure Arc.

Because managed identities don't support cross-directory scenarios, they won't behave as expected if your app is migrated across subscriptions or tenants. To re-create the managed identities after such a move, see Will managed identities be re-created automatically if I move a subscription to another directory?. Downstream resources also need to have access policies updated to use the new identity.

Prerequisites

To perform the steps in this article, you must have a minimum set of permissions over your Azure resources. The specific permissions that you need vary based on your scenario. The following table summarizes the most common scenarios:

Scenario	Required permission	Example built-in roles
Create a system-assigned identity	Microsoft.Web/sites/write over the app, or Microsoft.Web/sites/slots/write over the slot	Website Contributor
Create a user-assigned identity	Microsoft.ManagedIdentity/userAssignedIdentities/write over the resource group in which the identity will be created	Managed Identity Contributor
Assign a user-assigned identity to your app	Microsoft.Web/sites/write over the app, Microsoft.Web/sites/slots/write over the slot, or Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action over the identity	Website Contributor and Managed Identity Operator
Create Azure role assignments	Microsoft.Authorization/roleAssignments/write over the target resource scope	Role Based Access Control Administrator or User Access Administrator

Add a system-assigned identity

To enable a system-assigned managed identity, use the following instructions.

Azure portal

1. In the Azure portal, go to your app's page.

2. On the left menu, under Settings, select Identity.

3. On the System assigned tab, switch Status to On. Then select Save.

Azure CLI

Run the az webapp identity assign command:

az webapp identity assign --name myApp --resource-group myResourceGroup

Azure PowerShell

For App Service

Run the Set-AzWebApp -AssignIdentity command:

Set-AzWebApp -AssignIdentity $true -Name <app-name> -ResourceGroupName <group-name> 

For Functions

Run the Update-AzFunctionApp -IdentityType command:

Update-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupName -IdentityType SystemAssigned

ARM template

You can use an Azure Resource Manager template to automate deployment of your Azure resources. To learn more, see Automate resource deployment in App Service and Automate resource deployment in Azure Functions.

You can create any resource of type Microsoft.Web/sites with an identity by including the following property in the resource definition:

"identity": {
    "type": "SystemAssigned"
}

Adding the system-assigned type tells Azure to create and manage the identity for your application.

For example, a web app's template might look like the following JSON:

{
    "apiVersion": "2022-03-01",
    "type": "Microsoft.Web/sites",
    "name": "[variables('appName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "name": "[variables('appName')]",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
        "hostingEnvironment": "",
        "clientAffinityEnabled": false,
        "alwaysOn": true
    },
    "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]"
    ]
}

When the site is created, it has the following additional properties:

"identity": {
    "type": "SystemAssigned",
    "tenantId": "<tenant-id>",
    "principalId": "<principal-id>"
}

The tenantId property identifies what Microsoft Entra tenant the identity belongs to. The principalId property is a unique identifier for the application's new identity. Within Microsoft Entra ID, the service principal has the same name that you gave to your App Service or Azure Functions instance.

If you need to reference these properties in a later stage in the template, use the reference() template function with the 'Full' flag, as in this example:

{
    "tenantId": "[reference(resourceId('Microsoft.Web/sites', variables('appName')), '2018-02-01', 'Full').identity.tenantId]",
    "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('appName')), '2018-02-01', 'Full').identity.principalId]",
}

Add a user-assigned identity

Creating an app with a user-assigned identity requires that you create the identity and then add its resource identifier to your app configuration.

Azure portal

1. Create a user-assigned managed identity resource according to these instructions.

2. On the left menu for your app's page, under Settings, select Identity.

3. Select User assigned > Add.

4. Search for the identity that you created earlier, select it, and then select Add.

After you finish these steps, the app restarts.

Azure CLI

1. Create a user-assigned identity:

   az identity create --resource-group <group-name> --name <identity-name>
   

2. Run the az webapp identity assign command to assign the identity to the app:

   az webapp identity assign --resource-group <group-name> --name <app-name> --identities <identity-id>
   

Azure PowerShell

For App Service

Adding a user-assigned identity in App Service by using Azure PowerShell is currently not supported.

For Functions

1. Create a user-assigned identity:

   Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease
   $userAssignedIdentity = New-AzUserAssignedIdentity -Name $userAssignedIdentityName -ResourceGroupName <group-name>
   

2. Run the Update-AzFunctionApp -IdentityType UserAssigned -IdentityId command to assign the identity in Functions:

   Update-AzFunctionApp -Name <app-name> -ResourceGroupName <group-name> -IdentityType UserAssigned -IdentityId $userAssignedIdentity.Id
   

ARM template

You can use an Azure Resource Manager template to automate deployment of your Azure resources. To learn more, see Automate resource deployment in App Service and Automate resource deployment in Azure Functions.

You can create any resource of type Microsoft.Web/sites with an identity by including the following block in the resource definition. Replace <resource-id> with the resource ID of the desired identity.

"identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
        "<resource-id>": {}
    }
}

Note

An application can have both system-assigned and user-assigned identities at the same time. In that case, the type property is SystemAssigned,UserAssigned.

Adding the user-assigned type tells Azure to use the user-assigned identity that you specified for your application.

For example, a web app's template might look like the following JSON:

{
    "apiVersion": "2022-03-01",
    "type": "Microsoft.Web/sites",
    "name": "[variables('appName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {}
        }
    },
    "properties": {
        "name": "[variables('appName')]",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
        "hostingEnvironment": "",
        "clientAffinityEnabled": false,
        "alwaysOn": true
    },
    "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"
    ]
}

When the site is created, it has the following additional properties:

"identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
        "<resource-id>": {
            "principalId": "<principal-id>",
            "clientId": "<client-id>"
        }
    }
}

The principalId property is a unique identifier for the identity that's used for Microsoft Entra administration. The clientId property is a unique identifier for the application's new identity. You use it to specify which identity to use during runtime calls.

Configure the target resource

You need to configure the target resource to allow access from your app. For most Azure services, you configure the target resource by creating a role assignment.

Some services use mechanisms other than Azure role-based access control (RBAC). To understand how to configure access by using an identity, refer to the documentation for each target resource. To learn more about which resources support Microsoft Entra tokens, see Azure services that support Microsoft Entra authentication.

For example, if you request a token to access a secret in Azure Key Vault, you must also create a role assignment that allows the managed identity to work with secrets in the target vault. Otherwise, your calls to Key Vault will be rejected, even if you use a valid token. The same is true for Azure SQL Database and other services.

Important

The back-end services for managed identities maintain a cache per resource URI for around 24 hours. It can take several hours for changes to a managed identity's group or role membership to take effect. It's currently not possible to force a managed identity's token to be refreshed before its expiration. If you change a managed identity's group or role membership to add or remove permissions, you might need to wait several hours for the Azure resource that's using the identity to have the correct access.

For alternatives to groups or role memberships, see Limitation of using managed identities for authorization.

Connect to Azure services in app code

With its managed identity, an app can obtain tokens for Azure resources that Microsoft Entra ID helps protect, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application that accesses the resource, and not any specific user of the application.

App Service and Azure Functions provide an internally accessible REST endpoint for token retrieval. You can access the REST endpoint from within the app by using a standard HTTP GET request. You can implement the request with a generic HTTP client in every language.

For .NET, JavaScript, Java, and Python, the Azure Identity client library provides an abstraction over this REST endpoint and simplifies the development experience. Connecting to other Azure services is as simple as adding a credential object to the service-specific client.

HTTP GET

A raw HTTP GET request uses the two supplied environment variables and looks like the following example:

GET /MSI/token?resource=https://vault.azure.net&api-version=2019-08-01 HTTP/1.1
Host: <ip-address-:-port-in-IDENTITY_ENDPOINT>
X-IDENTITY-HEADER: <value-of-IDENTITY_HEADER>

A sample response might look like the following example:

HTTP/1.1 200 OK
Content-Type: application/json

{
    "access_token": "eyJ0eXAi…",
    "expires_on": "1586984735",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
    "client_id": "00001111-aaaa-2222-bbbb-3333cccc4444"
}

This response is the same as the response for the Microsoft Entra service-to-service access token request. To access Key Vault, you add the value of access_token to a client connection with the vault.

.NET

Note

When you're connecting to Azure SQL data sources by using Entity Framework Core, consider using Microsoft.Data.SqlClient. That namespace provides special connection strings for managed identity connectivity. For an example, see Tutorial: Secure an Azure SQL Database connection from App Service by using a managed identity.

For .NET apps and functions, the simplest way to work with a managed identity is through the Azure Identity client library for .NET. For detailed guidance, see Tutorial: Connect to Azure databases from App Service without secrets by using a managed identity.

For more information, see the respective documentation headings of the client library:

• Add the Azure Identity client library to your project
• Access an Azure service by using a system-assigned identity
• Access an Azure service by using a user-assigned identity

The linked examples use DefaultAzureCredential. It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

JavaScript

For Node.js apps and JavaScript functions, the simplest way to work with a managed identity is through the Azure Identity client library for JavaScript. For detailed guidance, see Tutorial: Connect to Azure databases from App Service without secrets by using a managed identity.

For more information, see the respective documentation headings of the client library:

• Add an Azure Identity client library to your project
• Access an Azure service by using a system-assigned identity
• Access an Azure service by using a user-assigned identity

The linked examples use DefaultAzureCredential. It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

For more code examples of the Azure Identity client library for JavaScript, see Azure Identity examples.

Python

For Python apps and functions, the simplest way to work with a managed identity is through the Azure Identity client library for Python. For detailed guidance, see Tutorial: Connect to Azure databases from App Service without secrets by using a managed identity.

For more information, see the respective documentation headings of the client library:

• Add an Azure Identity client library to your project
• Access an Azure service by using a system-assigned identity
• Access an Azure service by using a user-assigned identity

The linked examples use DefaultAzureCredential. It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

Java

For Java apps and functions, the simplest way to work with a managed identity is through the Azure Identity client library for Java. For detailed guidance, see Tutorial: Connect to Azure databases from App Service without secrets by using a managed identity.

For more information, see the respective documentation headings of the client library:

• Add an Azure Identity client library to your project
• Access an Azure service by using a system-assigned identity
• Access an Azure service by using a user-assigned identity

The linked examples use DefaultAzureCredential. It's useful for the majority of the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

For more code examples of the Azure Identity client library for Java, see Azure Identity examples.

PowerShell

Use the following script to retrieve a token from the local endpoint by specifying a resource URI of an Azure service:

$resourceURI = "https://<AAD-resource-URI-for-resource-to-obtain-token>"
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&api-version=2019-08-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token

For more information on the REST endpoint, see REST endpoint reference later in this article.

Remove an identity

When you remove a system-assigned identity, it's deleted from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when you delete the app resource itself.

Azure portal

1. On the left menu for your app's page, under Settings, select Identity.

2. Follow the steps based on the identity type:

   • For a system-assigned identity: On the System assigned tab, switch Status to Off. Then select Save.
   • For a user-assigned identity: Select the User assigned tab, select the checkbox for the identity, and then select Remove. Select Yes to confirm.

Azure CLI

To remove the system-assigned identity, use this command:

az webapp identity remove --name <app-name> --resource-group <group-name>

To remove one or more user-assigned identities, use this command:

az webapp identity remove --name <app-name> --resource-group <group-name> --identities <identity-id1> <identity-id2> ...

You can also remove the system-assigned identity by specifying [system] in --identities.

Azure PowerShell

For App Service

To remove a system-assigned identity for App Service, run the Set-AzWebApp -AssignIdentity command:

Set-AzWebApp -AssignIdentity $false -Name <app-name> -ResourceGroupName <group-name> 

For Functions

To remove all identities in Azure PowerShell (Azure Functions only), run this command:

# Update an existing function app to have IdentityType "None".
Update-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupName -IdentityType None

ARM template

To remove all identities in an ARM template, use this code:

"identity": {
    "type": "None"
}

Note

You can also set an application setting that disables only the local token service: WEBSITE_DISABLE_MSI. However, it leaves the identity in place. Tooling still shows the managed identity as on or enabled. As a result, we don't recommend that you use this setting.

REST endpoint reference

An app with a managed identity makes this endpoint available by defining two environment variables:

• IDENTITY_ENDPOINT: The URL to the local token service.
• IDENTITY_HEADER: A header that can help mitigate server-side request forgery (SSRF) attacks. The platform rotates the value.

The IDENTITY_ENDPOINT variable is a local URL from which your app can request tokens. To get a token for a resource, make an HTTP GET request to this endpoint. Include the following parameters:

Parameter name	In	Description
resource	Query	The Microsoft Entra resource URI of the resource for which a token should be obtained. This resource could be one of the Azure services that support Microsoft Entra authentication or any other resource URI.
api-version	Query	The version of the token API to be used. Use 2019-08-01.
X-IDENTITY-HEADER	Header	The value of the IDENTITY_HEADER environment variable. This header is used to help mitigate SSRF attacks.
client_id	Query	(Optional) The client ID of the user-assigned identity to be used. It can't be used on a request that includes principal_id, mi_res_id, or object_id. If all ID parameters (client_id, principal_id, object_id, and mi_res_id) are omitted, the system-assigned identity is used.
principal_id	Query	(Optional) The principal ID of the user-assigned identity to be used. The object_id parameter is an alias that can be used instead. It can't be used on a request that includes client_id, mi_res_id, or object_id. If all ID parameters (client_id, principal_id, object_id, and mi_res_id) are omitted, the system-assigned identity is used.
mi_res_id	Query	(Optional) The Azure resource ID of the user-assigned identity to be used. It can't be used on a request that includes principal_id, client_id, or object_id. If all ID parameters (client_id, principal_id, object_id, and mi_res_id) are omitted, the system-assigned identity is used.

Important

If you're trying to obtain tokens for user-assigned identities, you must include one of the optional properties. Otherwise, the token service will try to obtain a token for a system-assigned identity, which might or might not exist.

Related content

• Connect to SQL Database from App Service without secrets by using a managed identity
• Access Azure Storage by using a managed identity
• Call Microsoft Graph by using a managed identity
• Connect to services by using Key Vault secrets