articles/active-directory/managed-identities-azure-resources/known-issues.md
Lines changed: 1 addition & 35 deletions
@@ -46,27 +46,7 @@ The security boundary of the identity is the resource to which it is attached to
46
46
- If system assigned managed identity is not enabled, and only one user assigned managed identity exists, IMDS will default to that single user assigned managed identity.
47
47
- If system assigned managed identity is not enabled, and multiple user assigned managed identities exist, then specifying a managed identity in the request is required.
48
48
49
-
### Should I use the managed identities for Azure resources IMDS endpoint or the VM extension endpoint?
50
49
51
-
When using managed identities for Azure resources with VMs, we recommend using the IMDS endpoint. The Azure Instance Metadata Service is a REST Endpoint accessible to all IaaS VMs created via the Azure Resource Manager.
52
-
53
-
Some of the benefits of using managed identities for Azure resources over IMDS are:
54
-
- All Azure IaaS supported operating systems can use managed identities for Azure resources over IMDS.
55
-
- No longer need to install an extension on your VM to enable managed identities for Azure resources.
56
-
- The certificates used by managed identities for Azure resources are no longer present in the VM.
57
-
- The IMDS endpoint is a well-known non-routable IP address, only available from within the VM.
58
-
- 1000 user-assigned managed identities can be assigned to a single VM.
59
-
60
-
The managed identities for Azure resources VM extension is still available; however, we are no longer developing new functionality on it. We recommend switching to use the IMDS endpoint.
61
-
62
-
Some of the limitations of using the VM extension endpoint are:
63
-
- Limited support for Linux distributions: CoreOS Stable, CentOS 7.1, Red Hat 7.2, Ubuntu 15.04, Ubuntu 16.04
64
-
- Only 32 user-assigned managed identities can be assigned to the VM.
65
-
66
-
67
-
Note: The managed identities for Azure resources VM extension will be out of support in January 2019.
68
-
69
-
For more information on Azure Instance Metadata Service, see [IMDS documentation](https://docs.microsoft.com/azure/virtual-machines/windows/instance-metadata-service)
70
50
71
51
### Will managed identities be recreated automatically if I move a subscription to another directory?
72
52
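Review bot: dropping the whole "IMDS endpoint or VM extension endpoint" section also removes the only link on the page to the IMDS documentation (https://docs.microsoft.com/azure/virtual-machines/windows/instance-metadata-service) and the statement that the IMDS endpoint is a non-routable address reachable only from inside the VM; the surviving context lines 46-47 still tell readers how IMDS picks a default identity but no longer point them at where IMDS is documented. Consider keeping a one-line pointer such as "For more information on Azure Instance Metadata Service, see [IMDS documentation](...)" next to the retained IMDS text, and check whether any table of contents or other article links to the removed heading anchor, since deleting a `###` heading silently breaks inbound links.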
@@ -83,16 +63,7 @@ No. Managed identities do not currently support cross-directory scenarios.
83
63
- System-assigned managed identity: You need write permissions over the resource. For example, for virtual machines you need Microsoft.Compute/virtualMachines/write. This action is included in resource specific built-in roles like [Virtual Machine Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#virtual-machine-contributor).
84
64
- User-assigned managed identity: You need write permissions over the resource. For example, for virtual machines you need Microsoft.Compute/virtualMachines/write. In addition to [Managed Identity Operator](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignment over the managed identity.
85
65
86
-
### How do you restart the managed identities for Azure resources extension?
87
-
On Windows and certain versions of Linux, if the extension stops, the following cmdlet may be used to manually restart it:
88
-
89
-
```powershell
90
-
Set-AzVMExtension -Name <extension name> -Type <extension Type> -Location <location> -Publisher Microsoft.ManagedIdentity -VMName <vm name> -ResourceGroupName <resource group name> -ForceRerun <Any string different from any last value used>
91
-
```
92
66
93
-
Where:
94
-
- Extension name and type for Windows is: ManagedIdentityExtensionForWindows
95
-
- Extension name and type for Linux is: ManagedIdentityExtensionForLinux
96
67
97
68
## Known issues
98
69
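Review bot: removing the "How do you restart the managed identities for Azure resources extension?" section deletes a heading that other docs may link to by anchor; confirm there are no remaining references to it (and to the `ManagedIdentityExtensionForWindows` / `ManagedIdentityExtensionForLinux` names) before merging, or add a redirect. The removal itself is consistent with the extension being out of support, but the retained context line for user-assigned identities still reads "...Microsoft.Compute/virtualMachines/write. In addition to [Managed Identity Operator] ... role assignment over the managed identity.", where "In addition to" is a fragment; since this hunk already touches the surrounding lines, it would be a good moment to join it: "...you need Microsoft.Compute/virtualMachines/write, in addition to the [Managed Identity Operator] role assignment over the managed identity."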
@@ -128,12 +99,7 @@ Once the VM is started, the tag can be removed by using following command:
128
99
az vm update -n <VM Name> -g <Resource Group> --remove tags.fixVM
129
100
```
130
101
131
-
### VM extension provisioning fails
132
102
133
-
Provisioning of the VM extension might fail due to DNS lookup failures. Restart the VM, and try again.
134
-
135
-
> [!NOTE]
136
-
> The VM extension is planned for deprecation by January 2019. We recommend you move to using the IMDS endpoint.
137
103
138
104
### Transferring a subscription between Azure AD directories
139
105
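Review bot: with this hunk and the first one applied, the page no longer says anywhere that the VM extension is out of support (the removed `> [!NOTE]` was the last mention of "planned for deprecation by January 2019" and of the recommendation to move to the IMDS endpoint). Readers who still have the extension installed and hit the provisioning failure will now find no guidance at all. Either keep a single sentence under "## Known issues" stating that the VM extension is no longer supported and that the IMDS endpoint should be used instead, or note the removal in the commit message so the missing guidance is an intentional choice rather than an oversight.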
@@ -146,4 +112,4 @@ Workaround for managed identities in a subscription that has been moved to anoth
146
112
147
113
### Moving a user-assigned managed identity to a different resource group/subscription
148
114
149
-
Moving a user-assigned managed identity to a different resource group will cause the identity to break. As a result, resources (e.g. VM) using that identity will not be able to request tokens for it.
115
+
Moving a user-assigned managed identity to a different resource group is not supported.
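Review bot: the replacement sentence loses the security-relevant consequence that the old text stated, namely that resources using the moved identity can no longer request tokens for it, and it covers only the resource-group case while the heading still says "resource group/subscription". Suggest "Moving a user-assigned managed identity to a different resource group or subscription is not supported. Resources that use the identity will no longer be able to request tokens for it." so the heading, the statement and the observable failure mode stay aligned.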