Merge pull request #301430 from msftadam/patch-81

denrea · web-flow · commit b3a8326083c5 · 2025-06-17T10:20:49.000-07:00
Update how-to-create-user-assigned-managed-identity.md
diff --git a/articles/operator-service-manager/how-to-create-user-assigned-managed-identity.md b/articles/operator-service-manager/how-to-create-user-assigned-managed-identity.md
@@ -1,18 +1,19 @@
 ---
-title: How to create and assign User Assigned Managed Identity in Azure Operator Service Manager
-description: Learn how to create and assign a User Assigned Managed Identity in Azure Operator Service Manager.
+title: How to create, assign, and use a User Assigned Managed Identity in Azure Operator Service Manager
+description: Learn how to create, assign, and use a User Assigned Managed Identity in Azure Operator Service Manager.
 author: msftadam
 ms.author: adamdor
 ms.date: 6/9/2025
 ms.topic: how-to
 ms.service: azure-operator-service-manager
 ---
 
-# Create and assign a User Assigned Managed Identity
+# Create, assign, and use a User Assigned Managed Identity
 
-In this how-to guide, you learn how to:
-- Create a User Assigned Managed Identity (UAMI) for your Site Network Service (SNS).
-- Assign that User Assigned Managed Identity permissions for use by Azure Operator Service Manager (AOSM)
+In this how-to guide, you learn to:
+- Create a User Assigned Managed Identity (UAMI) to use with Azure Operator Service Manager (AOSM)
+- Assign a UAMI permissions to access required resources.
+- Use a UAMI when executing network function (NF) or site network service (SNS) operations. 
 
 > [!WARNING]
 > UAMI is required where an expected SNS operation may run for four or more hours. If UAMI isn't used during long running SNS operations, the SNS may report a false failed status before component operations complete.
@@ -29,13 +30,13 @@ In this how-to guide, you learn how to:
 
 First, create a UAMI. Refer to [Create a User Assigned Managed Identity for your SNS](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp) for details.
 
-## Assign custom role to UAMI
+## Create a custom role and assign to UAMI
 
-Next, assign a custom role to your new UAMI. Choose a scope-based approach and then allow the proper permission across that scope.
+Next, create a custom role. Start by considering the best scope-based approach, then create and assign the role to your new UAMI.
 
-### Choose scope for assigning custom role
+### Scope considerations for UAMI custom role
 
-Either assign the custom role individually to a child resource, like an NFDV, or to a parent resource, such as the publisher resource group or Network Function Definition Group (NFDG). Assigning the role to a parent resource grants equal access over all child resources. For proper SNS operations, either the parent resource must include all below resources, or the following resources must be assigned the custom role individually:
+The custom role must be assigned sufficient permissions to access user resources. The custom role can be scoped to individual child resources, like an NFDV, for the most granular control. Or, the custom role can be scope to a parent resource, such as the publisher resource group, which grants equal access over all child resources. For proper operations, either individually or via parent, all below resources must be assigned to the custom role:
 
 - All the Network Function Definition Groups (NFDG) and versions. 
 - All the Network Function Definition (NFD) and versions.
@@ -47,26 +48,26 @@ Either assign the custom role individually to a child resource, like an NFDV, or
 
 The UAMI needs the following individual permissions to execute required SNS operations:
 
-- On the NFDV
+- On the NFD;
   - Microsoft.HybridNetwork/publishers/networkFunctionDefinitionGroups/networkFunctionDefinitionVersions/use/**action**
   - Microsoft.HybridNetwork/Publishers/NetworkFunctionDefinitionGroups/NetworkFunctionDefinitionVersions/**read**
-- On the NSDV
+- On the NSD;
   - Microsoft.HybridNetwork/publishers/networkServiceDesignGroups/networkServiceDesignVersions/use/action
   - Microsoft.HybridNetwork/publishers/networkServiceDesignGroups/networkServiceDesignVersions/**read**
-- On the CGS
+- On the CGS;
   - Microsoft.HybridNetwork/Publishers/ConfigurationGroupSchemas/**read**
-- On the custom location
+- On the custom location;
   - Microsoft.ExtendedLocation/customLocations/deploy/**action**
   - Microsoft.ExtendedLocation/customLocations/**read** 
-- In addition, the UAMI need access on itself
+- In addition, the UAMI need access on itself;
   - Microsoft.ManagedIdentity/userAssignedIdentities/assign/**action**
 
 If using a parent resource scope approach, then the required permissions would be applied to the parent resource.  
 
 > [!NOTE]
 > Don't provide write or delete access to any of these publisher resources.
 
-### Assign custom role
+### Assign custom role via portal
 
 1. Access the Azure portal and open your chosen resource scope; for example, Publisher Resource Group or Network Function Definition Version.
 
@@ -86,11 +87,11 @@ If using a parent resource scope approach, then the required permissions would b
 
 6. Select **Review and assign**.
 
-### Repeat the role assignment
+#### Repeat the role assignment
 
 Repeat the role assignment process for any remaining resources given the chosen scope approach.
 
-## Assign Managed Identity Operator role to the Managed Identity itself
+### Assign managed identity operator role via portal
 
 1. Go to the Azure portal and search for **Managed Identities**.
 2. Select *your-identity* from the list of **Managed Identities**.
@@ -109,6 +110,155 @@ Repeat the role assignment process for any remaining resources given the chosen
 
 Completion of all the tasks outlined in this article ensures that the Site Network Service (SNS) has the necessary permissions to function effectively within the specified Azure environment.
 
-## Assign other required permissions to the Managed Identity
-
-Repeat this process to assign any other permissions to the Managed Identity that your Network Service Designer identified.
+## Create and assign permissions to a UAMI via bicep
+
+The required operations to create and assign permissions are also supported via bicep scripting. This approach may work better where automation of these operations within a workflow pipeline is necessary. The following example demonstrates the bicep operations required to establish the UAMI with minimum assigned roles. Expand role assignment, as necessary, based on scope approach.
+
+```bicep
+// ----------- MIO Role Definition -----------
+// This role is used to assign the Managed Identity Operator role to the User Assigned Managed Identity (UAMI).
+@description('This is the built-in MIO role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-identity-operator')
+resource MIORoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
+  scope: managedIdentity
+  name: 'f1a07417-d97a-45cb-824c-7a7467783830'
+}
+
+// This role is used to assign the Contributor role to the User Assigned Managed Identity (UAMI) at the resource group level.
+resource ContributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
+  scope: subscription()
+  name: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+}
+
+// Assign the Managed Identity Operator role to the User Assigned Managed Identity (UAMI) at the scope of the managed identity.
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+  name: guid(resourceGroup().id, principalId, MIORoleDefinition.id)
+  scope: managedIdentity
+  properties: {
+    roleDefinitionId: MIORoleDefinition.id
+    principalId: managedIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+// Get reference to the target resource group
+resource targetRg 'Microsoft.Resources/resourceGroups@2022-09-01' existing = {
+  name: 'publisherResourceGroupName' // Replace with the actual resource group name
+  scope: subscription('subscriptionId')
+}
+
+// Assign the Contributor role to the User Assigned Managed Identity (UAMI) at the scope of the publisher resource group.
+resource roleAssignmentContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+  name: guid(resourceGroup().id, principalId, ContributorRoleDefinition.id)
+  scope: targetRg
+  properties: {
+    roleDefinitionId: ContributorRoleDefinition.id
+    principalId: managedIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+```
+
+## Use a UAMI with NF and SNS operations
+
+### NF template considerations
+
+The NF template must be updated to include the identityObj parameter. The following JSON example demonstrates use of this parameter with a generic NF setup:
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "nameValue": {
+      "type": "string",
+      "defaultValue": "[concat('anf-', substring(uniqueString(deployment().name), 0, 6))]"
+    },
+    "locationValue": {
+      "type": "string",
+      "defaultValue": "eastus2euap"
+    },
+    "nfviTypeValue": {
+      "type": "string",
+      "defaultValue": "AzureArcKubernetes"
+    },
+    "nfviIdValue": {
+      "type": "string"
+    },
+    "config": {
+      "type": "object",
+      "defaultValue": {}
+    },
+    "nfdvId": {
+      "type": "string"
+    },
+    "identityObj": {
+      "type": "object",
+      "defaultValue": {
+        "type": "UserAssigned",
+        "userAssignedIdentities": {
+          "/subscriptions/<subscriptionId>/resourceGroups/<rgName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<uaminame>": {}
+        }
+      }
+    }
+  },
+  "variables": {
+    "deploymentValuesValue": "[string(createObject('role1releasenamespace', parameters('config').role1releasenamespace, 'role1releasename',parameters('config').role1releasename, 'role2releasenamespace', parameters('config').role2releasenamespace, 'role2releasename',parameters('config').role2releasename,'role3releasenamespace', parameters('config').role3releasenamespace, 'role3releasename',parameters('config').role3releasename))]",
+    "nfName": "[concat(parameters('nameValue'), '-CNF')]"
+  },
+  "resources": [
+    {
+      "type": "Microsoft.HybridNetwork/networkFunctions",
+      "apiVersion": "2024-04-15",
+      "name": "[variables('nfName')]",
+      "location": "[parameters('locationValue')]",
+      "identity": "[parameters('identityObj')]",
+      "properties": {
+        "networkFunctionDefinitionVersionResourceReference": {
+          "id": "[parameters('nfdvId')]",
+          "idType": "Open"
+        },
+        "nfviType": "[parameters('nfviTypeValue')]",
+        "nfviId": "[parameters('nfviIdValue')]",
+        "allowSoftwareUpdate": true,
+        "configurationType": "Secret",
+        "secretDeploymentValues": "[string(variables('deploymentValuesValue'))]"
+      }
+    }
+  ]
+}
+```
+### SNS template considerations
+
+The SNS template must be updated to include the identity resource parameter. The following bicep example demonstrates use of this parameter with a generic SNS setup:
+
+```bicep
+resource azCoreSnsUAMI 'Microsoft.HybridNetwork/sitenetworkservices@2023-09-01' = {
+  name: snsNameUAMI
+  location: location
+  sku: {
+    name: 'Standard'
+  }
+  identity:  {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+     '${managedIdentity.id}': {} 
+    }
+  }
+  properties: {
+    siteReference: {
+      id: azCoreSite.id
+    }
+    networkServiceDesignVersionResourceReference: {
+        id: nsdv.id
+        idType: 'Open'
+    }
+    desiredStateConfigurationGroupValueReferences: {
+      Test_Configuration: {
+        id: azCoreCgv.id
+      }
+      Secret_Configuration:{
+        id:azCoreCgvSecret.id
+      }
+    }
+  }
+}
+```
