Merge pull request #216685 from duongau/managedidentity

Azure Front Door - Set up managed identity with Front Door

Author: LJSpiller

articles/frontdoor/TOC.yml

@@ -249,6 +249,8 @@
           href: how-to-configure-endpoints.md
         - name: Origins in origin group
           href: how-to-configure-origin.md
+        - name: Set up managed identity
+          href: managed-identity.md
         - name: Add a custom domain
           href: standard-premium/how-to-add-custom-domain.md
         - name: Add a root or apex domain

articles/frontdoor/managed-identity.md

@@ -0,0 +1,110 @@
+---
+title: Use managed identities with Azure Front Door Standard/Premium (Preview)
+description: This article will show you how to set up managed identities to use with your Azure Front Door Standard or Premium profile.
+services: frontdoor
+author: duongau
+ms.service: frontdoor
+ms.topic: conceptual
+ms.date: 11/02/2022
+ms.author: duau
+---
+
+# Use managed identities with Azure Front Door Standard/Premium (Preview)
+
+Azure Front Door also supports using managed identities to access Key Vault certificate. A managed identity generated by Azure Active Directory (Azure AD) allows your Azure Front Door instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault. Azure manages this identity, so you don't have to create or rotate any secrets. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
+
+> [!NOTE]
+> Once you enable managed identities in Azure Front Door and grant proper permissions to access Key Vault, Azure Front Door will always use managed identities to access Key Vault for customer certificate. 
+> 
+> You can grant two types of identities to an Azure Front Door profile:
+> * A **system-assigned** identity is tied to your service and is deleted if your service is deleted. The service can have only **one** system-assigned identity.
+> * A **user-assigned** identity is a standalone Azure resource that can be assigned to your service. The service can have **multiple** user-assigned identities.
+> 
+> Managed identities are specific to the Azure AD tenant where your Azure subscription is hosted. They don't get updated if a subscription gets moved to a different directory. If a subscription gets moved, you'll need to recreate and configure the identities.
+
+## Prerequisites
+
+Before you can set up managed identities for Front Door, you must have a Front Door Standard or Premium profile. To create an Azure Front Door profile, see [create an Azure Front Door](create-front-door-portal.md). 
+
+## Enable managed identity
+
+1. Go to an existing Azure Front Door Standard or Premium profile. Select **Identity (preview)** under *Settings*.
+
+    :::image type="content" source="./media/managed-identity/overview.png" alt-text="Screenshot of the identity button under settings for a Front Door profile.":::
+
+1. Select either **System assigned** or **User assigned**.
+
+    * **System assigned** - a managed identity is created for the Azure Front Door profile lifecycle and is used to access a Key Vault.
+    
+    * **User assigned** - a standalone managed identity resource used to authenticate to a Key Vault and has its own lifecycle.
+
+### System assigned
+
+1. Toggle the *Status* to **On** and then select **Save**.
+
+    :::image type="content" source="./media/managed-identity/system-assigned.png" alt-text="Screenshot of the system assigned managed identity configuration page.":::
+
+1. You'll be prompted with a message to confirm you would like to create a system managed identity for the Front Door profile. Select **Yes** to confirm.
+
+    :::image type="content" source="./media/managed-identity/system-assigned-confirm.png" alt-text="Screenshot of the system assigned managed identity confirmation message.":::
+
+1. Once the system assigned managed identity has been created and registered with Azure AD, you can use the **Object (principal) ID** to allow Azure Front Door access to your Key Vault.
+
+    :::image type="content" source="./media/managed-identity/system-assigned-created.png" alt-text="Screenshot of the system assigned managed identity registered with Azure Active Directory.":::
+
+### User assigned
+
+1. You must have a user managed identity already created. For more information, see [create a user assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).
+
+1. Select the **User assigned** tab and then select **+ Add**.
+
+    :::image type="content" source="./media/managed-identity/user-assigned.png" alt-text="Screenshot of the user assigned managed identity configuration page.":::
+
+1. Search and select the user assigned manage identity. Then select **Add** to add the user managed identity to the Azure Front Door profile.
+
+    :::image type="content" source="./media/managed-identity/add-user-managed-identity.png" alt-text="Screenshot of the add user assigned managed identity page.":::
+
+1. You'll now see the name of the user assigned managed identity you've selected show in the Azure Front Door profile.
+
+    :::image type="content" source="./media/managed-identity/user-assigned-configured.png" alt-text="Screenshot of the add user assigned managed identity added to Front Door profile.":::
+
+## Configure Key Vault access policy
+
+1. Navigate to your Azure Key Vault.
+
+    :::image type="content" source="./media/managed-identity/key-vault-list.png" alt-text="Screenshot of the Key Vault resource list.":::
+
+1. Select **Access policies** from under *Settings* and then select **+ Create**.
+
+    :::image type="content" source="./media/managed-identity/access-policies.png" alt-text="Screenshot of the access policies page for a Key Vault.":::
+
+1. On the **Permissions** tab of the *Create an access policy* page, select **List** and **Get** under *Secret permissions*. Then select **Next** to configure the next tab.
+
+    :::image type="content" source="./media/managed-identity/permissions.png" alt-text="Screenshot of the permissions tab for the Key Vault access policy.":::
+
+1. On the *Principal* tab, paste the **object (principal) ID** if you're using a system managed identity or enter a **name** if you're using a user assigned manged identity. Then select **Next** to configure the next tab.
+
+    :::image type="content" source="./media/managed-identity/system-principal.png" alt-text="Screenshot of the principal tab for the Key Vault access policy.":::
+
+1. On the *Application* tab, the application has already been selected for you. Select **Next** to go to the *Review + create* tab.
+
+    :::image type="content" source="./media/managed-identity/application.png" alt-text="Screenshot of the application tab for the Key Vault access policy.":::
+
+1. Review the access policy settings and then select **Create** to set up the access policy.
+
+    :::image type="content" source="./media/managed-identity/create.png" alt-text="Screenshot of the review and create tab for the Key Vault access policy.":::
+
+## Verify access
+
+1. Go to the Azure Front Door profile you enabled managed identity and select **Secret** from under *Settings*.
+
+    :::image type="content" source="./media/managed-identity/secrets.png" alt-text="Screenshot of accessing secrets from under settings of a Front Door profile.":::
+
+1. Confirm **Managed identity** appears under the *Access role* column for the certificate used in Front Door.
+
+    :::image type="content" source="./media/managed-identity/confirm-set-up.png" alt-text="Screenshot of Azure Front Door using managed identity to access certificate in Key Vault.":::
+
+## Next steps
+
+* Learn how to [configure HTTPS on an Azure Front Door custom domain](standard-premium/how-to-configure-https-custom-domain.md).
+* Learn more about [End-to-end TLS encryption](end-to-end-tls.md).