articles/frontdoor/origin-authentication-with-managed-identities.md
13 additions & 9 deletions
@@ -5,18 +5,20 @@ description: This article shows you how to set up managed identities with Azure
5
5
author: halkazwini
6
6
ms.author: halkazwini
7
7
ms.service: azure-frontdoor
8
-
ms.topic: concept-article
8
+
ms.topic: how-to
9
9
ms.date: 05/12/2025
10
10
---
11
11
12
12
# Use managed identities to authenticate to origins (preview)
13
13
14
+
**Applies to:**:heavy_check_mark: Front Door Standard :heavy_check_mark: Front Door Premium
15
+
14
16
Managed identities provided by Microsoft Entra ID enables your Azure Front Door Standard/Premium instance to securely access other Microsoft Entra protected resources, such as Azure Blob Storage, without the need to manage credentials. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
15
17
16
18
After you enable managed identity for Azure Front Door and granting the managed identity necessary permissions to your origin, Front Door will use the managed identity to obtain an access token from Microsoft Entra ID for accessing the specified resource. After successfully obtaining the token, Front Door will set the value of the token in the Authorization header using the Bearer scheme and then forward the request to the origin. Front Door caches the token until it expires.
17
19
18
20
> [!Note]
19
-
> This feature is not currently supported for private link enabled origins within Front Door.
21
+
> This feature is currently not supported for origins with Private Link enabled in Front Door.
20
22
21
23
Azure Front Door supports two types of managed identities:
22
24
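Review bot: the unchanged context lines this hunk wraps still carry two grammar errors that a rewrite of this introduction should pick up. Line 16 "Managed identities provided by Microsoft Entra ID enables your Azure Front Door Standard/Premium instance" should read "enable", and line 18 "After you enable managed identity for Azure Front Door and granting the managed identity necessary permissions" should read "and grant the managed identity the necessary permissions". The new line 14 `**Applies to:**:heavy_check_mark:` has no space between the bold marker and the emoji shortcode; check that it renders. The reworded Private Link note at new line 21 is clearer than the old line 19 and is fine.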
@@ -27,17 +29,19 @@ Managed identities are specific to the Microsoft Entra tenant where your Azure s
27
29
28
30
## Prerequisites
29
31
30
-
Before setting up managed identity for Azure Front Door, ensure you have an Azure Front Door Standard or Premium profile. To create a new profile, see [create an Azure Front Door](create-front-door-portal.md).
32
+
* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
33
+
34
+
* An Azure Front Door Standard or Premium profile. To create a new profile, see [create an Azure Front Door](create-front-door-portal.md).
31
35
32
36
## Enable managed identity
33
37
34
38
1. Navigate to your existing Azure Front Door profile. Select **Identity** under *Security* in the left menu.
35
39
36
40
1. Choose either a **System assigned** or **User assigned** managed identity.
37
41
38
-
***[System assigned](#system-assigned)** - A managed identity tied to the Azure Front Door profile lifecycle, used to access Azure Key Vault.
42
+
***[System assigned](#system-assigned)** - A managed identity tied to the Azure Front Door profile lifecycle.
39
43
40
-
***[User assigned](#user-assigned)** - A standalone managed identity resource with its own lifecycle, used to authenticate to Azure Key Vault.
44
+
***[User assigned](#user-assigned)** - A standalone managed identity resource with its own lifecycle.
41
45
42
46
### System assigned
43
47
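Review bot: removing "used to access Azure Key Vault" from the two identity bullets (new lines 42 and 44) corrects text copied from the Key Vault article, but the bullets now say nothing about what the identity is used for in this article. For parallelism with the change at new line 54 ("grant Azure Front Door access to your origin"), end each bullet with "used to authenticate to your origin". Also verify the rendered output of `***[System assigned](#system-assigned)**`: as shown it reads as a list marker fused to the bold marker without a space, whereas the new Prerequisites bullets at lines 32 and 34 use `* ` with a space.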
@@ -47,7 +51,7 @@ Before setting up managed identity for Azure Front Door, ensure you have an Azur
47
51
48
52
1. Confirm the creation of a system managed identity for your Front Door profile by selecting **Yes** when prompted.
49
53
50
-
1. Once created and registered with Microsoft Entra ID, use the **Object (principal) ID** to grant Azure Front Door access to your Azure Key Vault.
54
+
1. Once created and registered with Microsoft Entra ID, use the **Object (principal) ID** to grant Azure Front Door access to your origin.
51
55
52
56
:::image type="content" source="./media/managed-identity/system-assigned-created.png" alt-text="Screenshot of the system assigned managed identity registered with Microsoft Entra ID.":::
53
57
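Review bot: new line 54 now directs the Object (principal) ID at "your origin", which matches the article's scope, but the step does not say where that grant happens. Link it to the role assignment procedure later in the article (the Access Control (IAM) steps at lines 90-96) so a reader on the system-assigned path knows the Object (principal) ID is the value to select as the member in the role assignment. Context line 52 says "system managed identity" where the rest of the article says "system assigned"; align the term.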
@@ -63,7 +67,7 @@ Before setting up managed identity for Azure Front Door, ensure you have an Azur
63
67
64
68
:::image type="content" source="./media/managed-identity/user-assigned-configured.png" alt-text="Screenshot of the user-assigned managed identity added to the Front Door profile.":::
65
69
66
-
## Associating the identity to an Origin Group
70
+
## Associating the identity to an origin group
67
71
68
72
> [!Note]
69
73
> The association will only work if
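Review bot: the heading at new line 70 fixes the casing but keeps the gerund "Associating the identity to an origin group" while the article's other procedural headings ("Enable managed identity") are imperative; "Associate the identity with an origin group" matches both the convention and idiomatic usage ("associate with", not "associate to"). The note beginning at line 73, "The association will only work if", is the place where the Private Link restriction stated at new line 21 should be repeated, since the conditions that follow are what a reader checks when association fails.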
@@ -86,7 +90,7 @@ Before setting up managed identity for Azure Front Door, ensure you have an Azur
86
90
1. Navigate to the management page of your origin resource. For example, if the origin is an Azure Blob Storage, go to that Storage Account management page.
87
91
88
92
> [!Note]
89
-
> Below steps assume that your origin is an Azure Blob Storage. If you are using a different resource type as your origin, make sure that you choose an appropriate 'Job function role' during role assignment. Apart from that, the steps will remain same for all resource types.
93
+
> The next steps assume your origin is an Azure Blob Storage. If you're using a different resource type, make sure to select the appropriate **job function role** during role assignment. Otherwise, the steps remain the same for most resource types.
90
94
91
95
2. Go to the **Access Control (IAM)** section and click on **Add**. Choose **Add role assignment** from the dropdown menu.
92
96
:::image type="content" source="./media/managed-identity/add-role-assignment-menu.png" alt-text="Screenshot of access control settings.":::
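Review bot: "Otherwise, the steps remain the same for most resource types" at new line 93 uses the wrong connective; the sentence is not a consequence of the preceding one. The old "Apart from that, the steps will remain same" had the right sense, so use "Apart from the role choice, the steps are the same for other resource types". More important for a walkthrough that grants a service identity access to data, "the appropriate job function role" leaves the reader to guess and invites picking a broad Contributor role; for the blob example, name the read-only data-plane role (Storage Blob Data Reader) and state that the identity should get no more than the origin's serving traffic needs.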
@@ -104,4 +108,4 @@ Before setting up managed identity for Azure Front Door, ensure you have an Azur
104
108
* Ensure that there are no private link enabled origins within the origin group.
105
109
* If you see 'Access Denied; responses from origin, verify that the Managed Identity has the appropriate role assigned to access the origin resource.
106
110
* Transition from SAS Tokens for Storage: If transitioning from SAS tokens to Managed Identities, follow a step-wise approach to avoid downtime. Enable Managed Identity, associate it with the origin, and then stop using SAS tokens.
107
-
* After you enable origin authentication in origin group settings, you should not directly disable/delete the identities from the Identity settings under Front Door portal, nor directly delete the user-assigned managed identity under the Managed Identity portal. Doing so will cause origin authentication to fail immediately. Instead, if you want to stop using the origin authentication feature or want to delete/disable the identities, first disable the access restrictions under the Access Control (IAM) section of the origin resource so that the origin is accessible without the need of a managed identity or Entra ID token. Then disable origin authentication under Front Door origin group settings. Wait for some time for the configuration to be updated and then delete/disable the identity if required.
111
+
* After you enable origin authentication in origin group settings, you should not directly disable/delete the identities from the Identity settings under Front Door portal, nor directly delete the user-assigned managed identity under the Managed Identity portal. Doing so will cause origin authentication to fail immediately. Instead, if you want to stop using the origin authentication feature or want to delete/disable the identities, first disable the access restrictions under the Access Control (IAM) section of the origin resource so that the origin is accessible without the need of a managed identity or Entra ID token. Then disable origin authentication under Front Door origin group settings. Wait for some time for the configuration to be updated and then delete/disable the identity if required.
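Review bot: old line 107 and new line 111 render identically, so this change is whitespace or an end-of-file newline; confirm that is intentional. The paragraph itself would read better as a numbered sequence (disable the IAM restrictions on the origin, disable origin authentication in the origin group settings, wait for the configuration to propagate, then disable or delete the identity), and it should say plainly that the first step leaves the origin reachable without a managed identity or Entra ID token for the entire window, so readers can schedule it. Context line 109 has a mismatched quote in "'Access Denied; responses"; it should read "'Access Denied' responses". Line 110 "Transition from SAS Tokens for Storage" mixes title case with the lowercase "SAS tokens" and "managed identities" used elsewhere.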