Next, determine which roles your app needs and assign those roles to the managed identity. Prefer the narrowest scope and the least-privileged built-in role that covers what the app actually does, because an assignment is inherited by everything beneath its scope, including resources created later. You can assign roles to a managed identity at the following scopes:
- **Resource**: The assigned roles only apply to that specific resource.
- **Resource group**: The assigned roles apply to all resources contained in the resource group.
- **Subscription**: The assigned roles apply to all resources contained in the subscription.
The following example shows how to assign roles at the resource group scope, since many apps manage all their related Azure resources using a single resource group.
### [Azure portal](#tab/azure-portal)
1. Navigate to the **Overview** page of the resource group that contains the app with the user-assigned managed identity.
1. Select **Access control (IAM)** on the left navigation.
1. On the **Access control (IAM)** page, select **+ Add** on the top menu and then choose **Add role assignment** to navigate to the **Add role assignment** page.
:::image type="content" source="../media/add-role-assignment.png" alt-text="A screenshot showing how to access the identity role assignment page.":::
1. The **Add role assignment** page presents a tabbed, multi-step workflow to assign roles to identities. On the initial **Role** tab, use the search box at the top to locate the role you want to assign to the identity.
1. Select the role from the results and then choose **Next** to move to the **Members** tab.
1. For the **Assign access to** option, select **Managed identity**.
1. For the **Members** option, choose **+ Select members** to open the **Select managed identities** panel.
1. On the **Select managed identities** panel, use the **Subscription** and **Managed identity** dropdowns to filter the search results for your identities. Use the **Select** search box to locate the user-assigned managed identity you enabled for the Azure resource hosting your app.
1. Select the identity and choose **Select** at the bottom of the panel to continue.
1. Select **Review + assign** at the bottom of the page.
1. On the final **Review + assign** tab, select **Review + assign** to complete the workflow.
### [Azure CLI](#tab/azure-cli)
A managed identity is assigned a role in Azure using the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command:
```azurecli
az role assignment create \
    --assignee "{principalId}" \
    --role "{roleName}" \
    --scope "{scope}"
```
To list the names of the roles a managed identity's service principal can be assigned, use the [az role definition list](/cli/azure/role/definition#az-role-definition-list) command:

```azurecli
az role definition list --query "[].roleName" -o tsv
```

For example, to give the managed identity with the principal ID `99999999-9999-9999-9999-999999999999` read, write, and delete access to blob containers and blob data in every storage account in the *msdocs-dotnet-sdk-auth-example* resource group, assign its service principal the *Storage Blob Data Contributor* role at the resource group scope:

```azurecli
az role assignment create \
    --assignee "99999999-9999-9999-9999-999999999999" \
    --role "Storage Blob Data Contributor" \
    --scope "/subscriptions/{subscriptionId}/resourceGroups/msdocs-dotnet-sdk-auth-example"
```

*Storage Blob Data Contributor* is a data-plane role: it grants access to blobs and containers, not the ability to manage the storage accounts themselves, which is why it is preferable to *Contributor* for an app that only needs to read and write blob data.

For information on assigning permissions at the resource or subscription level using the Azure CLI, see the article [Assign Azure roles using the Azure CLI](/azure/role-based-access-control/role-assignments-cli).
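The following script is an added example, not part of the Azure documentation or the Azure CLI. It composes the scope string for each of the three assignment levels described above (resource, resource group, subscription), refuses principal IDs that are not GUIDs, pins the assignee type to `ServicePrincipal` with the CLI's `--assignee-object-id` and `--assignee-principal-type` options so the assignment cannot be resolved against the wrong kind of principal, and reads the assignment back after creating it. The subscription ID and resource names are placeholders; only the principal ID and resource group name are taken from the text. Nothing is sent to Azure unless `DRY_RUN=0` is set after `az login`.

```shell
#!/usr/bin/env sh
# Added example: scope composition and a guarded role assignment for a
# managed identity. Not from the Azure docs; placeholder values throughout.
set -eu

# Build the ARM scope string for the three levels the text describes:
#   subscription  -> /subscriptions/<sub>
#   resourcegroup -> /subscriptions/<sub>/resourceGroups/<rg>
#   resource      -> /subscriptions/<sub>/resourceGroups/<rg>/providers/<provider path>
# The provider path is e.g. Microsoft.Storage/storageAccounts/<account name>.
build_scope() {
  local level=$1 sub=$2 rg=${3:-} resource_path=${4:-}
  case "$level" in
    subscription)  printf '/subscriptions/%s' "$sub" ;;
    resourcegroup) printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg" ;;
    resource)      printf '/subscriptions/%s/resourceGroups/%s/providers/%s' "$sub" "$rg" "$resource_path" ;;
    *) echo "unknown scope level: $level" >&2; return 1 ;;
  esac
}

# Managed identity principal IDs are GUIDs. Reject anything else before calling
# az so a typo or a pasted display name cannot become an assignment to some
# other principal.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Render the exact az command that would run, for review in a dry run.
# --assignee-object-id plus --assignee-principal-type ServicePrincipal avoids the
# directory lookup that the plain --assignee form performs.
role_assignment_cmd() {
  local principal_id=$1 role=$2 scope=$3
  is_guid "$principal_id" || { echo "principal id is not a GUID: $principal_id" >&2; return 1; }
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope %s\n' \
    "$principal_id" "$role" "$scope"
}

# Create the assignment (or print it when DRY_RUN=1), then read back what is
# actually granted at that scope so the result is verified, not assumed.
assign_role() {
  local principal_id=$1 role=$2 scope=$3
  is_guid "$principal_id" || { echo "refusing: principal id is not a GUID: $principal_id" >&2; return 1; }
  if [ "${DRY_RUN:-1}" = 1 ]; then
    role_assignment_cmd "$principal_id" "$role" "$scope"
    return 0
  fi
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" \
    --scope "$scope"
  az role assignment list --assignee "$principal_id" --scope "$scope" \
    --query "[].roleDefinitionName" -o tsv
}

# Demonstration with constructed placeholder values. DRY_RUN defaults to 1, so
# this only prints the command it would run.
SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"   # placeholder, not a real subscription
PRINCIPAL_ID="99999999-9999-9999-9999-999999999999"      # principal ID used in the text
SCOPE=$(build_scope resourcegroup "$SUBSCRIPTION_ID" msdocs-dotnet-sdk-auth-example)
assign_role "$PRINCIPAL_ID" "Storage Blob Data Contributor" "$SCOPE"
```

Run it once with the default `DRY_RUN=1` to inspect the scope and the command, then with `DRY_RUN=0` to apply and verify the assignment. Keep the scope at the resource group or resource level unless the app genuinely needs the role on every resource in the subscription.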
---
## Implement DefaultAzureCredential in your application