User-assigned identity flow

Author: alexwolfmsft

.openpublishing.redirection.azure.json

@@ -127,6 +127,10 @@
         {
             "source_path_from_root": "/docs/azure/sdk/authentication/authentication-best-practices.md",
             "redirect_url": "/dotnet/azure/sdk/authentication/best-practices"
+        },
+        {
+            "source_path_from_root": "/dotnet/azure/sdk/authentication/azure-hosted-apps.md",
+            "redirect_url": "/dotnet/azure/sdk/authentication/system-assigned-managed-identity"
         }
     ]
 }

docs/azure/TOC.yml

@@ -66,7 +66,11 @@
         - name: Auth using developer accounts
           href: ./sdk/authentication/local-development-dev-accounts.md
       - name: Auth from Azure-hosted apps
-        href: ./sdk/authentication/azure-hosted-apps.md
+        items:
+        - name: Use a system-assigned managed identity
+          href: ./sdk/authentication/system-assigned-managed-identity.md
+        - name: Use a user-assigned managed identity
+          href: ./sdk/authentication/user-assigned-managed-identity.md
       - name: Auth from on-premises apps
         href: ./sdk/authentication/on-premises-apps.md
       - name: Auth via configuration files

…/sdk/authentication/azure-hosted-apps.md …tion/system-assigned-managed-identity.mddocs/azure/sdk/authentication/azure-hosted-apps.md renamed to docs/azure/sdk/authentication/system-assigned-managed-identity.md docs/azure/sdk/authentication/azure-hosted-apps.md renamed to docs/azure/sdk/authentication/system-assigned-managed-identity.md

@@ -1,19 +1,19 @@
 ---
-title: Authenticate Azure-hosted .NET apps to Azure resources
-description: Learn how to authenticate apps to Azure services when hosted in an Azure compute service like Azure App Service, Azure Functions, or Azure Virtual Machines.
+title: Authenticate Azure-hosted .NET apps to Azure resources using a system-assigned managed identity
+description: Learn how to authenticate Azure-hosted .NET apps to other Azure services using a system-assigned identity
 ms.topic: how-to
 ms.custom: devx-track-dotnet, engagement-fy23, devx-track-azurecli
 ms.date: 02/06/2025
 ---
 
-# Authenticate Azure-hosted apps to Azure resources with the Azure SDK for .NET
+# Authenticate Azure-hosted .NET apps to Azure resources using a system-assigned managed identity
 
 The recommended approach to authenticate an Azure-hosted app to other Azure resources is to use a [managed identity](/entra/identity/managed-identities-azure-resources/overview). This approach is [supported for most Azure services](/entra/identity/managed-identities-azure-resources/managed-identities-status), including apps hosted on Azure App Service, Azure Container Apps, and Azure Virtual Machines. Discover more about different authentication techniques and approaches on the [authentication overview](/dotnet/azure/sdk/authentication) page. In the sections ahead, you'll learn:
 
 - Essential managed identity concepts
-- How to create a managed identity for your app
-- How to assign roles to the managed identity
-- How to authenticate using the managed identity from your app code
+- How to create a system-assigned managed identity for your app
+- How to assign roles to the system-assigned managed identity
+- How to authenticate using the system-assigned managed identity from your app code
 
 ## Essential managed identity concepts
 

docs/azure/sdk/authentication/user-assigned-managed-identity.md

@@ -0,0 +1,62 @@
+---
+title: Authenticate Azure-hosted .NET apps to Azure resources using a user-assigned managed identity
+description: Learn how to authenticate Azure-hosted .NET apps to other Azure services using a user-assigned identity
+ms.topic: how-to
+ms.custom: devx-track-dotnet, engagement-fy23, devx-track-azurecli
+ms.date: 02/06/2025
+---
+
+# Authenticate Azure-hosted .NET apps to Azure resources using a user-assigned managed identity
+
+The recommended approach to authenticate an Azure-hosted app to other Azure resources is to use a [managed identity](/entra/identity/managed-identities-azure-resources/overview). This approach is [supported for most Azure services](/entra/identity/managed-identities-azure-resources/managed-identities-status), including apps hosted on Azure App Service, Azure Container Apps, and Azure Virtual Machines. Discover more about different authentication techniques and approaches on the [authentication overview](/dotnet/azure/sdk/authentication) page. In the sections ahead, you'll learn:
+
+- Essential managed identity concepts
+- How to create a user-assigned managed identity for your app
+- How to assign roles to the user-assigned managed identity
+- How to authenticate using the user-assigned managed identity from your app code
+
+[!INCLUDE [managed-identity-concepts](../includes/managed-identity-concepts.md)]
+
+## Create a user-assigned managed identity
+
+User-assigned identities are created as standalone resources in your Azure subscription. You can create them using the Azure portal or the Azure CLI.
+
+### [Azure portal](#tab/azure-portal)
+
+1. In the Azure portal, enter *Managed identities* in the main search bar and select the matching result under the **Services** section.
+1. On the **Managed Identities** page, select **+ Create**.
+
+    :::image type="content" source="../media/user-assigned-identity-create.png" alt-text="A screenshot showing the page to manage user-assigned identities.":::
+
+1. On the **Create User Assigned Managed Identity** page, select a subscription, resource group, and region for the user-assigned identity. Enter a logical name for the identity.
+1. Select **Review + create** to review and validate your inputs.
+
+    :::image type="content" source="../media/user-assigned-identity-form.png" alt-text="A screenshot showing the form to create a user-assigned identity.":::
+
+1. Select **Create** to create the user-assigned identity.
+
+### [Azure CLI](#tab/azure-cli)
+
+Azure CLI commands can be run in the [Azure Cloud Shell](https://shell.azure.com) or on a workstation with the [Azure CLI installed](/cli/azure/install-azure-cli).
+
+The Azure CLI commands used to enable managed identity for an Azure resource are of the form `az <command-group> identity --resource-group <resource-group-name> --name <resource-name>`. Specific commands for popular Azure services are shown below.
+
+```azurecli
+az identity create --resource-group <resource-group-name> --name <identity-name>
+```
+
+The command output should display the following values:
+    - **ClientID**: Used to configure application code that uses the identity.
+    - **Location**: The Azure region that contains the identity.
+    - **Name**: The name of the identity.
+    - **PrincipalId**: Used for access control and role assignments in Azure.
+    - **ResourceGroup**: The resource group that contains the identity.
+    - **TenantId**: The Microsoft Entra tenant that contains the identity. in.
+
+For the steps ahead, you'll use the `principalId` to assign roles to the managed identity.
+
+[!INCLUDE [assign-roles-identity](../includes/assign-roles-identity.md)]
+
+## Implement DefaultAzureCredential in your application
+
+[!INCLUDE [Implement DefaultAzureCredential](<../includes/implement-defaultazurecredential.md>)]

docs/azure/sdk/includes/assign-roles-identity.md

@@ -0,0 +1,61 @@
+## Assign roles to the managed identity
+
+Next, determine which roles your app needs and assign those roles to the managed identity. You can assign roles to a managed identity at the following scopes:
+
+- **Resource**: The assigned roles only apply to that specific resource.
+- **Resource group**: The assigned roles apply to all resources contained in the resource group.
+- **Subscription**: The assigned roles apply to all resources contained in the subscription.
+
+The following example shows how to assign roles at the resource group scope, since many apps manage all their related Azure resources using a single resource group.
+
+### [Azure portal](#tab/azure-portal)
+
+1. Navigate to the **Overview** page of the resource group that contains the app with the system-assigned managed identity.
+1. Select **Access control (IAM)** on the left navigation.
+1. On the **Access control (IAM)** page, select **+ Add** on the top menu and then choose **Add role assignment** to navigate to the **Add role assignment** page.
+
+    :::image type="content" source="../media/system-assigned-identity-access-control.png" alt-text="A screenshot showing how to access the identity role assignment page.":::
+
+1. The **Add role assignment** page presents a tabbed, multi-step workflow to assign roles to identities. On the initial **Role** tab, use the search box at the top to locate the role you want to assign to the identity.
+1. Select the role from the results and then choose **Next** to move to the **Members** tab.
+1. For the **Assign access to** option, select **Managed identity**.
+1. For the **Members** option, choose **+ Select members** to open the **Select managed identities** panel.
+1. On the **Select managed identities** panel, use the **Subscription** and **Managed identity** dropdowns to filter the search results for your identities. Use the **Select** search box to locate the system-identity you enabled for the Azure resource hosting your app.
+
+    :::image type="content" source="../media/system-assigned-identity-assign-roles.png" alt-text="A screenshot showing the managed identity assignment process.":::
+
+1. Select the identity and choose **Select** at the bottom of the panel to continue.
+1. Select **Review + assign** at the bottom of the page.
+1. On the final **Review + assign** tab, select **Review + assign** to complete the workflow.
+
+### [Azure CLI](#tab/azure-cli)
+
+A managed identity is assigned a role in Azure using the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command:
+
+```azurecli
+az role assignment create \
+    --assignee "{principalId}" \
+    --role "{roleName}" \
+    --scope "{scope}"
+```
+
+To get the role names to which a service principal can be assigned, use the [az role definition list](/cli/azure/role/definition#az-role-definition-list) command:
+
+```azurecli
+az role definition list \
+    --query "sort_by([].{roleName:roleName, description:description}, &roleName)" \
+    --output table
+```
+
+For example, to allow the managed identity with the ID of `99999999-9999-9999-9999-999999999999` read, write, and delete access to Azure Storage blob containers and data to all storage accounts in the *msdocs-dotnet-sdk-auth-example* resource group, assign the application service principal to the *Storage Blob Data Contributor* role using the following command:
+
+```azurecli
+az role assignment create \
+    --assignee 99999999-9999-9999-9999-999999999999 \
+    --role "Storage Blob Data Contributor" \
+    --scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/msdocs-dotnet-sdk-auth-example"
+```
+
+For information on assigning permissions at the resource or subscription level using the Azure CLI, see the article [Assign Azure roles using the Azure CLI](/azure/role-based-access-control/role-assignments-cli).
+
+---

docs/azure/sdk/includes/managed-identity-concepts.md

@@ -0,0 +1,10 @@
+## Essential managed identity concepts
+
+A managed identity enables your app to securely connect to other Azure resources without the use of secret keys or other application secrets. Internally, Azure tracks the identity and which resources it's allowed to connect to. Azure uses this information to automatically obtain Microsoft Entra tokens for the app to allow it to connect to other Azure resources.
+
+There are two types of managed identities to consider when configuring your hosted app:
+
+- **System-assigned** identities are enabled directly on an Azure resource and are tied to its life cycle. When the resource is deleted, Azure automatically deletes the identity for you. System-assigned identities provide a minimalistic approach to using managed identities.
+- **User-assigned** identities are created as standalone Azure resources and offer greater flexibility and capabilities. They are ideal for solutions involving multiple Azure resources that need to share the same identity and permissions. For example, if multiple virtual machines need to access the same set of Azure resources, a user-assigned managed identity provides reusability and optimized management.
+
+The sections ahead describe the steps to enable and use a user-assigned managed identity for an Azure-hosted app. If you need to use a user-assigned managed identity, visit the [system-assigned managed identities](/system-assigned-identity-auth) article for more information.