diff --git a/.openpublishing.redirection.azure.json b/.openpublishing.redirection.azure.json index 83f2317823183..60d47caf29900 100644 --- a/.openpublishing.redirection.azure.json +++ b/.openpublishing.redirection.azure.json @@ -127,6 +127,10 @@ { "source_path_from_root": "/docs/azure/sdk/authentication/authentication-best-practices.md", "redirect_url": "/dotnet/azure/sdk/authentication/best-practices" + }, + { + "source_path_from_root": "/docs/azure/sdk/authentication/azure-hosted-apps.md", + "redirect_url": "/docs/azure/sdk/authentication/system-assigned-managed-identity" } ] } diff --git a/docs/azure/TOC.yml b/docs/azure/TOC.yml index 8d7bff74f9f9f..f2def3aec11a7 100644 --- a/docs/azure/TOC.yml +++ b/docs/azure/TOC.yml @@ -66,7 +66,11 @@ - name: Auth using developer accounts href: ./sdk/authentication/local-development-dev-accounts.md - name: Auth from Azure-hosted apps - href: ./sdk/authentication/azure-hosted-apps.md + items: + - name: Use a system-assigned managed identity + href: ./sdk/authentication/system-assigned-managed-identity.md + - name: Use a user-assigned managed identity + href: ./sdk/authentication/user-assigned-managed-identity.md - name: Auth from on-premises apps href: ./sdk/authentication/on-premises-apps.md - name: Auth via configuration files diff --git a/docs/azure/sdk/authentication/azure-hosted-apps.md b/docs/azure/sdk/authentication/system-assigned-managed-identity.md similarity index 78% rename from docs/azure/sdk/authentication/azure-hosted-apps.md rename to docs/azure/sdk/authentication/system-assigned-managed-identity.md index c0d5f4f17938b..21771077555d2 100644 --- a/docs/azure/sdk/authentication/azure-hosted-apps.md +++ b/docs/azure/sdk/authentication/system-assigned-managed-identity.md @@ -1,30 +1,23 @@ --- -title: Authenticate Azure-hosted .NET apps to Azure resources -description: Learn how to authenticate apps to Azure services when hosted in an Azure compute service like Azure App Service, Azure Functions, or Azure Virtual Machines. +title: Authenticate Azure-hosted .NET apps to Azure resources using a system-assigned managed identity +description: Learn how to authenticate Azure-hosted .NET apps to other Azure services using a system-assigned managed identity. ms.topic: how-to ms.custom: devx-track-dotnet, engagement-fy23, devx-track-azurecli ms.date: 02/06/2025 --- -# Authenticate Azure-hosted apps to Azure resources with the Azure SDK for .NET +# Authenticate Azure-hosted .NET apps to Azure resources using a system-assigned managed identity The recommended approach to authenticate an Azure-hosted app to other Azure resources is to use a [managed identity](/entra/identity/managed-identities-azure-resources/overview). This approach is [supported for most Azure services](/entra/identity/managed-identities-azure-resources/managed-identities-status), including apps hosted on Azure App Service, Azure Container Apps, and Azure Virtual Machines. Discover more about different authentication techniques and approaches on the [authentication overview](/dotnet/azure/sdk/authentication) page. In the sections ahead, you'll learn: - Essential managed identity concepts -- How to create a managed identity for your app -- How to assign roles to the managed identity -- How to authenticate using the managed identity from your app code +- How to create a system-assigned managed identity for your app +- How to assign roles to the system-assigned managed identity +- How to authenticate using the system-assigned managed identity from your app code -## Essential managed identity concepts +[!INCLUDE [managed-identity-concepts](../includes/managed-identity-concepts.md)] -A managed identity enables your app to securely connect to other Azure resources without the use of secret keys or other application secrets. Internally, Azure tracks the identity and which resources it's allowed to connect to. Azure uses this information to automatically obtain Microsoft Entra tokens for the app to allow it to connect to other Azure resources. - -There are two types of managed identities to consider when configuring your hosted app: - -- **System-assigned** identities are enabled directly on an Azure resource and are tied to its life cycle. When the resource is deleted, Azure automatically deletes the identity for you. System-assigned identities provide a minimalistic approach to using managed identities. -- **User-assigned** identities are created as standalone Azure resources and offer greater flexibility and capabilities. They are ideal for solutions involving multiple Azure resources that need to share the same identity and permissions. For example, if multiple virtual machines need to access the same set of Azure resources, a user-assigned managed identity provides reusability and optimized management. - -The sections ahead describe the steps to enable and use a system-assigned managed identity for an Azure-hosted app. If you need to use a user-assigned managed identity, visit the [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp) article for more information. +The sections ahead describe the steps to enable and use a system-assigned managed identity for an Azure-hosted app. If you need to use a user-assigned managed identity, visit the [user-assigned managed identities](/dotnet/azure/sdk/authentication/user-assigned-managed-identity) article for more information. ## Enable a system-assigned managed identity on the Azure hosting resource diff --git a/docs/azure/sdk/authentication/user-assigned-managed-identity.md b/docs/azure/sdk/authentication/user-assigned-managed-identity.md new file mode 100644 index 0000000000000..33d7e34520787 --- /dev/null +++ b/docs/azure/sdk/authentication/user-assigned-managed-identity.md @@ -0,0 +1,201 @@ +--- +title: Authenticate Azure-hosted .NET apps to Azure resources using a user-assigned managed identity +description: Learn how to authenticate Azure-hosted .NET apps to other Azure services using a user-assigned managed identity. +ms.topic: how-to +ms.custom: devx-track-dotnet, engagement-fy23, devx-track-azurecli +ms.date: 02/06/2025 +--- + +# Authenticate Azure-hosted .NET apps to Azure resources using a user-assigned managed identity + +The recommended approach to authenticate an Azure-hosted app to other Azure resources is to use a [managed identity](/entra/identity/managed-identities-azure-resources/overview). This approach is [supported for most Azure services](/entra/identity/managed-identities-azure-resources/managed-identities-status), including apps hosted on Azure App Service, Azure Container Apps, and Azure Virtual Machines. Discover more about different authentication techniques and approaches on the [authentication overview](/dotnet/azure/sdk/authentication) page. In the sections ahead, you'll learn: + +- Essential managed identity concepts +- How to create a user-assigned managed identity for your app +- How to assign roles to the user-assigned managed identity +- How to authenticate using the user-assigned managed identity from your app code + +[!INCLUDE [managed-identity-concepts](../includes/managed-identity-concepts.md)] + +The sections ahead describe the steps to enable and use a user-assigned managed identity for an Azure-hosted app. If you need to use a user-assigned managed identity, visit the [system-assigned managed identities](/dotnet/azure/sdk/authentication/system-assigned-managed-identity) article for more information. + +## Create a user-assigned managed identity + +User-assigned managed identities are created as standalone resources in your Azure subscription using the Azure portal or the Azure CLI. Azure CLI commands can be run in the [Azure Cloud Shell](https://shell.azure.com) or on a workstation with the [Azure CLI installed](/cli/azure/install-azure-cli). + +### [Azure portal](#tab/azure-portal) + +1. In the Azure portal, enter *Managed identities* in the main search bar and select the matching result under the **Services** section. +1. On the **Managed Identities** page, select **+ Create**. + + :::image type="content" source="../media/user-assigned-identity-create.png" alt-text="A screenshot showing the page to manage user-assigned identities."::: + +1. On the **Create User Assigned Managed Identity** page, select a subscription, resource group, and region for the user-assigned managed identity, and then provide a name. +1. Select **Review + create** to review and validate your inputs. + + :::image type="content" source="../media/user-assigned-identity-form.png" alt-text="A screenshot showing the form to create a user-assigned managed identity."::: + +1. Select **Create** to create the user-assigned managed identity. +1. After the identity is created, select **Go to resource**. +1. On the new identity's **Overview** page, copy the **Client ID** value to use for later when you configure the application code. + +### [Azure CLI](#tab/azure-cli) + +Use the Azure CLI command [`az identity create`](/cli/azure/identity?view=azure-cli-latest#az-identity-create) to create a managed identity: + +```azurecli +az identity create \ + --resource-group \ + --name \ + --query 'clientId' \ + --output json +``` + +The command output prints the client ID of the created user-assigned managed identity. The client ID is used to configure application code that relies on the identity. + +You can always view the managed identity properties again using the [`az identity show`](/cli/azure/identity?view=azure-cli-latest#az-identity-show) command: + +```azurecli +az identity show \ + --resource-group \ + --name \ + --output json +``` + +--- + +## Assign the managed identity to your app + +A user-assigned managed identity can be associated with one or more Azure resources. All of the resources that use that identity gain the permissions applied through the identity's roles. + +### [Azure portal](#tab/azure-portal) + +1. In the Azure portal, navigate to the resource that hosts your app code, such as an Azure App Service or Azure Container App instance. +1. From the resource's **Overview** page, expand **Settings** and select **Identity** from the navigation. +1. On the **Identity** page, switch to the **User assigned** tab. +1. Select **+ Add** to open the **Add user assigned managed identity** panel. +1. On the **Add user assigned managed identity** panel, use the **Subscription** dropdown to filter the search results for your identities. Use the **User assigned managed identities** search box to locate the user-assigned managed identity you enabled for the Azure resource hosting your app. +1. Select the identity and choose **Add** at the bottom of the panel to continue. + + :::image type="content" source="../media/add-user-assigned-identity-to-app.png" alt-text="A screenshot showing how to associate a user-assigned identity with an app."::: + +### [Azure CLI](#tab/azure-cli) + +The Azure CLI provides different commands to assign a user-assigned managed identity to different types of hosting services. + +To assign a user-assigned managed identity to a resource such as an Azure App Service web app using the Azure CLI, you'll need the resource ID of the identity. Use the [`az identity show`](/cli/azure/identity?view=azure-cli-latest#az-identity-show) command to retrieve the resource ID: + +```azurecli +az identity show \ + --resource-group \ + --name \ + --output json \ + --query id +``` + +Once you have the resource ID, use the Azure CLI command `az identity assign` command to associate the user-assigned managed identity with different resources, such as the following: + +For Azure App Service, use the Azure CLI command [`az webapp identity assign`](/cli/azure/webapp/identity?view=azure-cli-latest#az-webapp-identity-assign): + +```azurecli +az webapp identity assign \ + --resource-group \ + --name \ + --identities +``` + +For Azure Container Apps, use the Azure CLI command [`az containerapp identity assign`](/cli/azure/containerapp/identity?view=azure-cli-latest#az-containerapp-identity-assign): + +```azurecli +az containerapp identity assign \ + --resource-group \ + --name \ + --identities +``` + +For Azure Virtual Machines, use the Azure CLI command [`az vm identity assign`](/cli/azure/vm/identity?view=azure-cli-latest#az-vm-identity-assign): + +```azurecli +az vm identity assign \ + --resource-group \ + --name \ + --identities +``` + +--- + +## Assign roles to the managed identity + +Next, determine which roles your app needs and assign those roles to the managed identity. You can assign roles to a managed identity at the following scopes: + +- **Resource**: The assigned roles only apply to that specific resource. +- **Resource group**: The assigned roles apply to all resources contained in the resource group. +- **Subscription**: The assigned roles apply to all resources contained in the subscription. + +The following example shows how to assign roles at the resource group scope, since many apps manage all their related Azure resources using a single resource group. + +### [Azure portal](#tab/azure-portal) + +1. Navigate to the **Overview** page of the resource group that contains the app with the user-assigned managed identity. +1. Select **Access control (IAM)** on the left navigation. +1. On the **Access control (IAM)** page, select **+ Add** on the top menu and then choose **Add role assignment** to navigate to the **Add role assignment** page. + + :::image type="content" source="../media/add-role-assignment.png" alt-text="A screenshot showing how to access the identity role assignment page."::: + +1. The **Add role assignment** page presents a tabbed, multi-step workflow to assign roles to identities. On the initial **Role** tab, use the search box at the top to locate the role you want to assign to the identity. +1. Select the role from the results and then choose **Next** to move to the **Members** tab. +1. For the **Assign access to** option, select **Managed identity**. +1. For the **Members** option, choose **+ Select members** to open the **Select managed identities** panel. +1. On the **Select managed identities** panel, use the **Subscription** and **Managed identity** dropdowns to filter the search results for your identities. Use the **Select** search box to locate the user-assigned managed identity you enabled for the Azure resource hosting your app. + + :::image type="content" source="../media/user-assigned-identity-assign-roles.png" alt-text="A screenshot showing the managed identity assignment process."::: + +1. Select the identity and choose **Select** at the bottom of the panel to continue. +1. Select **Review + assign** at the bottom of the page. +1. On the final **Review + assign** tab, select **Review + assign** to complete the workflow. + +### [Azure CLI](#tab/azure-cli) + +To assign a role to a user-assigned managed identity using the Azure CLI, you'll need the principal ID of the identity. Use the `az identity show` command to retrieve the resource ID: + +```azurecli +az identity show \ + --resource-group \ + --name \ + --output json \ + --query principalId +``` + +Assign a role to a managed identity using the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command: + +```azurecli +az role assignment create \ + --assignee \ + --role \ + --scope +``` + +To explore which roles a managed identity can be assigned, use the [az role definition list](/cli/azure/role/definition#az-role-definition-list) command: + +```azurecli +az role definition list \ + --query "sort_by([].{roleName:roleName, description:description}, &roleName)" \ + --output table +``` + +For example, to allow the managed identity with the ID of `99999999-9999-9999-9999-999999999999` read, write, and delete access to Azure Storage blob containers and data to all storage accounts in the *msdocs-dotnet-sdk-auth-example* resource group, assign the application service principal to the *Storage Blob Data Contributor* role using the following command: + +```azurecli +az role assignment create \ + --assignee 99999999-9999-9999-9999-999999999999 \ + --role "Storage Blob Data Contributor" \ + --scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/msdocs-dotnet-sdk-auth-example" +``` + +For information on assigning permissions at the resource or subscription level using the Azure CLI, see the article [Assign Azure roles using the Azure CLI](/azure/role-based-access-control/role-assignments-cli). + +--- + +## Implement DefaultAzureCredential in your application + +[!INCLUDE [Implement DefaultAzureCredential](<../includes/implement-user-assigned-identity.md>)] diff --git a/docs/azure/sdk/includes/implement-user-assigned-identity.md b/docs/azure/sdk/includes/implement-user-assigned-identity.md new file mode 100644 index 0000000000000..9b5b5058a0d78 --- /dev/null +++ b/docs/azure/sdk/includes/implement-user-assigned-identity.md @@ -0,0 +1,69 @@ +--- +ms.topic: include +ms.date: 08/15/2024 +--- +[DefaultAzureCredential](../authentication/credential-chains.md#defaultazurecredential-overview) is an opinionated, ordered sequence of mechanisms for authenticating to Microsoft Entra ID. Each authentication mechanism is a class derived from the [TokenCredential](/dotnet/api/azure.core.tokencredential?view=azure-dotnet&preserve-view=true) class and is known as a *credential*. At runtime, `DefaultAzureCredential` attempts to authenticate using the first credential. If that credential fails to acquire an access token, the next credential in the sequence is attempted, and so on, until an access token is successfully obtained. In this way, your app can use different credentials in different environments without writing environment-specific code. + +To use `DefaultAzureCredential`, add the [Azure.Identity](/dotnet/api/azure.identity) and optionally the [Microsoft.Extensions.Azure](/dotnet/api/microsoft.extensions.azure) packages to your application: + +### [Command Line](#tab/command-line) + +In a terminal of your choice, navigate to the application project directory and run the following commands: + +```dotnetcli +dotnet add package Azure.Identity +dotnet add package Microsoft.Extensions.Azure +``` + +### [NuGet Package Manager](#tab/nuget-package) + +Right-click your project in Visual Studio's **Solution Explorer** window and select **Manage NuGet Packages**. Search for **Azure.Identity**, and install the matching package. Repeat this process for the **Microsoft.Extensions.Azure** package. + +:::image type="content" source="../media/nuget-azure-identity.png" alt-text="Install a package using the package manager."::: + +--- + +Azure services are accessed using specialized client classes from the various Azure SDK client libraries. These classes and your own custom services should be registered so they can be accessed via dependency injection throughout your app. In `Program.cs`, complete the following steps to register a client class and `DefaultAzureCredential`: + +1. Include the `Azure.Identity` and `Microsoft.Extensions.Azure` namespaces via `using` directives. +1. Register the Azure service client using the corresponding `Add`-prefixed extension method. +1. Pass an instance of `DefaultAzureCredential` to the `UseCredential` method. + +> [!NOTE] +> For a user-assigned managed identity, make sure to assign the identity's `clientId` value to the `ManagedIdentityClientId` property on the `DefaultAzureCredentialOptions` object. This enables your code to discover the correct identity to use for authentication while running in azure. + +For example: + +```c# +using Microsoft.Extensions.Azure; +using Azure.Identity; + +builder.Services.AddAzureClients(clientBuilder => +{ + clientBuilder.AddBlobServiceClient( + new Uri("https://.blob.core.windows.net")); + clientBuilder.UseCredential(new DefaultAzureCredential( + new DefaultAzureCredentialOptions() + { + ManagedIdentityClientId = "" + })); +}); +``` + +An alternative to `UseCredential` is to instantiate `DefaultAzureCredential` directly: + +```c# +using Azure.Identity; + +builder.Services.AddSingleton(_ => + new BlobServiceClient( + new Uri("https://.blob.core.windows.net"), + new DefaultAzureCredential(new DefaultAzureCredentialOptions() + { + ManagedIdentityClientId = "" + }))); +``` + +When the preceding code runs on your local development workstation, `DefaultAzureCredential` looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. Either approach can be used to authenticate the app to Azure resources during local development. + +When deployed to Azure, this same code can also authenticate your app to other Azure resources. `DefaultAzureCredential` can retrieve environment settings and managed identity configurations to authenticate to other services automatically. diff --git a/docs/azure/sdk/includes/managed-identity-concepts.md b/docs/azure/sdk/includes/managed-identity-concepts.md new file mode 100644 index 0000000000000..cf0a596178290 --- /dev/null +++ b/docs/azure/sdk/includes/managed-identity-concepts.md @@ -0,0 +1,11 @@ +## Essential managed identity concepts + +A managed identity enables your app to securely connect to other Azure resources without the use of secret keys or other application secrets. Internally, Azure tracks the identity and which resources it's allowed to connect to. Azure uses this information to automatically obtain Microsoft Entra tokens for the app to allow it to connect to other Azure resources. + +There are two types of managed identities to consider when configuring your hosted app: + +- **System-assigned** managed identities are enabled directly on an Azure resource and are tied to its life cycle. When the resource is deleted, Azure automatically deletes the identity for you. System-assigned identities provide a minimalistic approach to using managed identities. +- **User-assigned** managed identities are created as standalone Azure resources and offer greater flexibility and capabilities. They're ideal for solutions involving multiple Azure resources that need to share the same identity and permissions. For example, if multiple virtual machines need to access the same set of Azure resources, a user-assigned managed identity provides reusability and optimized management. + +> [!TIP] +> Learn more about selecting and managing system-assigned managed identities and user-assigned managed identities in the [Managed identity best practice recommendations](/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations) article. diff --git a/docs/azure/sdk/includes/sdk-auth-overview-managed-identity.md b/docs/azure/sdk/includes/sdk-auth-overview-managed-identity.md index 190af968ae58e..cef0e11aa64ec 100644 --- a/docs/azure/sdk/includes/sdk-auth-overview-managed-identity.md +++ b/docs/azure/sdk/includes/sdk-auth-overview-managed-identity.md @@ -3,4 +3,4 @@ Apps hosted in Azure should use a **Managed Identity service principal**. Manage For example, a .NET web app hosted in Azure App Service would be assigned a Managed Identity. The Managed Identity assigned to the app would then be used to authenticate the app to other Azure services.

> [!div class="nextstepaction"] -> [Learn about auth from Azure-hosted apps](../authentication/azure-hosted-apps.md) +> [Learn about auth from Azure-hosted apps](../authentication/index.md) diff --git a/docs/azure/sdk/media/add-role-assignment.png b/docs/azure/sdk/media/add-role-assignment.png new file mode 100644 index 0000000000000..702c5ec7d9c23 Binary files /dev/null and b/docs/azure/sdk/media/add-role-assignment.png differ diff --git a/docs/azure/sdk/media/add-user-assigned-identity-to-app.png b/docs/azure/sdk/media/add-user-assigned-identity-to-app.png new file mode 100644 index 0000000000000..b46ed38c9b590 Binary files /dev/null and b/docs/azure/sdk/media/add-user-assigned-identity-to-app.png differ diff --git a/docs/azure/sdk/media/user-assigned-identity-assign-roles.png b/docs/azure/sdk/media/user-assigned-identity-assign-roles.png new file mode 100644 index 0000000000000..c1df4617ba847 Binary files /dev/null and b/docs/azure/sdk/media/user-assigned-identity-assign-roles.png differ diff --git a/docs/azure/sdk/media/user-assigned-identity-create.png b/docs/azure/sdk/media/user-assigned-identity-create.png new file mode 100644 index 0000000000000..eeff0f99f86d0 Binary files /dev/null and b/docs/azure/sdk/media/user-assigned-identity-create.png differ diff --git a/docs/azure/sdk/media/user-assigned-identity-form.png b/docs/azure/sdk/media/user-assigned-identity-form.png new file mode 100644 index 0000000000000..c34459df23f87 Binary files /dev/null and b/docs/azure/sdk/media/user-assigned-identity-form.png differ