Azure Fundamentals · Lesson

Managed Identity for Passwordless Auth

Assign a system-assigned managed identity to a VM or App Service, grant it RBAC access to Key Vault and Blob Storage, and eliminate secrets from your application code.

The Problem with Stored Credentials

Traditionally, applications connect to Azure services such as Storage or Key Vault with connection strings or API keys kept in configuration files or environment variables. Those credentials are long-lived bearer secrets: anyone who obtains them can use them, and they leak in predictable ways, committed to source control, written to logs, or copied out during a breach. Managed Identity removes the need for the application to store a credential at all. The platform holds the identity's credential and rotates it, and the application requests a short-lived access token from a local endpoint at runtime. A token that does leak expires on its own, and there is no long-lived secret left in the deployment artefacts to find.

What Is a Managed Identity?

A Managed Identity is a service principal in Microsoft Entra ID that the platform creates and maintains on behalf of an Azure resource (a VM, App Service, Function App and so on). Azure manages the identity's credential and rotates it, so your code never handles a password or secret. A system-assigned identity, the kind this lesson uses, is created with the resource and deleted with it; a user-assigned identity is a standalone resource that can be attached to several. At runtime the application asks a local, non-routable endpoint for a short-lived OAuth 2.0 access token scoped to a target resource (Storage, Key Vault, Azure Resource Manager) and presents it as a Bearer token to that service. On VMs and scale sets the endpoint is the Azure Instance Metadata Service (IMDS) at http://169.254.169.254, which requires the Metadata: true request header; App Service and Functions expose the same flow through a local endpoint published in the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables, and the Azure SDK credential classes (DefaultAzureCredential, ManagedIdentityCredential) pick the right one. Two points matter in practice. The token confers exactly the access granted to the identity through RBAC role assignments, so assign narrow data-plane roles (for example Storage Blob Data Reader on one container, Key Vault Secrets User on one vault) rather than broad control-plane roles. And any code running on the resource, including an attacker who can make the application issue arbitrary HTTP requests (SSRF), can ask the endpoint for a token; the mandatory header blocks the simplest forgeries, but the identity's permissions are the blast radius of a compromise of that resource.

# Get a token from IMDS (runs inside an Azure VM or scale set instance;
# App Service and Functions use the IDENTITY_ENDPOINT/IDENTITY_HEADER endpoint instead).
# The Metadata: true header is mandatory. The JSON response carries access_token,
# expires_on (epoch seconds), resource and token_type.
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/' \
  -H 'Metadata: true'
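The same flow carried through in Python, as an added example rather than code from the lesson: choosing between the IMDS and App Service endpoints, validating the response, inspecting the token's audience and expiry, and refreshing before it lapses. Only fetch_token touches the network; everything else runs offline against a constructed sample response whose token is deliberately fake and unsigned (the api-version values and header names are the documented ones; the sample claims and object id are made up).

```python
"""Managed-identity token handling (added example, not code from the lesson).
Only fetch_token touches the network; the rest runs offline against a
constructed sample response."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"          # version used by the curl command above
APP_SERVICE_API_VERSION = "2019-08-01"   # version used with IDENTITY_ENDPOINT


def build_token_request(resource, env=None):
    """Return (url, headers) for the managed-identity endpoint on this host.

    VMs and scale sets use the link-local IMDS address. App Service and
    Functions publish a local endpoint in IDENTITY_ENDPOINT plus a
    per-instance secret in IDENTITY_HEADER that must be echoed back."""
    env = os.environ if env is None else env
    if "IDENTITY_ENDPOINT" in env and "IDENTITY_HEADER" in env:
        base = env["IDENTITY_ENDPOINT"]
        query = {"api-version": APP_SERVICE_API_VERSION, "resource": resource}
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    else:
        base = IMDS_TOKEN_URL
        query = {"api-version": IMDS_API_VERSION, "resource": resource}
        # IMDS refuses requests without this header, which also defeats the
        # simplest SSRF attempts: most request forgeries cannot set headers.
        headers = {"Metadata": "true"}
    return f"{base}?{urllib.parse.urlencode(query)}", headers


def parse_token_response(body):
    """Validate the endpoint's JSON and normalise expires_on (a string of
    epoch seconds from IMDS) to int. Malformed responses are errors."""
    data = json.loads(body)
    for key in ("access_token", "expires_on", "resource", "token_type"):
        if key not in data:
            raise ValueError(f"token response missing {key!r}")
    if data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    data["expires_on"] = int(data["expires_on"])
    return data


def fetch_token(resource, env=None, timeout=5):
    """Request a token; only meaningful when run on an Azure resource."""
    url, headers = build_token_request(resource, env)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


def decode_jwt_claims(token):
    """Decode a JWT payload for inspection (aud, exp, oid and so on).
    No signature check: the resource server verifies the token. The client
    only confirms it holds a token for the intended audience, and must
    never log the token itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_refresh(expires_on, now=None, skew=300):
    """Refresh a few minutes early so in-flight calls never carry a stale token."""
    now = time.time() if now is None else now
    return expires_on - now <= skew


# Constructed sample for offline use. The token is fake and unsigned; a real
# one is an RS256 JWT issued by Entra ID. The object id is made up.
def _fake_jwt(claims):
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.fakesignature"


SAMPLE_CLAIMS = {"aud": "https://storage.azure.com/", "oid": "constructed-object-id", "exp": 1700003600}
SAMPLE_RESPONSE = json.dumps({
    "access_token": _fake_jwt(SAMPLE_CLAIMS),
    "expires_on": "1700003600",
    "resource": "https://storage.azure.com/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    url, headers = build_token_request("https://storage.azure.com/", env={})
    print(url, headers)
    token = parse_token_response(SAMPLE_RESPONSE)
    print("aud:", decode_jwt_claims(token["access_token"])["aud"])
    print("refresh now?", needs_refresh(token["expires_on"], now=1700003400))
```

Passing env={} forces the IMDS branch, which is what the curl command above exercises; on App Service the two environment variables are present and the same call switches to the X-IDENTITY-HEADER flow. The SDK credential classes do all of this for you, including caching; the point of spelling it out is to see that the only thing the application ever holds is a short-lived token for one audience, and that the token's value is decided by the RBAC assignments on the identity, not by anything in the code.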
