Deploy a managed identity with Azure policy

Hi everyone,

Welcome to this new blog post where I will take a look at how to easily deploy managed identities. A managed identity can be used to give Azure resources access to other resource and combine it with RBAC. The benefit of these identities is that the IT admin doesn’t need to maintain a password. More info can be found here. These identities are often needed to enable other Azure services like:

  • Azure Monitor Agent via policy
  • Azure Backup via policy

Of course, it’s possible to deploy these identities together with the virtual machines but it can also be automated with Azure policy. In this blogpost we will take a look at a policy definition that is currently in preview. The IT admin can duplicate the policy to create multiple versions of this policy so multiple managed identities can be deployed.

Let’s take a look how to configure this. Go Azure portal > Policy and search for the policy using the search field

Select the policy and click Assign.

The first selection to make is the Scope of the policy. It’s best to assign this on a management group but it can also be assigned to a subscription. In this example it is scoped on the top level company management group.

Let’s skip the advanced tab and go to the parameters blade. Here the IT admin can specify if he/her uses an existing managed identity. Let’s select the existing user assigned managed identity that will be used for Azure backup.

The remediation tab can be configured to use an existing identity or to create a new one and choose the scope, in this case a subscription.

Let’s review and create 

You will see the following notifications

Be aware that as mentioned in the notifications, that it can takes up to 15min before the policy is processed.

Now that the policy has been assigned, the IT admin can start a remediation task for the already existing resources, otherwise the policy will only have effect on new machines.

When the IT admin creates a new remediation task, the machines that can get the identity will be listed.

The process of the remediation can be followed to make sure that all the machines are done.

To confirm the IT admin can view the deployed user assigned managed identity on the virtual machine.

There you go, the power of Azure policy at work. Using Azure policy is much easier to get all the resources compliant to your organization, create more structure, add security and much more.

Feel free to contact me in case you have any questions by leaving a comment here or to contact me on my socials. Until next time.

Author

  • Johan Vanneuville is a Microsoft MVP for Microsoft Enterprise Mobility from Belgium and he is one of the first expert contributors in this community. Make sure to follow him as he guides us in the world of Azure Virtual Desktop, Infrastructure-as-Code and Terraform!

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *