Top class explanation. Easy to understand if you are just getting started with Azure🌟
Hey dears! A quick clarification on the video.
For Virtual Machines, the Managed Identity endpoint is actually running outside of the VM and is called IMDS (Azure Instance Metadata Service). The old endpoint was located at localhost docs.microsoft.com/en-us/azure/key-vault/secrets/tutorial-net-linux-virtual-machine?WT.mc_id=AZ-MVP-5003556 but it was deprecated in January 2019. This endpoint is only accessible from within a VM though. My bad here on putting it inside of the VM box, it was supposed to be a logical, not physical, boundary. But it was pointed out that I said "running locally" during the video. Thanks Gregory S. for pointing this out.
I'm watching it a year later -> still good ;-)
THX
watching this video 15 Dec 2022
api-version is still 7.0
On Azure Data Factory, the UI was changed. Go to the Manage tab of the left panel -> Linked Services. There is no shortcut for adding the access policy, but we added it previously, so it's not needed.
When adding a role assignment in the storage account, after you choose the role go next to Members, select Assign access to Managed identity and select your subscription, then Data Factory and your ADF name.
@AdamMarczakYT In the last demo of this video @27:21 we are able to get the connection string. As far as I understand, one of the reasons for using Managed Identity is to discourage sharing/disclosing the connection string directly with the developers. Now using this connection string, anyone can get access to the restricted resources. Am I missing anything here 🤔?
Thanks Adam Nice
No problem!
Not only that your videos are very practical, I really like how you explain various concepts, in this case, how you compared three authentication methods in such a clear way. Splendid work, as always, Adam :)
Awesome! Thanks David, I appreciate it 😊
Hey Adam,
I really enjoy every one of your videos. I think that your 30-minute videos are more worthwhile than Pluralsight / Udemy 3 hr courses.
I have one request: can you create some videos on Docker/AKS?
Wow, thanks! I appreciate that. Container tutorials are a possibility in the future :)
Thanks for the amazing tutorial, Adam. I like the fact that you cover the concepts along with practicals and it hugely helps the learners.
You're very welcome!
Oh man, I learned more in 30 minutes from this than in 3 weeks of trying to navigate the Azure docs. Great explanations and demos! ❤
What if I want to use a user assigned managed identity to connect to an Azure Databricks workspace? How am I supposed to get the bearer token for the workspace using this MI? I am planning to do it via external methods like Python or PowerShell, but I am unable to find any resources. Could you please advise?
I LOVE the diagrams. Those aid my understanding greatly! Also, the simplicity and clarity of your thoughts is priceless.
Glad it was helpful Joe!
Your content is awesome, I would just like to ask you to add chapters on your videos, it really helps to go back to specific chapters without searching for them manually, your first video had chapters.
That's a good idea! I already have chapters in the new videos once I realized UA-cam supports these, might go back to update them for previous videos :)
Is it possible to use Managed Identities for Microsoft Flow connector authentication? For example the connector to O365 Outlook for sending email from Flow, or the SharePoint connector to access data in SHP? I have tested "service principal" in Power Automate/Flow, but it is not possible for sending email or SHP access (only for some other connectors). Maybe Managed Identity can, but there aren't any instructions for Flow.
Thanks Adam for wonderful videos
Glad you like them!
Hello Adam, I have a question. For example, let's say I have a console application that runs on premises under a service account. Can I create the service account in Azure and assign a managed identity to it? Then connect to Key Vault using that service account from on prem?
So we are investigating implementing a similar Azure AD application proxy, i.e. initial user authentication and then acting as a reverse proxy to the internal web applications.
We see this as a requirement to securely allow our employees to access selected internal applications from their own devices from external (internet).
So could you assist please with guidance on how this can be achieved?
Also, how can we enable/implement SMS and email?
Thank you Adam, I enjoy all your videos. I have a quick question for you: do you do private tutorials? If yes, can you share your email and I will contact you. Thanks
Thanks Peter. Unfortunately I don't provide private sessions at this time due to lack of time, but thanks for asking!
Keep posting more videos on Azure AD server
More to come!
Adam, it's great work. Can anyone help me regarding this doubt? My doubt is: can we use managed identity with Notification Hub?
Hi Adam, I saw many of your videos, thanks for putting great effort into your videos. Each video provided a very good understanding of the Azure service along with practical knowledge. I learned a lot from these.
Great to hear that mate :)
How to copy data from a VM to a storage account using system managed identities? Regularly, on a daily basis, without authenticating manually for the copy.
Hey Adam, nice explanation and to the point. One question, can we add identity object id at key level?
thank you.. very nice videos, helped me a lot with AZ900.
Hi Adam, the explanation is very good, short and clean. Hoping I will go through all your remaining videos.
Glad you like them!
Superb explanation, please upload an Event Grid with Angular application example
interesting idea, noted! Thank you :)
Adam, I must say you have a super brain to explain such complex Azure features within just 30 mins with plenty of demos and scenarios. Great work again... Please keep it up... Hope you and your family are safe in whichever geography you live in during the current COVID-19 pandemic. Thanks buddy. Love your Azure videos.
Wow, thanks! You too, stay safe! :)
I agree, For a 30mins Video Tutorial like this definitely a "Super Brain"
that was very helpful. Thank you very much!
Nice video Adam. How can we use managed identities with Logic Apps when the target resource is Windows Defender ATP, as this is not an Azure service? Thanks.
Hi, unfortunately I don't know. I'm not a Windows Defender specialist. I would assume not if it's not protected by Azure AD, since managed identities come from Azure AD. Thanks for watching :)
A big thank you Adam for your detailed explanation and demonstration of Managed Identity, better than any other videos on UA-cam!
Glad it was helpful!
I try to watch other channels, but Adam's way of teaching is unique; it's so cool, the way and the time he spends doing such great material. It's incomparable
Hey, where can I find that script to run on the app service to check the access token?
Every video comes with samples available on GitHub. Link to relevant repository is always in the video description :) Thanks for watching!
Such great content. You have used every second effectively. Thank you 😊
Happy to hear that!
Hi Adam! I am looking for an AZ-204 series from you
very cool explanation! thanks!
Thanks Adam! I finally understood!!
Awesome, thanks!
Thanks a lot for all your amazing videos.
Glad you like them!
I am kind of loving your videos a lot. Every time I want to learn some Azure topic, I just hope you would have one already created on that topic :) Great work. Love your simplicity.
Just a suggestion: from next time, if you can show the demo using the GUI (like creating a project, downloading Microsoft packages, etc.) that would be a great help for someone who doesn't have programming knowledge. Thanks a lot again!
Great suggestion! Thanks for watching!
Nice video Adam. How can we use managed identities with a Function App for accessing a Storage Account securely? Can you point me in the right direction in this scenario?
Not using bindings yet :( github.com/Azure/azure-functions-host/issues/6423 but you can try this docs.microsoft.com/en-us/samples/azure-samples/functions-storage-managed-identity/using-managed-identity-between-azure-functions-and-azure-storage/?WT.mc_id=AZ-MVP-5003556
@@AdamMarczakYT thanks for the input
Great Video as always!
Thanks a lot Man
Great tutorial, just need a little more detail about the OpenID/MI endpoint. Please provide some links if possible.
Thanks for the amazing tutorial, Adam. I like your videos that cover AZ-900 and Active Directory. Your teaching methods are excellent for understanding how the services work on Azure. I like all your videos. Please create more videos on AZ-104.
Your videos are amazing! You explain everything so clearly. In my view that means you have a perfect understanding of what you are doing. Great!!!!
As always it was a great explanation, thanks for sharing
My pleasure!
@adam Marczak -- This is a comprehensive lesson on managed identity, you have touched all the topics that I needed clarification on. Wonderful lesson, and thanks for all you have done!!
Thanks Adam for explaining Managed Identity with Practical examples. That really helps.
In the first demo, why do we not need to get a token from Azure AD?
Great video. You make learning Azure fun!
Glad you think so!
At 7:13 why did you not copy the whole string?
I was searching for local development settings and Managed Identity a couple of months ago. This is awesome. Thank you Adam 💙
Is it possible to use Managed Identity for service to service authentication (app service A calls app service B)?
Of course. The entire point of managed identity is service to service communication. The whole video talks about it and all demos are showing service to service communication. In this, service A is the one you developed and service B is Microsoft Azure services. But nothing stops you from building service B as well.
@@AdamMarczakYT Is there some sample code for web app to web app authentication?
No good end to end guides that I found. I think the topic is too long for a simple tutorial. Best is to follow this video and then check the MS guides on how to generate a token using managed identity and send it with an HTTP request. Then separately check guides on how to secure an API endpoint with Azure AD authentication. Combine the two to get the full picture.
A great way to present this information. I will surely become a fan of your channel quickly. Thanks again for the great video.
Amazing! I was searching for how Azure Key Vault works with ADF and your video explained it all and more. Thank you!
hi
Adam Marczak, Has Microsoft moved the feature "Access Policy" under "Access Control (IAM)" feature to assign System or User Assigned Identity?
You mean for Key Vault? Key Vault now supports two ways to authorize. Either via Access Policies or via Access Control (RBAC roles). RBAC roles are still in preview though. :)
Wow Adam!! This is really very helpful!! Thanks a lot for this amazing video 😊
Hi Adam, I tried following you on Logic Apps to perform HTTPS requests and Data Factory connections. However, those options are not in Azure anymore. Hope you can tell us why. I'm assuming they automated it already or changed its name?
While there's been an upgrade in the Key Vault permissions since this video, much of it still makes perfect sense. This was a good overview, Adam! Indeed it helped me better understand it. Thank you so much.
Hi Adam, thanks so much for the video. Could you advise if it is necessary to use managed identity with key vault, or does managed identity render key vault useless within the same architecture? Thanks!
Amazing work, Thank you, Adam!
My pleasure!
Very well explained. It will clear up the concept of Azure identity.
Excellent and pedagogical video - many thanks!
Can this be used with SSRS?
I am an Azure beginner from Hong Kong. I have been looking for a video like this one for a long time; it's straight to the point, within 30 mins you resolved all my questions already. Thank you so much Adam. Please keep up your good work.
How can I check whether Managed identity has been used in our web app in Azure? Can you please tell me?
Maybe Azure AD audit logs?
Nice. Can we have one video on the difference between managed identity and service principal?
U r cool, but not Azure :)
Excellent.
Thank you! Cheers!
Really so informative
Best video on Managed Identities!
Thanks!! :D
Great video Adam, thanks for all the effort that goes into it.
Would you need a managed identity for ARM so you can refer to Key Vault?
It depends on who deploys this. If you deploy this from your account then you need to have KV permissions, if you deploy from VM using Managed Identity then the same principle applies.
Read more here docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault?WT.mc_id=AZ-MVP-5003556
Good explanation !
Your presentation and animation are the best I have seen.
I am running into problems on how to set up the Office 365 side after setting up Data Factory, not using Key Vault, just a Service Principal key with the SharePoint connector. I have not seen any blogs or videos on this. I was just wondering if it can be done. Great content and presentation on all your videos. Thanks!
Hey, did you go through MS guide on SharePoint connector? It's available in the documentation, just google it. They explain very nicely what you need to do in terms of permission setup. Thanks for tuning in.
@@AdamMarczakYT Thanks Adam, I really appreciate it.
Great tutorial, but how to get MSI_ENDPOINT and MSI_SECRET? I want to get the Azure AD token via MSI for my web app using Node.js, can anyone help me achieve it?
They are available as environment variables, so use process.env to get them.
There is no web server running on the machine for the metadata store. It's a web service running in Azure but only accessible by a non-routable IP address.
For VM yes, since it's running on 169.254.169.254, which suggests an IP within the same network. Also probably some PaaS services work this way too, but I don't think it's publicly stated how they work with MI behind the scenes. On the other hand, App Service has it on 127.0.0.1, suggesting a locally running service. In the end, you are right, I changed my example from the App Service to the VM example so I should have moved it out of the 'Virtual Machine' box, although it was meant to be more logical rather than physical; my fault, shouldn't have done that in retrospect. Cheers! I pinned the clarification comment under the video, thanks.
Loved the tutorial. Great clarity.
How do we use User assigned Identities for resources which have Managed Identities by default like ADF?
ADF does not support user assigned identities. Check this document to see which services do support it: docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities#azure-data-factory-v2?WT.mc_id=AZ-MVP-5003556
Hi Adam, great explanation. I would like to know if I could implement security in the same way explained in the video where service A is hosted in a non-Azure environment and service B is an Azure Function HTTP trigger.
You can utilize Managed Identities and connect to a Key Vault (if that's what you choose to do) from an external service trying to access a resource within Azure by utilizing Azure Arc. Azure Arc "registers" services/resources external to Azure and can assign an identity to them, which you can then use similarly to an Azure based resource/service. You will have to run a PowerShell script (which Azure typically supplies to you) on that external service/resource for Azure to properly register it. An example would be a SQL Server instance running on an EC2 in AWS.
Hi Adam, do you know if there is any way to use managed identities across different tenants? I have only been able to do this using an App registered for multi-tenant use; it seems managed identities can be used only within a single tenant.
Managed Identities are not designed for multi-tenant scenarios. Service Principal /App is currently the only way.
@@AdamMarczakYT thanks for answering and for all your amazing videos 😊
Hi Adam.. this was really helpful and very easy to understand! Just one question from my end: the Logic App was able to retrieve the connection string to the storage account from Key Vault. Can you please guide me with the steps to then connect to the storage account with that connection string and read the file in the storage account?
Hey, check out my Logic Apps tutorial video. It shows how to connect to blob storage from Logic App.
Thanks!
Thanks Adam for sharing the detailed explanation, very helpful.
My pleasure!
Hi, how can I leverage the managed identity when my resource is in another tenant and my Azure AD is in a separate tenant?
Nope, Managed Identities don’t support that. Feel free to check FAQ for official statement docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/known-issues?WT.mc_id=AZ-MVP-5003556
Great tutorial as usual, Adam. Please what do you use for your architectural diagrams?
Just like a true architect I use PowerPoint :D Thanks for watching!
Great Tutorial as always. Please make videos on Azure Networking too.
Thanks, will do!
Thanks Adam. Awesome video. Clearly explained.
My pleasure!
Liked the video before watching it!!! Brother, you have my respect
I appreciate that! That is a big trust and I hope it pays off! Thanks again!
Thanks, this is a great video, your git repo is very useful for study
Glad you think so!
Did I say this guy is awesome? - Your videos are helpful, thank you.
You are very kind! Thank you :)
How to use managed identity when using PHP which doesn't have an Azure SDK?
Make an HTTP call to this REST endpoint, similarly to JavaScript or PowerShell: docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=powershell&WT.mc_id=AZ-MVP-5003556#rest-protocol-examples
@@AdamMarczakYT Thanks for the prompt response. I'm able to get the access token and am making requests to the App Configuration API: docs.microsoft.com/en-us/azure/azure-app-configuration/rest-api-key-value#list-key-values
# App Configuration URI (store name redacted in the original comment; curl needs the scheme)
resource="https://<store-name>.azconfig.io"
# Get an access token from the VM's IMDS endpoint (the Metadata header is mandatory)
access_token="$(curl -s -H Metadata:true \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=${resource}" | \
  jq -r ".access_token")"
# Get the app config key-values using the access token
config="$(curl --silent --get \
  --header "Authorization: Bearer ${access_token}" \
  "${resource}/kv?api-version=1.0")"
Unfortunately config is always empty here. Am I missing something?
Without diving deeper, your code looks more or less OK. If you get a 200 success response from the last curl then I'd try different endpoints as per the docs: docs.microsoft.com/en-us/azure/azure-app-configuration/rest-api-key-value?WT.mc_id=AZ-MVP-5003556 maybe this: /kv?label=*&api-version={api-version}. Anyway, it should work, so you are very close, good luck!
@@AdamMarczakYT I got it working, thanks. Had not assigned the right access role to the system managed identity.
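A Node.js version of the REST flow discussed in this thread and in the MSI_ENDPOINT/MSI_SECRET reply above, added here as an example (it is not code from the video, the channel's GitHub repository, or any commenter). It assumes Node 18+ for the global fetch; the environment values, endpoint port and token below are constructed samples, and the role assignment on the target resource is still required, as the thread shows.

```javascript
// Added example, not code from the video or the comment thread. It shows the
// managed identity REST protocol that the replies above describe, for both
// hosting models: on App Service the token endpoint is a local listener
// advertised through environment variables (IDENTITY_ENDPOINT/IDENTITY_HEADER,
// or the older MSI_ENDPOINT/MSI_SECRET), while on a VM it is IMDS at
// 169.254.169.254, which needs the "Metadata: true" header and no secret.
// Nothing touches the network until requestToken() is called.

const IMDS_TOKEN_URL = 'http://169.254.169.254/metadata/identity/oauth2/token';

// Decide which endpoint applies and build URL + headers. clientId is only
// needed for a user-assigned identity; the system-assigned one is the default.
function buildTokenRequest(resource, env = process.env, clientId = undefined) {
  if (!resource) throw new Error('resource (token audience) is required');
  let kind, url, apiVersion, headers;
  if (env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER) {
    kind = 'app-service';
    url = new URL(env.IDENTITY_ENDPOINT);
    apiVersion = '2019-08-01';
    headers = { 'X-IDENTITY-HEADER': env.IDENTITY_HEADER };
  } else if (env.MSI_ENDPOINT && env.MSI_SECRET) {
    kind = 'app-service-legacy';
    url = new URL(env.MSI_ENDPOINT);
    apiVersion = '2017-09-01';
    headers = { secret: env.MSI_SECRET };
  } else {
    kind = 'imds';
    url = new URL(IMDS_TOKEN_URL);
    apiVersion = '2018-02-01';
    headers = { Metadata: 'true' };
  }
  url.searchParams.set('api-version', apiVersion);
  url.searchParams.set('resource', resource);
  if (clientId) url.searchParams.set('client_id', clientId);
  return { kind, url: url.toString(), headers };
}

// Decode the JWT payload without verifying the signature: diagnostics only,
// e.g. confirming the audience before sending the token to a resource.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// "Token obtained but the call returns nothing" is usually a wrong audience or,
// as in the thread above, a missing role assignment on the target resource.
function tokenIsFor(token, expectedResource) {
  const strip = (s) => s.replace(/\/+$/, '');
  return strip(decodeJwtPayload(token).aud) === strip(expectedResource);
}

async function requestToken(resource, clientId) {
  const req = buildTokenRequest(resource, process.env, clientId);
  const res = await fetch(req.url, { headers: req.headers });
  if (!res.ok) throw new Error(`${req.kind} token endpoint returned HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// Constructed sample values (not a real secret or token) so this runs offline.
const sampleAppServiceEnv = {
  IDENTITY_ENDPOINT: 'http://127.0.0.1:41217/msi/token',
  IDENTITY_HEADER: 'constructed-header-value',
};
const samplePayload = Buffer.from(JSON.stringify({
  aud: 'https://vault.azure.net', oid: '00000000-0000-0000-0000-000000000000',
})).toString('base64').replace(/=+$/, '');
const sampleToken = 'eyJhbGciOiJSUzI1NiJ9.' + samplePayload + '.constructed-signature';

console.log(buildTokenRequest('https://vault.azure.net', sampleAppServiceEnv));
console.log(buildTokenRequest('https://vault.azure.net', {}));
console.log('token audience ok:', tokenIsFor(sampleToken, 'https://vault.azure.net'));
```

On a real host, `await requestToken('https://vault.azure.net')` returns the bearer token to put in the Authorization header, exactly as the curl commands above do.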
As always, great video Adam. Thanks for bringing such marvelous videos week after week.
My pleasure. It's hard but at the same time it's very satisfying seeing comments like this. Thanks!
Thanks Adam, great job on your videos!
Thank you Michell, I appreciate it :)
U r the man!! This is what I was looking for
I hope you meant "man" :D Thanks!
Great Tutorial Adam. Thanks for the videos.
Glad you like them!
Very good tutorial! Thanks a lot! Do you know a way to secure the storage account automatically created when creating a Function App so that it uses managed identity instead of shared access keys?
Good question Robert, unfortunately last time I checked, Managed Identity is not yet supported for WebJobs storage: github.com/Azure/azure-webjobs-sdk/issues/2366
@@AdamMarczakYT Thanks Adam, there are several issues with the security of the WebJobs storage account as it doesn't support activating the storage account firewall. The only way to secure the account is to put it in a VNET, but then you lose the serverless option as you need to go with the premium SKU. Hope they will fix these issues soon.
I hope so too, I love the serverless option but it does add a little complexity when it comes to security.
Great job Adam. Thanks
My pleasure!
Nailed it, awesome explanation as usual.. keep going !!!
Always! Thank you kindly :)
Thanks a lot for the videos !!!
My pleasure!
Excellent. Thanks. Bharat
Thank you! :)