Can a system-assigned managed service identity be added to an AAD group?
I have an Azure Data Factory V2 service running with an MSI identity. This service needs to access a Data Lake Gen 1 with thousands of folders and millions of files.

For efficiency, we have a group assigned to the root of the data lake which has RX permissions and these are inherited and defaulted throughout the tree.

I'd like to add the above ADF MSI to this group and I cannot figure out how to via the portal AAD blade.

I can assign this MSI to the datalake directly but it then has to update millions of files which is slow and error prone (the blade needs to be kept open while the permissions are applied and this often fails over the hours it takes due to a network glitch).

Mark.

Underage asked 29/10, 2018 at 19:02
Yes. You can add a system assigned managed identity to an Azure AD group. See this link, for how it can be achieved via PowerShell: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql#create-a-group-in-azure-ad-and-make-the-vms-system-assigned-managed-identity-a-member-of-the-group

Gros answered 29/10, 2018 at 23:18
Underage: Thank you! Buried in that doc relating to SQL and VMs, the answer is this can be done in PowerShell, not the portal. I asked the doc team to see if they would surface this in a more visible way (like a general How-To article). I created a generalized script to add an MSI service principal to an AAD group.
Gros: Thanks for the feedback. We will look into adding a how-to for this.
Economy: How about if I want my managed identity to use the SharePoint API, how do I add the managed identity to the member group?
Buffington: The documentation this refers to has been changed and no longer talks about assigning members to groups.
Kerge: @TomW - here is the change - github.com/MicrosoftDocs/azure-docs/commit/…
This is also possible using the Azure CLI now:

az ad group member add --group <Group Object ID or Name> --member-id <Object ID of your managed identity>
Myrtice answered 24/7, 2021 at 18:14
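An added example, not code from the original post or from Microsoft's docs, that does the same job as the az command above and the PowerShell approach in the accepted answer, using the Az PowerShell module: it resolves the factory's system-assigned identity by object ID rather than display name, refuses to continue if the group name is ambiguous, skips the add if the identity is already a member, and verifies the result. The resource group, factory and group names are placeholders, and the script assumes the Az.Accounts, Az.Resources and Az.DataFactory modules are installed and Connect-AzAccount has been run with an account that is allowed to change the group's membership.

```powershell
# Added example (not from the original post): add an Azure Data Factory V2
# system-assigned managed identity to an Azure AD group with the Az module,
# then verify the membership. All names below are assumed placeholders.
# Requires Az.Accounts, Az.Resources and Az.DataFactory; run Connect-AzAccount
# first with an account that may modify the group (owner or a directory role
# such as Groups Administrator).

param(
    [string]$ResourceGroupName = 'rg-data',          # assumed
    [string]$DataFactoryName   = 'adf-ingest',       # assumed
    [string]$GroupDisplayName  = 'datalake-readers'  # assumed: the group holding RX on the lake root
)

$ErrorActionPreference = 'Stop'

# 1. Resolve the factory's system-assigned identity. Group membership is keyed
#    on the principal's object ID; display names are not guaranteed unique.
$factory     = Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroupName -Name $DataFactoryName
$principalId = $factory.Identity.PrincipalId
if (-not $principalId) {
    throw "Data factory '$DataFactoryName' has no system-assigned identity enabled."
}

# 2. Resolve the group and insist on exactly one match. Adding the identity to
#    a same-named group would grant the wrong permissions without any error.
$groups = @(Get-AzADGroup -DisplayName $GroupDisplayName)
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)."
}
$group = $groups[0]

# 3. Add the identity only if it is not already a member, so re-runs are idempotent.
$alreadyMember = Get-AzADGroupMember -GroupObjectId $group.Id |
    Where-Object { $_.Id -eq $principalId }
if ($alreadyMember) {
    Write-Host "Identity $principalId is already a member of '$GroupDisplayName'."
} else {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $principalId
    Write-Host "Added identity $principalId to group '$GroupDisplayName'."
}

# 4. Verify the membership was actually written, rather than trusting the call.
$member = Get-AzADGroupMember -GroupObjectId $group.Id |
    Where-Object { $_.Id -eq $principalId }
if (-not $member) {
    throw "Verification failed: identity $principalId is not a member of '$GroupDisplayName'."
}
Write-Host "Verified: $($member.DisplayName) ($principalId) is a member of '$GroupDisplayName'."
```

Two practical caveats. Group claims are put into a token when it is issued, so a factory that already holds a token keeps its old claims until it fetches a new one; if the first pipeline run after adding the membership still fails with an authorization error, let the token roll over before concluding the ACL on the lake is wrong. And this only grants what the group already has: in the setup described in the question the group must be in the root ACL with default (inherited) entries, otherwise the new member gets nothing below the root. Older Az.Resources releases expose the group's identifier as ObjectId rather than Id; adjust the property name if the lookup returns nothing.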

© 2022 - 2024 — McMap. All rights reserved.