- We have several apps which are built using .NET and are running in VMs (on-prem)
- All apps will be registered to Azure AD.
- Can we use user managed identity to access Key Vault from these on-prem apps?
Thanks in advance
No, you cannot use a Managed Identity from on-prem apps.
[...] a managed identity is a service principal of a special type that may only be used with Azure resources.
To see a list of resources currently supported, see Services that support managed identities for Azure resources.
You can, however, use a Service Principal to connect to Key Vault from an application running on-premises.
To do so, use the portal to create an Azure AD application and service principal that can access resources.
For Service Principals, authentication can be done in two different ways: password-based authentication (application secret) and certificate-based authentication. Using a certificate is recommended, but you can also create an application secret.
To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
If you cannot use managed identity, you instead register the application with your Azure AD tenant, as described on Quickstart: Register an application with the Azure identity platform. Registration also creates a second application object that identifies the app across all tenants.
Azure Arc extends Azure’s management capabilities to resources outside of Azure. This includes servers, Kubernetes clusters, Azure data services, SQL Server instances, and virtual machines hosted in other environments. This allows for a more unified and simplified management experience across your entire infrastructure. It’s a powerful tool for businesses that operate across multiple environments and need a consistent way to manage and govern their resources.
Azure Arc extends Azure management to non-Azure environments. It handles servers, Kubernetes clusters, Azure data services, SQL Server instances, and VMs outside Azure, providing a unified management experience.
Applications or processes running directly on Azure Arc-enabled servers can use managed identities to access other Azure resources that support Microsoft Entra ID-based authentication. An application can obtain an access token representing its identity, which is system-assigned for Azure Arc-enabled servers, and use it as a 'bearer' token to authenticate itself to another service.
Behind the scenes, it is all using the Azure Connected Machine agent. The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/managed-identity-authentication
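An added .NET illustration (not code from either answer) of how the two options above fit together in one on-prem app: the Azure Arc managed identity is tried first and, where the host is not Arc-enabled, the app falls back to the certificate-based service principal recommended in the first answer. The vault name, tenant ID, client ID and certificate path are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example: an on-prem .NET app reading one Key Vault secret.
// Credential order follows the answers above:
//   1. ManagedIdentityCredential  - only succeeds if the VM is Azure Arc-enabled
//      (the Connected Machine agent serves the token endpoint locally);
//      elsewhere it reports "unavailable" and the chain moves on.
//   2. ClientCertificateCredential - service principal with a certificate,
//      the recommended choice for a plain on-prem VM (no client secret in config).
// All identifiers below are placeholders, not real values.
static class KeyVaultAccess
{
    const string VaultUri = "https://<your-vault-name>.vault.azure.net/";
    const string TenantId = "<tenant-id>";
    const string ClientId = "<app-registration-client-id>";
    const string CertPath = @"C:\certs\kv-client.pfx"; // private key stays on the VM

    static TokenCredential BuildCredential()
    {
        // The certificate's public part is uploaded to the app registration;
        // the private key is loaded from the local file/store at run time.
        var cert = new X509Certificate2(CertPath);

        return new ChainedTokenCredential(
            new ManagedIdentityCredential(),                           // Arc-enabled host
            new ClientCertificateCredential(TenantId, ClientId, cert)); // fallback
    }

    // The service principal still needs a Key Vault access policy or RBAC role
    // that grants secret "get"; authentication alone does not authorize the read.
    public static async Task<string> ReadSecretAsync(string secretName)
    {
        var client = new SecretClient(new Uri(VaultUri), BuildCredential());
        KeyVaultSecret secret = await client.GetSecretAsync(secretName);
        return secret.Value;
    }
}
```

Rotating the certificate only requires uploading the new public key to the app registration and replacing the local .pfx; the code does not change.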