Azure Managed Identities and Service Principals and talked about regularly, in this blog I will go into briefly which each is and the main difference between a managed identity and service principal.
Keeping credentials safe and secure has always been a priority, even more so when in the cloud – quite a potential challenge this can be within your application, virtual machine or requirements to authenticate to additional cloud services.
What is an Azure Service Principal?
Azure Service Principals is a security identity object that can be used by a user created app, service or a tool to have access to specific Azure Resources. Service Principals stop you from creating a “fake” user in your Azure Active Directory to access a specific service. Instead, you would wanting to be creating a service principal.
The service principals access can be restricted by assigning Azure roles so that they can access the specific set of resources only.
Note:- Azure Service principals password/certificate expire after 1-2 years, when you create a service principal it defaults to 1 year, you can look at increasing this expiry date to 2 years.
What are Azure Managed Identities?
Very similar to Azure Service Principals, they are spoken about a lot because they really are the preferred approach to manage the “security identity” mentioned above, they remove any need for you to create and manage a service principal. When you configure a managed identity; this is created automatically for you!
There are two types of managed identities, system-assigned managed identity & user-assigned managed identity
System-assigned managed identity – This identity is enabled on the Azure service, giving the actual service an identity within Azure AD.
Note:- This service identity within Azure AD is only active until the instance has been deleted or disabled. Once this happens, Azure will automatically clean up the service identity within Azure AD.
User-assigned managed identity – A standalone resource, creates an identity within Azure AD that can be assigned to one or more Azure service instances.
Note:-Cleaning up of this identity is not completed automatically and requires user input to cleanup
Read further about Azure Managed Identities in my blog post here
A blog post I created “Securing your secrets using Azure Key Vault and Virtual Machine Managed Identity” to show an example of using an Azure Managed Identity
The difference between Azure Service Principal & Azure Managed Identities?
The biggest difference between both is that Azure Managed identities manage the initial creation of the service principal and automatic renewal of the service principal without any additional workload required – they are great and highly recommended to be used!