Setting up Managed Identity

Get an overview of Managed Services Identities (MSI) and learn how to set them up.

Managed Services Identities (MSI)

Managed Services Identities (MSI) is a service that allows your applications or functions to access other Azure resources. MSI is built on service principals and OAuth2. In our case, the Function app needs access to the storage queue.

When MSI is enabled for your resource, Azure creates a service principal for it in Azure Active Directory. This principal has no permissions assigned by default, so we need to grant the required permission explicitly. This will be the last step of the pipeline.

Once the principal exists and the required permission is assigned, MSI works through the OAuth2 token-based flow. Before accessing the storage queue, the Function app's service principal presents its credentials to Azure Active Directory (AAD) and receives a JWT token. The function then sends this token to the storage queue, which has it validated by AAD before granting the function access. The whole process can be visualized as such:
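As an added example (not part of this lesson or of any Azure SDK), the exchange above is modelled offline: the principal authenticates to AAD, the queue validates the token, and only then checks the role assignment. The tenant issuer, principal id and HMAC signing key are constructed placeholders; real AAD tokens are RSA-signed with published keys, and `Storage Queue Data Contributor` is the built-in role assumed for sending messages.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins so the flow runs offline; AAD really signs with RSA.
AAD_ISSUER = "https://sts.windows.net/example-tenant/"       # placeholder tenant
AAD_SIGNING_KEY = b"constructed-signing-key"                 # stand-in for AAD key
STORAGE_AUDIENCE = "https://storage.azure.com/"              # Azure Storage resource
FUNCTION_PRINCIPAL_ID = "00000000-0000-0000-0000-00000000f00d"  # placeholder oid

# Role assignments live outside the token: the identity exists as soon as MSI is
# enabled, but the queue grants nothing until this table has an entry for it.
ROLE_ASSIGNMENTS = {}  # principal id -> set of roles on the storage account


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def aad_issue_token(principal_id: str, audience: str, ttl: int = 3600) -> str:
    """Step 1: the Function app's service principal authenticates to AAD and
    receives a signed JWT scoped to the resource it wants to call."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": AAD_ISSUER, "aud": audience, "oid": principal_id,
              "exp": int(time.time()) + ttl}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(AAD_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def storage_queue_handle(token: str, operation: str) -> int:
    """Steps 2-3: the queue validates the token (authentication) and then checks
    the caller's role assignment (authorization). Returns an HTTP-style status."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(AAD_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), sig):
            return 401  # signature does not verify: not issued by AAD
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, json.JSONDecodeError):
        return 401
    if claims.get("iss") != AAD_ISSUER or claims.get("aud") != STORAGE_AUDIENCE:
        return 401  # genuine token, but not issued for this resource
    if claims.get("exp", 0) < time.time():
        return 401  # expired
    roles = ROLE_ASSIGNMENTS.get(claims.get("oid"), set())
    if operation == "send" and "Storage Queue Data Contributor" in roles:
        return 200
    return 403  # authenticated identity, but no role assigned yet
```

Until the role assignment (the pipeline's last step) is added to `ROLE_ASSIGNMENTS`, a perfectly valid token still yields 403, which is the distinction between the identity existing and the identity being authorized.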
