Understanding managed identities

One of the challenges when you build applications for the cloud is how to manage the credentials your code needs for authentication. Keeping those credentials secure is key, so ideally they never appear on developer workstations and are never checked into source control. You can use Azure Key Vault to store credentials, keys, and secrets securely, but the application still needs to authenticate to Key Vault to retrieve them.

Managed identities solve this problem. They are a feature of Azure AD that provides Azure services with an automatically managed identity in Azure AD. You can then use this identity to authenticate to every service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

When you enable managed identities on your Azure resource, such as a virtual machine, Azure Function, or app, Azure will create a service principal and store the credentials of that service principal on the Azure resource itself. When it is time to authenticate, a Managed Service Identity (MSI) endpoint is called, passing your current Azure AD credentials and a reference to the specific resource.

Managed identities then retrieve the stored credentials from the Azure resource, pass them to Azure AD, and obtain an access token that can be used to authenticate to the target Azure resource or service.

You should note that the service principal is only known inside the boundaries of the specific Azure resource where it is stored. If it needs permissions for other resources as well, you should assign the appropriate role using role-based access control (RBAC) in Azure AD.

There are two types of managed identities:

  • System-assigned managed identity: This identity is enabled directly on an Azure service instance. It is directly tied to the Azure service where it is created. It cannot be reused for other services. When the Azure service is deleted, the managed identity is deleted as well.
  • User-assigned managed identity: This identity is created as a standalone Azure resource. After the identity is created, it can be assigned to one or more Azure service instances. Deleting the Azure service will not delete the managed identity.
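As an added example (not code from the book), the following Python shows what the token flow described above looks like from the workload's side: the request sent to the managed identity (MSI) endpoint, how a user-assigned identity is selected with its client_id, and the checks a caller should apply to the response before using the token. It assumes the Azure VM Instance Metadata Service endpoint and response format; the sample response is constructed and contains no real token.

```python
import json
import time
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request

# Public Azure Instance Metadata Service (IMDS) token endpoint used by the
# managed identity flow on a VM (App Service exposes the same flow through the
# IDENTITY_ENDPOINT / IDENTITY_HEADER environment variables instead).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource: str, client_id: Optional[str] = None) -> Request:
    """Build the request that asks the MSI endpoint for a token for `resource`.

    No secret appears in code: the endpoint is reachable only from inside the
    Azure resource and looks up the service principal's credentials itself.
    A system-assigned identity needs only the resource; a user-assigned
    identity is selected by also passing its client_id."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    # IMDS requires the Metadata header and rejects requests without it.
    return Request(f"{IMDS_TOKEN_URL}?{urlencode(params)}", headers={"Metadata": "true"})


def parse_token_response(body: str, expected_resource: str,
                         now: Optional[float] = None) -> dict:
    """Validate a token response; reject a token for another resource or one
    that expires within a minute, so callers refresh instead of failing later."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    if data.get("resource") != expected_resource:
        raise ValueError(f"token is for {data.get('resource')!r}, not {expected_resource!r}")
    expires_on = int(data["expires_on"])  # Unix seconds, returned as a string
    now = time.time() if now is None else now
    if expires_on <= now + 60:
        raise ValueError("token expired or about to expire; request a new one")
    return {"access_token": data["access_token"], "expires_on": expires_on,
            "authorization": f"Bearer {data['access_token']}"}


# Constructed sample response in the shape IMDS returns; not a real token.
SAMPLE_RESPONSE = json.dumps({"access_token": "CONSTRUCTED.SAMPLE.TOKEN",
                              "expires_on": "1700003600",
                              "resource": "https://vault.azure.net",
                              "token_type": "Bearer"})
```

The resource check matters because the token is scoped to one service: a token minted for a different resource would be rejected by Key Vault, and a token accepted for the wrong resource would indicate a configuration bug worth alerting on.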

In the next section, we are going to look at how to enable managed identities for a web app.
