Implementing managed identities for Azure resources service principal authentication

You can enable MSI for your Azure resources in the Azure portal, with PowerShell or the Azure CLI, or by using ARM templates. In this demonstration, we are going to enable it in the Azure portal for the Azure web app that we created earlier in this chapter:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. Go to PacktWebApp, which we created earlier.
  3. From the overview blade of the web app, in the left menu under Settings, click Identity.
  4. In the next blade, you can create a system-assigned or user-assigned managed identity. We are going to create a System assigned identity for this demo. Change the status to On and click Save:

Managed identity settings
  5. When the managed identity has been created, we can assign it permissions to access the Key Vault. Therefore, we first need to create the Key Vault. We will add the Key Vault to the same resource group that the web app is in, using the Azure CLI. Open Cloud Shell and enter the following command:
     az keyvault create --name WebAppEncryptionVault -g "PacktAppServicePlan"
  6. Once the Key Vault is created, navigate to it in the Azure portal. In the left menu, click Access control (IAM). Then click Add a role assignment:

Add a role assignment
  7. Then add the following values:
    • Role: Key Vault Contributor.
    • Assign access to: Under System assigned managed identity, select App Service.
    • Subscription: Pick the subscription in which the web app was created.
  8. Then, you can select the managed identity that we created for the web app:

Add a role to the managed identity
  9. Select the managed identity and click Save.
  10. The managed identity now has access to the Key Vault.

From your custom code, you can call the MSI endpoint to get an access token that authenticates the Azure resource as well. For .NET applications, you can use the Microsoft.Azure.Services.AppAuthentication library to accomplish this. You can also do this by calling the RESTful API directly, but then you have to build the request manually.

For a sample application, you can refer to the page at https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet.
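As an added example (not code from this book or from the linked sample), the following .NET code reads a secret from the vault created above using the web app's system-assigned managed identity, so no credential is stored in code or configuration. The vault URL, the secret name, and the use of the Microsoft.Azure.KeyVault client package alongside Microsoft.Azure.Services.AppAuthentication are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Reads secrets from Key Vault with the web app's managed identity.
// On App Service, AzureServiceTokenProvider talks to the local MSI endpoint;
// the token never appears in app settings or source control.
public static class KeyVaultSecretReader
{
    // Assumed: DNS name of the WebAppEncryptionVault vault created above.
    private const string VaultUrl = "https://webappencryptionvault.vault.azure.net/";

    // Resource identifier for the Key Vault data plane.
    private const string KeyVaultResource = "https://vault.azure.net";

    // Returns a raw bearer token for Key Vault; useful when you call the
    // Key Vault REST API yourself instead of using the client library.
    public static async Task<string> GetKeyVaultTokenAsync()
    {
        var tokenProvider = new AzureServiceTokenProvider();
        // The provider caches tokens and refreshes them before expiry.
        return await tokenProvider.GetAccessTokenAsync(KeyVaultResource);
    }

    // Returns the value of a secret, e.g. "DbConnectionString" (assumed name),
    // obtaining the token via the managed identity on every request.
    public static async Task<string> GetSecretAsync(string secretName)
    {
        var tokenProvider = new AzureServiceTokenProvider();

        using (var kvClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback)))
        {
            var bundle = await kvClient.GetSecretAsync(VaultUrl, secretName);
            return bundle.Value;
        }
    }
}
```

Note that Key Vault Contributor is a management-plane role: for GetSecretAsync to succeed, the identity also needs data-plane rights on the vault (an access policy with Get permission on secrets, or the Key Vault Secrets User role when the vault uses the RBAC permission model).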