Use a Windows VM system-assigned managed identity to access Resource Manager

Managed identities for Azure resources is a feature of Microsoft Entra ID. Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.

This tutorial shows you how to access the Azure Resource Manager API using a Windows virtual machine with system-assigned managed identity enabled. Managed identities for Azure resources are automatically managed by Azure and enable you to authenticate to services that support Microsoft Entra authentication without needing to insert credentials into your code. You learn how to:

  • Grant your VM access to a Resource Group in Azure Resource Manager
  • Get an access token using the VM identity and use it to call Azure Resource Manager

Prerequisites

Enable

Enabling a system-assigned managed identity is a one-click experience. You can either enable it during the creation of a VM or in the properties of an existing VM.

Screenshot shows the System assigned tab for a virtual machine where you can turn on the System assigned status.

To enable a system-assigned managed identity on a new VM:

  1. Sign in to the Azure portal

  2. Create a virtual machine with system-assigned identity enabled

Grant your VM access to a resource group in Resource Manager

Tip

Steps in this article might vary slightly based on the portal you start from.

Using managed identities for Azure resources, your application can get access tokens to authenticate to resources that support Microsoft Entra authentication. The Azure Resource Manager API supports Microsoft Entra authentication. We grant this VM's identity access to a resource in Azure Resource Manager, in this case a Resource Group. We assign the Reader role to the managed-identity at the scope of the resource group.

  1. Sign in to the Azure portal with your administrator account.
  2. Navigate to the tab for Resource Groups.
  3. Select the Resource Group you want to grant the VM's managed identity access.
  4. In the left panel, select Access control (IAM).
  5. Select Add, and then select Add role assignment.
  6. In the Role tab, select Reader. This role allows view all resources, but doesn't allow you to make any changes.
  7. In the Members tab, for the Assign access to, select Managed identity. Then, select + Select members.
  8. Ensure the proper subscription is listed in the Subscription dropdown. And for Resource Group, select All resource groups.
  9. For the Manage identity dropdown, select Virtual Machine.
  10. Finally, in Select choose your Windows Virtual Machine in the dropdown and select Save.

Get an access token using the VM's system-assigned managed identity and use it to call Azure Resource Manager

You'll need to use PowerShell in this portion. If you don’t have PowerShell installed, download it here.

  1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and in the Overview, select Connect.

  2. Enter in your Username and Password for which you added when you created the Windows VM.

  3. Now that you've created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session.

  4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for Azure resources endpoint to get an access token for Azure Resource Manager.

       $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}
    

    Note

    The value of the "resource" parameter must be an exact match for what is expected by Microsoft Entra ID. When using the Azure Resource Manager resource ID, you must include the trailing slash on the URI.

    Next, extract the full response, which is stored as a JavaScript Object Notation (JSON) formatted string in the $response object.

    $content = $response.Content | ConvertFrom-Json
    

    Next, extract the access token from the response.

    $ArmToken = $content.access_token
    

    Finally, call Azure Resource Manager using the access token. In this example, we're also using the Invoke-WebRequest cmdlet to make the call to Azure Resource Manager, and include the access token in the Authorization header.

    (Invoke-WebRequest -Uri https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>?api-version=2016-06-01 -Method GET -ContentType "application/json" -Headers @{ Authorization ="Bearer $ArmToken"}).content
    

    Note

    The URL is case-sensitive, so ensure if you are using the exact same case as you used earlier when you named the Resource Group, and the uppercase "G" in "resourceGroups."

    The following command returns the details of the Resource Group:

    {"id":"/subscriptions/98f51385-2edc-4b79-bed9-7718de4cb861/resourceGroups/DevTest","name":"DevTest","location":"westus","properties":{"provisioningState":"Succeeded"}}
    

Next steps

In this quickstart, you learned how to use a system-assigned managed identity to access the Azure Resource Manager API. To learn more about Azure Resource Manager see: