Managed identities for Azure resources eliminate the need to manage credentials in code. You can use them to get a Microsoft Entra token for your applications. The applications can use the token when accessing resources that support Microsoft Entra authentication. Azure manages the identity so you don't have to.
There are two types of managed identities: system-assigned and user-assigned. System-assigned managed identities have their lifecycle tied to the resource that created them. This identity is restricted to only one resource, and you can grant permissions to the managed identity by using Azure role-based access control (RBAC). User-assigned managed identities can be used on multiple resources.
In this article, you learn how to create, list, delete, or assign a role to a user-assigned managed identity by using the Azure CLI.
Prerequisites
- If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and user-assigned managed identity.
- If you don't already have an Azure account, sign up for a free account before you continue.
Prepare your environment
Use the Bash environment in Azure Cloud Shell. For more information, see Get started with Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Authenticate to Azure using Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use and manage extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
To modify user permissions when you use an app service principal by using the CLI, you must provide the service principal more permissions in the Azure Active Directory Graph API because portions of the CLI perform GET requests against the Graph API. Otherwise, you might end up receiving an "Insufficient privileges to complete the operation" message.
To do this step,
- Go into the App registration in Microsoft Entra ID, select your app, select API permissions, and scroll down and select Azure Active Directory Graph.
- Select Application permissions, and then add the appropriate permissions.
Create a user-assigned managed identity
To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.
Use the az identity create command to create a user-assigned managed identity. The -g parameter specifies the resource group in which to create the user-assigned managed identity. The -n parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values.
Important
When you create user-assigned managed identities, the name must start with a letter or number, and may include a combination of alphanumeric characters, hyphens (-) and underscores (_). For the assignment to a virtual machine or virtual machine scale set to work properly, the name is limited to 24 characters. For more information, see FAQs and known issues.
az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
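The following script is an added example, not part of the original article: it wraps az identity create with a check that enforces the naming rules from the Important note before any call reaches Azure, and adds a list helper that filters on the identity type. The resource group and identity name are placeholders supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft Learn article). Wraps the create
# step with a name check that mirrors the article's naming rules.
# The resource group and identity name are placeholders the caller supplies.

# Returns 0 when NAME is acceptable for a user-assigned managed identity
# that will be assigned to a VM or virtual machine scale set:
#   - starts with a letter or digit
#   - contains only letters, digits, hyphens (-) and underscores (_)
#   - is at most 24 characters long
validate_identity_name() {
  local name="$1"
  [ -n "$name" ] || return 1
  [ "${#name}" -le 24 ] || return 1
  case "$name" in
    [A-Za-z0-9]*) ;;                # first character must be a letter or digit
    *) return 1 ;;
  esac
  case "$name" in
    *[!A-Za-z0-9_-]*) return 1 ;;   # any other character is rejected
  esac
  return 0
}

# Validates the name, then runs `az identity create` and prints only the
# fields a later role assignment or VM assignment needs.
create_user_assigned_identity() {
  local rg="$1" name="$2"
  if ! validate_identity_name "$name"; then
    echo "refusing to create identity: name '$name' violates the naming rules" >&2
    return 1
  fi
  az identity create -g "$rg" -n "$name" \
    --query '{id:id, principalId:principalId, clientId:clientId}' -o json
}

# Lists identity names in the group, filtering on the "type" key that
# marks user-assigned managed identities in the az identity list output.
list_user_assigned_identity_names() {
  local rg="$1"
  az identity list -g "$rg" \
    --query "[?type=='Microsoft.ManagedIdentity/userAssignedIdentities'].name" -o tsv
}

# Usage (placeholders):
#   create_user_assigned_identity "<RESOURCE GROUP>" "<USER ASSIGNED IDENTITY NAME>"
#   list_user_assigned_identity_names "<RESOURCE GROUP>"
```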
List user-assigned managed identities
To list or read a user-assigned managed identity, your account needs the Managed Identity Operator or Managed Identity Contributor role assignment.
To list user-assigned managed identities, use the az identity list command. Replace the <RESOURCE GROUP> value with your own value.
az identity list -g <RESOURCE GROUP>
In the JSON response, user-assigned managed identities have the "Microsoft.ManagedIdentity/userAssignedIdentities" value returned for the key type.
"type": "Microsoft.ManagedIdentity/userAssignedIdentities"
Delete a user-assigned managed identity
To delete a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.
To delete a user-assigned managed identity, use the az identity delete command. The -n parameter specifies its name. The -g parameter specifies the resource group where the user-assigned managed identity was created. Replace the <USER ASSIGNED IDENTITY NAME> and <RESOURCE GROUP> parameter values with your own values.
az identity delete -n <USER ASSIGNED IDENTITY NAME> -g <RESOURCE GROUP>
Deleting a user-assigned managed identity won't remove the reference from any resource it was assigned to. Remove those references from the resource itself. For example, for a VM or virtual machine scale set, use the az vm identity remove or az vmss identity remove command.
Related content
For a full list of Azure CLI identity commands, see az identity.