Azure AD Managed Service Identity Helps Coders Protect Credentials

Developers can now get access to Azure cloud services without placing credential information into their code.

Azure Cloud Credentials

Microsoft wants to make the practice of including cloud credentials as part of an application's code a thing of the past with its new Azure Active Directory (AD) Managed Service Identity (MSI) offering.

Applications often need to authenticate to cloud services, but managing and securing those credentials can be challenge while they wend their way across a software development environment. Organizations that strictly control access to their IT resources may not want their cloud credentials getting checked into a source control management solution or lingering on a developer workstation, explained Stuart Kwan, principal program manager of Azure Active Directory at Microsoft, in a blog post.

To help plug this security hole, Microsoft has released a preview of its new Azure AD Managed Service Identity offering.

"When you enable MSI for an Azure service such as Virtual Machines, App Service, or Functions, Azure creates a Service Principal for the instance of the service in Azure AD, and injects the credentials (client ID and certificate) for the Service Principal into the instance of the service," explained Kwan.

A developer's code can then request an access token from a local MSI endpoint, after which the service "uses the locally injected credentials to get an access token from Azure AD," continued Kwan. Finally, the application code can use the access token produced during this process for authenticated access to an Azure service without developers or their code being exposed to the credentials.

Currently, the Azure AD Managed Service Identity preview is available for both the Linux and Windows flavors of Azure Virtual machines, as well as the company's app hosting system, Azure App Service and its serverless compute service, Azure Functions. And the service won't cost customers extra, added Kwan. Azure AD Managed Service Identity is part of Azure AD Free, which is included with every Azure subscription, he said.

Meanwhile, Azure AD users will want to familiarize themselves with the new Admin Center before the classic management experience is retired this fall.

In May, Microsoft announced the general availability of the new Azure AD Admin Center, a replacement for the Azure AD tools found in the classic Azure portal, but maintained the old tools while administrators made the transition. According to Microsoft, more than 800,000 users have already made the jump.

Now, the clock is ticking for the remaining holdouts.

Microsoft is pulling the plug on the legacy Azure AD administration experience within the Azure portal on Nov. 30, said Alex Simons, director of program management at Microsoft's Identity Division, in a Sept. 18 announcement. The few remaining tasks that have yet to make the transition to Azure AD Admin Center will be ported over well ahead of the deadline, he stated.

"Now, the Azure AD admin center is where you can go to find admin experiences for the latest and greatest Azure AD capabilities. By focusing on the Azure AD admin center, we can make our admin experiences more consistent, and easier to use. And we can deliver them faster," stated Simons.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...