How to use managed identities for Azure App Configuration
This article shows you how to create a managed identity for Azure App Configuration. A managed identity from Microsoft Entra ID allows Azure App Configuration to easily access other Microsoft Entra protected resources. The identity is managed by the Azure platform. It doesn't require you to provision or rotate any secrets. For more about managed identities in Microsoft Entra ID, see Managed identities for Azure resources.
Your application can be granted two types of identities:
- A system-assigned identity is tied to your configuration store. It's deleted if your configuration store is deleted. A configuration store can only have one system-assigned identity.
- A user-assigned identity is a standalone Azure resource that can be assigned to your configuration store. A configuration store can have multiple user-assigned identities.
Adding a system-assigned identity
Creating an App Configuration store with a system-assigned identity requires an additional property to be set on the store.
Using the Azure CLI
To set up a managed identity using the Azure CLI, use the az appconfig identity assign command against an existing configuration store. You have three options for running the examples in this section:
- Install the latest version of Azure CLI (2.1 or later) if you prefer to use a local CLI console.
The following steps walk you through creating an App Configuration store and assigning it an identity using the CLI:
If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with your Azure subscription:
az cloud set -n AzureChinaCloud
az login
# To return to public Azure, run: az cloud set -n AzureCloud
Create an App Configuration store using the CLI. For more examples of how to use the CLI with Azure App Configuration, see App Configuration CLI samples:
az group create --name myResourceGroup --location chinaeast
az appconfig create --name myTestAppConfigStore --location chinaeast --resource-group myResourceGroup --sku Free
Run the az appconfig identity assign command to create the system-assigned identity for this configuration store:
az appconfig identity assign --name myTestAppConfigStore --resource-group myResourceGroup
Adding a user-assigned identity
Creating an App Configuration store with a user-assigned identity requires that you create the identity and then assign its resource identifier to your store.
Note
You can add up to 10 user-assigned managed identities to an App Configuration store.
Using the Azure CLI
To set up a managed identity using the Azure CLI, use the az appconfig identity assign command against an existing configuration store. You have three options for running the examples in this section:
- Install the latest version of Azure CLI (2.0.31 or later) if you prefer to use a local CLI console.
The following steps walk you through creating a user-assigned identity and an App Configuration store, then assigning the identity to the store using the CLI:
If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with your Azure subscription:
az cloud set -n AzureChinaCloud
az login
# To return to public Azure, run: az cloud set -n AzureCloud
Create an App Configuration store using the CLI. For more examples of how to use the CLI with Azure App Configuration, see App Configuration CLI samples:
az group create --name myResourceGroup --location chinaeast
az appconfig create --name myTestAppConfigStore --location chinaeast --resource-group myResourceGroup --sku Free
Create a user-assigned identity called myUserAssignedIdentity using the CLI.
az identity create --resource-group myResourceGroup --name myUserAssignedIdentity
In the output of this command, note the value of the id property.
Run the az appconfig identity assign command to assign the new user-assigned identity to this configuration store. Use the value of the id property that you noted in the previous step.
az appconfig identity assign --name myTestAppConfigStore --resource-group myResourceGroup --identities /subscriptions/[subscription id]/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedIdentity
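The user-assigned steps above as one script, so that the id is captured rather than copied by hand and the assignment is checked afterward. This is an added example, not part of the original article; the function names are hypothetical, and the az appconfig identity show query assumes the output carries a userAssignedIdentities map keyed by resource ID.

```shell
# Added example. Function names are illustrative, not from the article.

# Succeeds only for a well-formed user-assigned identity resource ID.
# Azure resource IDs are case-insensitive, so the match ignores case.
is_identity_id() {
  printf '%s\n' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourcegroups/[^/]+/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$'
}

# Create the identity, capture its id, and assign it to the store.
# Prints the assigned id; returns non-zero if any step fails.
assign_user_identity() {
  rg=$1; store=$2; identity=$3
  id=$(az identity create --resource-group "$rg" --name "$identity" \
         --query id --output tsv) || return 1
  # Refuse to assign anything that is not a full identity resource ID.
  is_identity_id "$id" || { echo "unexpected id: $id" >&2; return 1; }
  az appconfig identity assign --name "$store" --resource-group "$rg" \
     --identities "$id" >/dev/null || return 1
  printf '%s\n' "$id"
}

# Confirm the store lists the identity. IDs are lowercased on both sides
# because the service may return different casing than was submitted.
# Assumption: the show output has a userAssignedIdentities map keyed by ID;
# the `{}` fallback covers a store with no user-assigned identities.
store_has_identity() {
  rg=$1; store=$2
  want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  az appconfig identity show --name "$store" --resource-group "$rg" \
     --query 'keys(userAssignedIdentities || `{}`)' --output tsv |
    tr '[:upper:]' '[:lower:]' | grep -Fxq "$want"
}
```

Call assign_user_identity myResourceGroup myTestAppConfigStore myUserAssignedIdentity, then pass the printed id to store_has_identity to confirm the store reports it.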
Removing an identity
A system-assigned identity can be removed by disabling the feature with the az appconfig identity remove command in the Azure CLI. User-assigned identities can be removed individually. Removing a system-assigned identity in this way also deletes it from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when the app resource is deleted.