This article shows you how to use PowerShell to give a managed identity access to an Azure resource. In this article, we use the example of an Azure virtual machine (Azure VM) managed identity accessing an Azure storage account. Once you've configured an Azure resource with a managed identity, you can then give the managed identity access to another resource, similar to any security principal.
Prerequisites
- Be sure you've enabled managed identity on an Azure resource, such as an Azure virtual machine.
- If you don't already have an Azure account, sign up for a Trial before continuing.
Use Azure RBAC to assign a managed identity access to another resource using PowerShell
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
Run scripts locally by installing the latest version of Azure PowerShell, then sign in to Azure using Connect-AzAccount -Environment AzureChinaCloud.
Enable managed identity on an Azure resource, such as an Azure VM.
Give the Azure virtual machine (VM) access to a storage account.
- Use Get-AzVM to get the service principal for the VM named myVM, which was created when you enabled managed identity.
- Use New-AzRoleAssignment to give the VM Reader access to a storage account called myStorageAcct:

```powershell
$spID = (Get-AzVM -ResourceGroupName myRG -Name myVM).identity.principalid
New-AzRoleAssignment -ObjectId $spID -RoleDefinitionName "Reader" -Scope "/subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/<myStorageAcct>"
```
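The two commands above are enough for a one-off assignment. The following script is an added example (not part of the original article or the Az module's documentation) that performs the same assignment in a form better suited to repeated or automated use: it fails early if the VM has no managed identity, derives the scope from the storage account's resource ID rather than a hand-typed path, skips creation when the assignment already exists, and finishes by listing what the identity holds at that scope. The resource names myRG, myVM and myStorageAcct are assumed placeholders; replace them with your own.

```powershell
# Added example; assumes the Az module is installed and a session is open via
# Connect-AzAccount -Environment AzureChinaCloud. Resource names are placeholders.
$resourceGroup  = 'myRG'
$vmName         = 'myVM'
$storageAccount = 'myStorageAcct'
$roleName       = 'Reader'

# 1. Resolve the VM's system-assigned identity. Stop if it is not enabled; otherwise
#    New-AzRoleAssignment would be called with an empty ObjectId and fail less clearly.
$vm   = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
$spID = $vm.Identity.PrincipalId
if ([string]::IsNullOrEmpty($spID)) {
    throw "VM '$vmName' has no system-assigned managed identity; enable it before assigning roles."
}

# 2. Build the scope from the storage account's own resource ID. A typo in a hand-written
#    scope string can silently grant the role on the wrong resource or resource group.
$scope = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Id

# 3. Keep the script idempotent: create the assignment only if it is not already present.
$existing = Get-AzRoleAssignment -ObjectId $spID -RoleDefinitionName $roleName -Scope $scope `
            -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Role '$roleName' already assigned to $spID at $scope"
} else {
    New-AzRoleAssignment -ObjectId $spID -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Output "Assigned role '$roleName' to $spID at $scope"
}

# 4. Verify (and record for audit) every role the identity holds at or above this scope.
Get-AzRoleAssignment -ObjectId $spID -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

The Reader role used here, as in the article, is a control-plane role: it lets the identity read the storage account's properties through Azure Resource Manager but does not by itself grant access to blob or queue data. If the workload on the VM needs to read data, assign a data-plane role such as Storage Blob Data Reader at the same scope instead, and keep the scope at the single storage account rather than the resource group or subscription so the identity holds only the access it needs.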