Create a Media Services account
Warning
Azure Media Services will be retired June 30th, 2024. For more information, see the AMS Retirement Guide.
To start encrypting, encoding, analyzing, managing, and streaming media content in Azure, you need to create a Media Services account. The Media Services account needs to be associated with one or more storage accounts. This article describes steps for creating a new Azure Media Services account.
Note
Accounts created with the 2020-05-01 API cannot use the legacy RESTv2 API. Older API versions can be used to create accounts that can still work with the legacy RESTv2 API if needed.
They have access to new features like managed identity, encryption at rest with a customer-managed key, and enabling trusted service access from the Media Services account to attached storage accounts.
Prerequisites
If you aren't familiar with the Azure Managed Identity platform, take some time to understand the platform and the differences between identity types. A Media Services account default managed identity type is a user-managed identity.
- Read about the Microsoft identity platform.
- Read about managed identities for Azure resources.
- You might also want to take a few moments to read about applications and service principals.
Create an account
You can use either the Azure portal or the CLI to create a Media Services account. Choose the tab for the method you would like to use.
Note
When Media Services is configured to use Managed Identity to access storage, Media Services can use any storage account that the Managed Identity can access.
When using System authentication to storage, the storage account must be in the same subscription as the Media Services account. Use storage accounts in the same region as the Media Services account to avoid additional data egress costs.
For both authentication types, the principal that creates or updates the Media Services account must have the 'Microsoft.Storage/storageAccounts/listkeys/action' permission over the storage account.
Create a Media Services account with the portal
Sign in at the Azure portal.
Select +Create a resource.
In the search field, enter "Media Services" and select Enter. Search results will appear including a card for Media Services.
Select the Media Services card. The Media Services detail screen will appear.
Select Create. The Create a Media Services account screen will appear.
In the Create a Media Services account section enter required values.
Name Description Account Name Enter the name of the new Media Services account. A Media Services account name is all lowercase letters or numbers with no spaces, and is 3 to 24 characters in length. Subscription If you have more than one subscription, select one from the list of Azure subscriptions that you have access to. Resource Group Select the new or existing resource. A resource group is a collection of resources that share lifecycle, permissions, and policies. Learn more here. Location Select the geographic region that will be used to store the media and metadata records for your Media Services account. This region will be used to process and stream your media. Only the available Media Services regions appear in the drop-down list box. Storage Account Select a storage account to provide blob storage of the media content from your Media Services account. You can select an existing storage account in the same geographic region as your Media Services account, or you can create a new storage account. A new storage account is created in the same region. The rules for storage account names are the same as for Media Services accounts.
You must have one Primary storage account and you can have any number of Secondary storage accounts associated with your Media Services account. You can use the Azure portal to add secondary storage accounts. For more information, see Azure Storage accounts with Azure Media Services accounts.
The Media Services account and all associated storage accounts must be in the same Azure subscription. It is strongly recommended to use storage accounts in the same location as the Media Services account to avoid additional latency and data egress costs.Advanced settings Select a previously created user managed identity from the dropdown list or create a new user managed identity by selecting the link. Important
All new Media Services accounts require a user-managed identity. Previously created accounts that have a system-managed identity have not changed.
Select the checkbox next to "I have all the rights to use the content/file, and agree that it will be handled per the Online Services Terms and the Microsoft Privacy Statement." to confirm and continue.
Click Review + create or add tags with the Next:Tags button.
Click Create on the following screen. Deployment will begin.
Enable a Media Services system-assigned managed identity with the portal
When a Media Services account is created, a user-managed identity is either selected or created. If you need to create a system-managed identity, take the following steps after you've created a Media Services account:
- In the Azure portal, select the Media Services account to which you want to add a system-managed identity from the list of resources on your portal home screen. The account screen will appear.
- From the left navigation menu, select Identity. The Identity screen for the account will appear.
- Select the System-assigned tab.
- Select the Yes radio button to enable the system-assigned identity.
- Select Save.
Use a system-managed identity with a Media Services storage account in the portal
After you've created a Media Services account with an associated storage account, you can assign a system-managed identity to it.
- Navigate to the Media Services account in the Azure portal.
- Select Storage from the left navigation menu. The managed-identity radio button should already be selected.
- Select System-assigned from the managed-identity dropdown list of the storage account.
- Select Save.
Use either a user-managed identity or a system-managed identity for account encryption in the portal
You can assign either a user-managed identity or a system-managed identity for account encryption.
- Navigate to the Media Services account in the Azure portal.
- Select Encryption from the left navigation menu. The Microsoft-managed keys radio button should already be selected.
- Select the Customer-managed keys radio button. The Managed-identity dropdown list will appear.
- Select either the user-managed identity that you want to use or select System-assigned from the dropdown list. The Encryption key radio buttons will appear.
- Continue the setup for Key Vault and key.
- Select Save.