Setting Up Managed Identities for Azure Resources

Managed identities is a more secure authentication method for Azure cloud services that allows only authorized managed-identity-enabled virtual machines to access your Azure subscription. Also, to configure backups for Azure VMs, you need only the Subscription ID, not the Tenant ID, the Application ID, or the Application Password.

Note

You can convert Azure hypervisors that were created using the traditional method to managed-identity-enabled hypervisors.

Before You Begin

Verify that your environment meets the following requirements:

  • User: You must have Service Administrator role privileges.

  • Permissions: To back up Azure VMs that have been encrypted using Azure Key Vault, your Azure account must have permissions as described in Adding Permissions to Back Up Azure VMs Encrypted with Azure Key Vault.

  • Hardware: The access nodes that you want to enable managed identities for must be virtual machines in the Azure cloud. You can associate these virtual machines with different subscriptions. However, you (as the Admin) must have access to all the subscriptions for these access nodes.

  • Operating system: You can use Windows and Linux machines as access nodes.

Collect the following information for your Azure account:

  • The Subscription ID

  • User credentials that have Service Administrator capabilities

Procedure

  1. Log on to the Azure portal (http://portal.azure.com).

  2. In the left navigation pane, click Virtual machines.

  3. From the list of virtual machines, search for the VM that has the virtual server agent (VSA) installed.

  4. When you find the VM that you want to enable with a managed identity, record the Subscription and Resource Group values.

  5. Click the VM name.

    The Virtual machine blade appears.

  6. Click the Identity tab.

    The Identity pane appears with the System assigned tab active.

  7. To register the VM with Azure Active Directory, which enables managed identity authentication for the VM, click On, and then click Save.

  8. To enable managed identity for additional virtual machines, repeat steps 2-7 .

  9. In the left navigation pane, click Subscriptions.

  10. For each subscription, from the list of subscriptions, click the subscription for the managed identity-enabled virtual machines.

    The Subscriptions blade appears.

  11. On the Access control (IAM) tab, click Add, and then select Add role assignment.

    The Add role assignment pane appears.

  12. On the Role tab, complete the following:

  13. On the Members tab, complete the following:

    1. For Assign access to, select Managed Identity.

    2. Click Select members.

    3. In the Select managed identities pane, enter the following information:

      • Subscription: Select the subscription for the managed identity-enabled virtual machines.

      • Managed identity: Select Virtual machine from the drop down list.

      • Select: Select the managed identity-enabled virtual machines that you want to assign the specified role.

  14. On the Review + assign tab, verify that all the managed identity-enabled virtual machines are selected members of the subscription.

  15. Click Save.

  16. If you are configuring a Linux proxy, you must add another role assignment, and select Storage Blob Data Contributor as the role.

Loading...