Managed Identities in Azure: authentication without passwords or secrets
João Barros
10 October 2025
2 min read
One of the most common anti-patterns in the cloud is storing passwords and connection strings in configuration files or environment variables. Managed Identities eliminate this problem — Azure automatically manages the credentials, and the application authenticates through Azure AD without ever seeing a password.
Types of Managed Identity
- System-assigned — created and managed by the resource lifecycle (VM, App Service, ADF). When the resource is deleted, the identity is too.
- User-assigned — an independent identity that can be assigned to multiple resources. Useful for sharing permissions across several services.
Enable on a VM
az vm identity assign \
--name vm-analytics \
--resource-group rg-analytics \
--role "Storage Blob Data Reader" \
--scope /subscriptions/.../storageAccounts/stadatalake
Use in Python code
from azure.identity import ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient

# With no arguments this uses the system-assigned identity of the host
# (VM, App Service, ...). For a user-assigned identity pass its client id:
# ManagedIdentityCredential(client_id="<client-id>")
credential = ManagedIdentityCredential()

# The SDK requests a token for the storage resource on demand and refreshes it
# before expiry; the application never handles a password or account key.
client = BlobServiceClient(
    account_url="https://stadatalake.blob.core.windows.net",
    credential=credential
)
# No passwords, no connection strings
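To make clear what ManagedIdentityCredential does for you, here is an added example (not code from the post) that builds and parses the underlying Azure Instance Metadata Service (IMDS) token request with the standard library only. The HTTP response is a constructed sample, and the client id is a placeholder; the `fetch` parameter exists so the flow can be exercised outside Azure.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# IMDS token endpoint: link-local, reachable only from inside the Azure resource.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    client_id selects a user-assigned identity; omit it for system-assigned.
    The 'Metadata: true' header is mandatory; IMDS rejects requests without it.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}


def parse_token_response(body, now=None):
    """Parse the IMDS JSON body into (access_token, seconds_until_expiry).

    expires_on is a Unix epoch string; refresh the token before it lapses.
    """
    data = json.loads(body)
    expires_on = int(data["expires_on"])
    now = time.time() if now is None else now
    return data["access_token"], expires_on - now


def _http_get(url, headers):
    # Real transport; only works when running inside an Azure VM or App Service.
    with urlopen(Request(url, headers=headers), timeout=2) as resp:
        return resp.read().decode()


def get_managed_identity_token(resource, client_id=None, fetch=_http_get, now=None):
    """Acquire a token for `resource`: roughly what ManagedIdentityCredential does."""
    url, headers = build_token_request(resource, client_id)
    return parse_token_response(fetch(url, headers), now=now)


# Constructed sample response (not a real token) so the flow runs offline.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1Qi.CONSTRUCTED",
    "expires_on": "1700003600",
    "resource": "https://storage.azure.com/",
    "token_type": "Bearer",
})
```

In production, pass `resource="https://storage.azure.com/"` and let the real `_http_get` run; the `fetch` hook is only for tests.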
Use in Azure Data Factory
In ADF, Linked Services support authentication via Managed Identity natively. In SQL Server, add the identity as a user:
-- Grant ADF access in Azure SQL: run in the target database as an Azure AD admin.
-- The user name is the Data Factory's resource name (its managed identity).
CREATE USER [adf-bconcepts] FROM EXTERNAL PROVIDER;
-- Least privilege: db_datareader gives SELECT only; add more roles only if needed.
EXEC sp_addrolemember 'db_datareader', 'adf-bconcepts';
Conclusion
Managed Identities are the most secure and simplest way to authenticate Azure services to each other. They remove the risk of credentials exposed in code, simplify secret rotation and reduce the attack surface. Adopt them as the standard in all new Azure projects.