I have created a user-assigned identity using account [email protected] and copied the clientid. After this I have assigned a role to this identity on a particular storage account. Also I have added this user-assigned identity to an Azure Function. Now I am trying to execute some code through Visual Studio and my login account is [email protected]. I have the below piece of code:
string userAssignedClientId = "<your managed identity client Id>";
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions {ManagedIdentityClientId = userAssignedClientId });
var blobClient = new BlobClient(new Uri("https://myaccount.blob.core.windows.net/mycontainer/myblob"), credential);
Now my question is: how will DefaultAzureCredential do authentication? Will it allow a user with account [email protected] to use a clientid created using account [email protected]?
Thanks @Tiny Wang for the comment.
We have to use the same Azure account with which you have created the Managed Identity. If Managed Identity is enabled, and you are using DefaultAzureCredential, then the application will look for the Azure credentials which are used for creating the Managed Identity. As mentioned by Tiny Wang here, that account is referred to as the Azure account in which you have created the Managed Identity.
When the application is running locally, it uses the VisualStudio, VSCode, Azure CLI or PowerShell authentication.
When the application is deployed, it uses the Managed Identity authentication.
As mentioned in the MSDoc, DefaultAzureCredential will follow the order of authentication. If any of the authentication is completed and satisfied, it stops the process.
Check the below workaround for how ManagedIdentityCredential works in your scenario.
I have created a Managed Identity with one Azure account. And in Visual Studio I have logged in with a different Azure account.
When I tried to run with your code, I didn't get any error.
From this I understood that as we have mentioned Managed Identity, the authentication is taking the Azure credentials of the created Managed Identity account irrespective of the Visual Studio account. But it may impact the access level of Azure resources. So, it is better to go with the same account.
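
A way to see which identity actually obtains the token in the setup discussed above, as an added example that is not part of the original question or answer: it tries the managed identity, Visual Studio and Azure CLI credentials one at a time against the storage scope and prints the identity claims of each token that is issued. The scope string and the claim names (appid, oid, upn, tid) are assumptions about a typical Microsoft Entra access token for Azure Storage; the client ID is the question's placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using Azure.Core;
using Azure.Identity;

// Added diagnostic: probe each credential separately instead of letting the chain pick one silently.
string userAssignedClientId = "<your managed identity client Id>"; // placeholder from the question
var storageScope = new TokenRequestContext(new[] { "https://storage.azure.com/.default" }); // assumed scope

var candidates = new List<(string Name, TokenCredential Credential)>
{
    ("ManagedIdentityCredential", new ManagedIdentityCredential(userAssignedClientId)),
    ("VisualStudioCredential", new VisualStudioCredential()),
    ("AzureCliCredential", new AzureCliCredential()),
};

foreach (var (name, credential) in candidates)
{
    try
    {
        AccessToken token = credential.GetToken(storageScope, default);
        Console.WriteLine($"{name}: token issued, expires {token.ExpiresOn:u}");
        PrintIdentityClaims(token.Token); // claims only; the raw token is never written out
    }
    catch (CredentialUnavailableException ex)
    {
        // No such credential source here, e.g. no managed identity endpoint on a developer machine.
        Console.WriteLine($"{name}: unavailable in this environment ({ex.Message})");
    }
    catch (AuthenticationFailedException ex)
    {
        Console.WriteLine($"{name}: attempted but failed ({ex.Message})");
    }
}

static void PrintIdentityClaims(string jwt)
{
    // The JWT payload is the second dot-separated segment, base64url-encoded without padding.
    string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
    payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
    using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
    foreach (string claim in new[] { "appid", "oid", "upn", "tid" }) // assumed claim names
    {
        if (doc.RootElement.TryGetProperty(claim, out JsonElement value))
            Console.WriteLine($"    {claim} = {value}");
    }
}
```

Comparing the printed oid with the principal that holds the role assignment on the storage account shows whether the RBAC grant applies to the identity that was actually used.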