>> Hi, I'm Donovan with
another episode of Azure Friday.
I'm here with Arturo, and
we're going to learn about
Azure AD Managed Service
Identity. Welcome to the show.
>> Thank you Donovan.
>> So, what do you do
here at Microsoft?
>> I'm a Program Manager
in Azure Active Directory.
>> Okay.
>> I focus mainly on
an offering of Azure AD,
which is called Azure AD
Managed Service Identity.
>> Managed Service Identity,
that's a mouthful.
>> That is correct.
>> Why do I even care?
>> Azure AD MSI or
Managed Service Identity allows
Azure developers to be able to
run workloads without needing
credentials
embedded in their code.
>> Okay. So, this is going
to help me get rid of
that nightmare I have with
service principals,
expiration dates,
and other way use
the information,
storing it in
environment variables,
or web config files,
and how to transfer most of
it. All that goes away now.
>> That is correct, and this
is for workloads that are
running in, say,
VMs, VM scale sets,
app services, functions where
you need to put some sort
of a credential
there to be able to
access Key Vault or SQL.
>> Okay.
>> Now, as part of doing
your code going forward,
you're always having to remember,
I need to go back and rotate
those credentials, I
need to clean them up,
or in some cases
if you're going to
push that code into
some source code,
you need to go and remove
those credentials so
that they don't get out
there in the world.
>> Sure. I'm going to be able to,
I'm an app running on a VM who
needs access to Key Vault.
Instead of me having to
put in my web.config,
environment variables, the
service principal ID, and key.
I would then use MSI instead.
I think the beautiful part
there is that if
that extension that
service principal expires,
I don't have to
redeploy my code away,
but I would just simply use
the exact same MSI that
I've always been using,
and then all that magic
happens in the back
and then make sure
that it can still
have access to everything.
>> That is correct.
So, that's one
of the big advantages of using
MSI is that before,
you had to worry about
those expirations and all that.
That's not part of our job.
>> Okay.
>> What we will do
in the background,
is make sure that
whenever it's expiring,
whenever we need to go
and rotate credentials to
make sure that everything
is clean and safe,
we will go ahead and do that.
For you as a developer,
nothing changes.
You're basically calling
the same endpoint and saying,
"You told me that I
can get a token here,
I want to continue to get a token
and there's nothing
that needs to change."
>> Okay. You mentioned
the endpoint,
I want you to show me how this
works so I can see
this endpoint clearly.
>> So, let's get this up,
you'll be able to see
here in the Azure world.
The first thing I'm
going to do is,
I want to note that MSI works
just by default in
most resources.
In this case we're going to
be talking about VMs today.
There are other things,
like app services like
I mentioned before,
or functions, that also
have support for MSI.
>> Okay.
>> So, what I'm going to do is,
I'm going to go ahead and
kick off the creation of
a VM that we will later
enable MSI on.
So, there is nothing
special we need to do.
I'm going to call it
Azure Friday, given that case,
session, and I'm like,
"Go ahead and give
it my username,"
I'm going to go use
a password from now.
>> Okay.
>> Then, I'm going
to use an existing few different
resource groups,
and I'm going to pick,
let's just do, and I had it go,
I'm going to default.
Nothing special, we'll come back
and change the settings later.
>> Okay. So all we're doing
here is creating a plain VM.
It could be Windows,
it could be Linux, it
could be whatever.
>> That is correct. It
could be Windows or Linux.
It can be
whatever configuration you
want, in whatever
region you want.
>> Okay, perfect.
>> We are going to kick it off,
and we're going to create.
While that is happening,
let me switch over
really quick to
the kind of commands that
we're going to be using today.
I didn't want to be messing
up these commands so,
I thought I put them out there.
>> Smart move.
>> We can talk about them.
So, at the top I basically
outlined what we're going to do.
We are already past
that number one,
so we're already well ahead.
For the rest of the demo,
there's three main things
we're going to do.
One is I'm going to show
you how to enable MSI,
so that we can see that
MSI is just a click of
a button, super simple.
The second thing
is we're going to
actually give it
access to something.
When you enable MSI for a resource,
it has access to nothing.
>> Got it.
>> You have no privilege,
no permission.
So, we need to go, as
a developer or as an admin,
and explicitly give it
access to do something.
>> Perfect.
>> Today we're going to be
using Azure resource manager.
>> Okay.
>> Then, the last
thing is once we
have those two things set up,
we can actually jump
into an SSH session on
the VM and go in and call
ARM and see what comes back.
>> Perfect, good stuff.
>> So, in order to
allow for this VM
to finish, actually,
I pre-provisioned a VM.
>> Perfect.
>> This one is again
just of a note VM,
we're going to go
under Configuration.
So, today you're going to
find MSI as a configuration.
>> Okay.
>> So, you can
basically go and just
click this "Yes", you're
going to click "Save".
>> All right.
>> That's going to kick off
the process to enable it.
>> So, it's going to enable it.
Is this also creating, like,
an identity? What is it
actually doing that is
creating this today?
>> That is correct.
There's a few different steps
that happen in the background.
One is when you're enabling MSI,
ARM, Azure Resource Manager
is the orchestrator.
So, what that does is it
calls Azure AD and says,
well, it actually calls MSI as
a service, and then MSI will
call Azure AD and say, "Hey,
in the background,
I actually need you
to go provision
a service principal."
>> Got it.
>> "Please go create that,
and tell me which one it is."
>> Okay.
>> Then, what we
do at MSI is we marry
that service principal with
information about the MSI.
>> Okay, and this
is per resource,
so even if I have
a resource group
that might have four VMs in it,
and I wanted to enable MSI,
I don't do it at the
resource group level,
I do that at the resource level.
>> That is correct.
>> So, I'd have to turn it on
like four times for example.
>> That's correct. So today,
there's the ability for you to
go and enable it by resource.
So, you would say,
"Please give this resource
an identity."
The benefit of this is
that when you enable it,
that MSI is tied to
the lifecycle of that resource.
>> Got it.
>> Let's say, tomorrow you
come in and you say,
"You know what?
I want to get rid of this VM,"
you go delete the VM.
We'll take care of
everything.
>> We'll clean up
in the background.
>> We'll take care of
the cleanup. Now, there
is an upcoming feature that
is going to be released,
which is called Azure AD
Managed Service Identity
User Assigned Identities.
>> Okay. If you play it longer,
it will get easier
for us to remember.
>> Yes, we will try it next time.
User assigned identities are
a variation of MSI where now,
it's a standalone resource.
So, instead of making it
where you go to
the resource and you say,
"Please enable it," now you're
going to go to
the resource and say,
"Here's the MSI I
want you to use."
>> Perfect.
>> So, if I go and today
delete this resource,
and tomorrow I need
to create a new VM,
I can now just point it to that.
>> Or I could deploy the same
app on four different VMs
and they all have
access because they all
have the exact same MSI.
>> That is correct.
>> Got it.
>> So, MSI has now been enabled,
and so what we're
going to do is, and
as you can see, it's still
deploying that other VM.
>> Sure.
>> I'm going to go
ahead and we're
going to jump back
here really quick.
So, the next step is, I'm
actually going to skip
step number two in this list
now that I've modified it,
which is the granting
of permissions.
I'm going to go
ahead and try using
MSI as it is right now,
let's see what happens.
So, now what we're
going to do is,
I'm going to show you what
it looks like to use it,
and for that I'm
going to go ahead and
use the Cloud shell here.
First, I'm going to
go in here and pick
out the information about the
VM we need to connect to.
>> Okay.
>> I'm just going to do a good
old SSH session using
the Cloud Shell.
>> Okay.
>> So, we're going to go
ahead and paste that in,
and it will ask me
for my password.
Let's see if I remember,
and we are in.
So, we're in. I'm going to go
ahead and maximize this
because again,
we're now in that VM.
Imagine that, this is
your code running in the VM.
This is what your code
would be doing.
>> Okay.
>> The first thing
we need to do is
let's go ahead and try
to ask for a token,
and I will show you that when
we go ahead and do this.
Let's talk a little bit about
what this call contains.
So, the first piece of it is
this http://169.254.169.254.
That is the address for
the Azure Instance
Metadata Service.
>> Okay.
>> Every Azure VM that
is running or basically,
any Azure VM has access to
the Instance Metadata
Service which is
hosted on its host.
>> Okay.
>> The instance metadata
or IMDS as we call it
has a few different
endpoints that you
can plug into that you can use,
and one of which is identity.
>> Okay.
>> What that enables
us to do is, that
plugin is the one that actually
runs all those background tasks.
Where and when we need
to go rotate things,
where we need to go
ask for credentials,
that is all handled at that level.
So, in fact, whatever
the service principal
is, and the credential,
never even makes it to the VM.
>> Got it.
>> Now, it's completely
abstracted away.
All you do is you're
calling an endpoint
and you are saying,
"Please give me a token."
>> Got it. That token
I can then use in
subsequent calls to get
access to whatever
resource I want.
>> Exactly, as long as
the token is still valid.
>> Sure, you then refresh it just
like you do with any other token.
>> Exactly, absolutely.
>> So, what you're going to find
here as well is that there's
an extra parameter that
is called resource.
This is what we're
going to be asking for.
We're going to say,
"Please give me a token,
so that I can go talk to
management.azure.com," which
is the URL for talking to ARM.
>> Got it.
So, if I wanted to do
something like Key Vault,
the last part for the resource
would be different.
>> Exactly, so it would be vault
and then, the rest of the URL.
>> Okay.
>> The other thing to call out is
that what we're doing here
is really allowing you to
make a call to Azure AD.
At the end of the day
these are Azure AD tokens.
They're going through
the IMDS host,
and then going over to Azure AD,
and so there's nothing
special about the token
that is coming back.
>> Okay.
>> It's just a good token.
So, call completed.
Now, let's go ahead and parse it.
In fact, let me go ahead and
show you how we do echo,
we're going to echo our response.
We're going to see here is,
there's the access token,
it's the entire body of it.
>> Okay.
>> Not only do you
have the access token,
but you have all that
good information
about when does it expire,
before, after, and what's
the resource it's for.
>> Okay.
>> But, in order to
use it in our call,
we actually need to
go ahead and parse
just the value of
the access token.
That's what I'm going
to be doing here.
So, we're going to go
ahead and do that.
>> So, even though we haven't
used RBAC to give it
permissions to anything,
you still get a token back?
>> That is correct.
>> So that's never going
to give you a 404.
It's just that token has
no provisions to do it.
>> That's correct.
>> Got it.
>> It's basically saying,
he wants a token for that?
Sure. Now, we try to
actually authorize that,
because there are
other checks in place.
>> So, this is basically
just the authentication.
I know who you are,
and here's your token.
>> That's correct.
>> Got it. Now we're going to do
the authorization, which
is completely different.
>> Yes.
>> A lot of people forget.
>> Right on point. So, we
went ahead and got that.
Now what I want to go and
do is I'm going to
construct the URL,
and this URL is basically
what we're going to do,
and this would be
what your code is.
>> Okay.
>> Really trying to achieve.
>> Got it.
>> In this case, what I'm
trying to achieve is go and
talk to ARM and read information
about a resource group.
>> Okay.
>> And that's it. We're not going
to do anything else
special today.
So, I may go ahead and copy that.
Let me go construct that
URL, and once it's ready,
right now we have
a URL that is ready,
we have a token.
We're ready to go.
>> Sure.
>> We're going to
make the actual call
which is just the cURL call.
Now, what I'll call out is
that while we're using
cURL right here,
we do have support for
you to go and use an SDK.
We have support through
all the Azure SDKs to
go ahead and use that.
Then there's of course
ways for you to go use it
doing HTTP and all the good stuff.
So, we're going to go ahead
and do that call.
Now, if you see,
it just returned,
and it said that's great.
You don't have permissions.
>> Authorization failed.
>> So, sorry but not sorry.
>> Sure. Exactly. So, what we're
going to do is we've
done all this,
and as I mentioned earlier, we
skipped basically
step number two here.
>> Correct. To prove that I
can get a token but that
token doesn't have
any permission.
>> Now, we're going to go
grant it permissions and
next time we do this call
it won't be an
authorization failed.
>> That's the goal.
>> Got it.
>> So, we're going
to go over here,
and let's jump into
Resource Groups.
I'm going to pick my
marketing prod resource group,
and if we go under
Access control,
I'm going to go ahead and add.
This is the very
standard Azure RBAC.
There's only a subtle difference
and you're going to
see that in a second.
So, I'm going to go and choose
Reader. I just want it to read.
Normally, what you see
here is you say I want
to assign access to
an Azure AD user,
or group, or an application.
This is now changed.
Now, what you're going to
see, is you're going to see
all the other resources
that are enabled to use MSI.
>> Got it. In this case,
we have function apps,
apps services, virtual machines,
and virtual machine scale sets,
and so we're going to
go and click on VMs.
I'm going to go ahead
and pick a subscription
which is the one
that I'm running on,
and then what you'll
see here is when I say,
hey my VM is maybe running
on marketing prod,
there's going to be
a list of all the VMs
that currently have
been enabled for MSI.
>> Got it.
>> So, it's not going
to list just every VM.
It's only the VMs that
have an MSI identity.
>> Perfect.
>> So, let's go ahead
and pick Azure Friday,
and then we're going
to click "Save".
>> And now it will be
added almost like a user here
where I can then go apply
the normal permission.
>> So, now if we go
and scroll down,
you'll see that Azure Friday
is listed there.
>> As a reader.
>> So, now let's go ahead
back to the Cloud Shell.
So, maximize it, and let's go
execute that same call
again and see what happens.
>> Got it.
>> We got a response.
>> Absolutely. Because
the token didn't change,
but the authorization
of that token did.
>> Exactly.
>> We didn't have to
go back in and ask
for another token,
something like that.
>> Right.
>> And so if we
wanted to go ahead and
revoke those permissions,
we can go and do that
from our backside.
>> Right.
>> Now, the token
will still be there,
but it will no longer basically
have access to that resource.
>> Perfect. Again as a developer,
the one thing that I hated dealing
with, with service principals,
was the expiration.
Eventually it expires,
and I have to either go
into my config file,
I have to go somewhere
close to my app,
and change the key,
or the ID of
that service principal.
What you're telling
me now is that,
should that service principal
behind this MSI expire,
this process is going to
basically take care
of renewing that,
giving me a fresh one
to make sure it works,
and the only thing that
I have to worry
about is RBAC, like I
would for anything else.
>> Correct.
>> The first principles
are it's abstract.
>> That is correct.
As long as you have
the MSI identity,
you're good to go.
We'll handle all of
the rotation and the renewals
in the background.
All you need to do is figure out
what resources you need
to have access to.
In the case of
Azure resource manager,
we have things like RBAC.
There's other things
out there that
maybe don't
have RBAC yet.
>> Okay.
>> We also have
support for that.
As long as you have a way to
specify, here's
a service principal,
here is the ID that you
need to give access to,
we can support that. So, look,
there's
other patterns, per se.
>> Got it.
>> So, you could
go to a key vault
which does access policies,
and go define
an access policy that says,
please accept tokens
from this identity.
>> Got it.
>> So that's for anything
that is running there.
Now let's say, here's
a little bit even
farther is that if
you have a Microsoft Azure
that is running,
and you have a way to
interpret Azure AD tokens,
you can enable that to
understand these as well.
>> Got it.
>> So, it's not just services
that we have there,
it's any service that you really
want to be able to understand
that Azure AD token and can
accept that and can validate it.
>> So, where do I go if I want
to learn more about this?
I know we send a lot of people to
docs so hopefully you're going to
tell me docs.microsoft.com
has what I need?
>> Yes.
>> Can you show me
what page it is?
>> So, you can go to
docs.microsoft.com.
We also have a handy
aka.ms/AzureMSI.
>> Okay.
>> That's going to send you right
to the home page of
our documentation.
>> Perfect.
>> And in here
you're going to find
anything from how does it work,
basically some more diagrams,
and you can go in and basically
explore that in detail.
There's tutorials.
We have a lot of
tutorials that we're
putting together on.
Again, how do you do this with
ARM and with a virtual machine,
or an app service,
all are good stuff.
>> Okay.
>> And then there'll
be more information
about, hey, what's coming,
as well as here's some
of the things that we
know about or are
expecting to see.
>> Perfect. Thank you so much.
We're learning all about
Azure AD Managed Service
Identities here on Azure Friday.
