# Lab 04: Managed Identities - CLI Solutions
> Note: These are CLI/PowerShell alternatives. The portal approach in `solution.md` is recommended for AZ-104 exam preparation.
## Prerequisites
```bash
# Sign in to Azure interactively
az login
# Select the subscription the lab resources are created in
az account set -s "Your-Subscription-Name"
# Create the resource group that holds every lab resource
az group create --name rg-identity-lab --location eastus
```

## Task 1-3: VM with System-Assigned Identity
```bash
# Create the lab VM. --assign-identity with no value enables the
# system-assigned managed identity. By default az vm create also gives the
# VM a public IP and an NSG rule that allows SSH (port 22) from any source;
# fine for a throwaway lab, restrict the source range for anything longer-lived.
az vm create -g rg-identity-lab -n vm-identity-demo \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --generate-ssh-keys \
  --assign-identity
# Confirm the identity exists; principalId is the object ID used in role
# assignments
az vm identity show -g rg-identity-lab -n vm-identity-demo
# Output shows principalId - this is the identity's Object ID
```

## Task 4: Grant Key Vault Access
```bash
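# Key Vault names must be globally unique. Capture the generated name once so
# every later command (role scope, secret, cleanup) refers to the same vault
# instead of a hand-edited "kv-identity-lab-xxx" placeholder.
KV_NAME="kv-identity-lab-$(date +%s)"
az keyvault create \
  --resource-group rg-identity-lab \
  --name "$KV_NAME" \
  --location eastus \
  --enable-rbac-authorization true
# Object ID of the VM's system-assigned identity
PRINCIPAL_ID=$(az vm identity show \
  --resource-group rg-identity-lab \
  --name vm-identity-demo \
  --query principalId -o tsv)
# Resource ID of the vault; used as the role-assignment scope so the identity
# gets access to this vault only, not the whole resource group
KV_ID=$(az keyvault show \
  --resource-group rg-identity-lab \
  --name "$KV_NAME" \
  --query id -o tsv)
# Grant read-only secret access. Passing the object ID together with the
# principal type skips the Graph lookup that --assignee performs, which can
# fail for an identity that was created moments ago and has not replicated yet.
az role assignment create \
  --assignee-object-id "$PRINCIPAL_ID" \
  --assignee-principal-type ServicePrincipal \
  --role "Key Vault Secrets User" \
  --scope "$KV_ID"
# Create a secret for testing. On an RBAC-enabled vault the signed-in user
# also needs a data-plane role (e.g. Key Vault Secrets Officer) for this call
# to succeed; creating the vault alone does not grant it.
az keyvault secret set \
  --vault-name "$KV_NAME" \
  --name TestSecret \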
--value "Hello from managed identity!"
```

## Task 5: User-Assigned Managed Identity
```bash
# Create a user-assigned managed identity; unlike the system-assigned one it
# is a standalone resource with its own lifecycle
az identity create -g rg-identity-lab -n id-shared-services
# Show the new identity (id, principalId and clientId are used later)
az identity show \
  -g rg-identity-lab \
--name id-shared-services
```

## Task 6: Assign User Identity to VM
```bash
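# Resource ID of the user-assigned identity (--identities takes resource IDs
# or names, not principal IDs)
IDENTITY_ID=$(az identity show \
  --resource-group rg-identity-lab \
  --name id-shared-services \
  --query id -o tsv)
# Attach it to the existing VM; the system-assigned identity enabled earlier
# is kept, so the VM ends up with both
az vm identity assign \
  --resource-group rg-identity-lab \
  --name vm-identity-demo \
  --identities "$IDENTITY_ID"
# Verify: the type field should now read "SystemAssigned, UserAssigned"
az vm identity show \
  --resource-group rg-identity-lab \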
--name vm-identity-demo
```

## Task 7: Storage Account Access for User-Assigned Identity
```bash
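# Storage account names are 3-24 lowercase letters/digits and globally unique.
# "stgidentitylab" (14 chars) plus a 10-digit epoch is exactly 24.
STORAGE_NAME="stgidentitylab$(date +%s)"
az storage account create \
  --resource-group rg-identity-lab \
  --name "$STORAGE_NAME" \
  --sku Standard_LRS \
  --location eastus
# --auth-mode login authenticates with the signed-in user's token instead of
# the account key; the user needs a data-plane role (e.g. Storage Blob Data
# Contributor) on the account for this to succeed
az storage container create \
  --account-name "$STORAGE_NAME" \
  --name testcontainer \
  --auth-mode login
# Object ID of the user-assigned identity
USER_PRINCIPAL=$(az identity show \
  --resource-group rg-identity-lab \
  --name id-shared-services \
  --query principalId -o tsv)
# Resource ID of the storage account; scoping the role here (not the resource
# group) limits the identity to this one account
STORAGE_ID=$(az storage account show \
  --resource-group rg-identity-lab \
  --name "$STORAGE_NAME" \
  --query id -o tsv)
# Grant blob data access. Object ID plus principal type avoids the Graph
# lookup that can fail while a just-created identity is still replicating.
az role assignment create \
  --assignee-object-id "$USER_PRINCIPAL" \
  --assignee-principal-type ServicePrincipal \
  --role "Storage Blob Data Contributor" \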
--scope $STORAGE_ID
```

## Task 8: Verify Role Assignments
```bash
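# Object ID of the VM's system-assigned identity
SYSTEM_PRINCIPAL=$(az vm identity show \
  --resource-group rg-identity-lab \
  --name vm-identity-demo \
  --query principalId -o tsv)
# --all is required: without it the list covers only assignments made at
# subscription scope, and the lab's assignments are scoped to the vault and
# the storage account, so the table would come back empty.
# Expect one row: Key Vault Secrets User on the vault.
az role assignment list \
  --all \
  --assignee "$SYSTEM_PRINCIPAL" \
  --output table
# Expect one row: Storage Blob Data Contributor on the storage account
# (USER_PRINCIPAL was captured in Task 7)
az role assignment list \
  --all \
  --assignee "$USER_PRINCIPAL" \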
--output table
```

## Task 9: Test Access from VM
```bash
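# Look up the user-assigned identity's clientId from the admin workstation
# BEFORE connecting: inside the VM the session runs as the system-assigned
# identity, which holds no Reader role on the identity resource, so the same
# query is likely to be refused there. Note the value for use below.
az identity show \
  --resource-group rg-identity-lab \
  --name id-shared-services \
  --query clientId -o tsv
# SSH into the VM (az vm show -d -g rg-identity-lab -n vm-identity-demo
# --query publicIps -o tsv prints the address)
ssh azureuser@<vm-public-ip>
# Inside the VM - install Azure CLI. This pipes a remote script straight into
# a root shell; outside a throwaway lab, download the script and review it
# before running it, or install from the Microsoft apt repository instead.
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Sign in as the VM's system-assigned identity (no credentials stored on the VM)
az login --identity
# Key Vault access via the system-assigned identity. Substitute the vault
# name generated in Task 4; shell variables from the workstation do not exist
# in this session.
az keyvault secret show \
  --vault-name kv-identity-lab-xxx \
  --name TestSecret
# Switch to the user-assigned identity; --username selects it by the clientId
# noted above
az login --identity --username <user-assigned-client-id>
# Storage access via the user-assigned identity; substitute the account name
# from Task 7
az storage blob list \
  --account-name <storage-account-name> \
  --container-name testcontainer \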
--auth-mode login
```

## PowerShell Alternative (Az Module)
```powershell
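# Import Az module
Import-Module Az
# Connect to Azure (interactive sign-in)
Connect-AzAccount
# Enable the system-assigned identity on the existing VM
$vm = Get-AzVM -ResourceGroupName "rg-identity-lab" -Name "vm-identity-demo"
Update-AzVM -ResourceGroupName "rg-identity-lab" -VM $vm -IdentityType SystemAssigned
# Create user-assigned identity
New-AzUserAssignedIdentity `
  -ResourceGroupName "rg-identity-lab" `
  -Name "id-shared-services" `
  -Location "eastus"
# Attach it to the VM. -IdentityType replaces the VM's identity setting, so
# "UserAssigned" alone would drop the system-assigned identity enabled above;
# "SystemAssignedUserAssigned" keeps both, matching Task 6 in the CLI flow.
$identity = Get-AzUserAssignedIdentity `
  -ResourceGroupName "rg-identity-lab" `
  -Name "id-shared-services"
$vm = Get-AzVM -ResourceGroupName "rg-identity-lab" -Name "vm-identity-demo"
Update-AzVM -ResourceGroupName "rg-identity-lab" -VM $vm `
  -IdentityType SystemAssignedUserAssigned `
  -IdentityId $identity.Id
# Create role assignment, scoped to the storage account only. The account was
# created with a timestamp suffix in Task 7, so a hard-coded "stgidentitylab"
# would not be found; match it by prefix within the resource group instead.
$principalId = $identity.PrincipalId
$storageAccount = Get-AzStorageAccount -ResourceGroupName "rg-identity-lab" |
  Where-Object { $_.StorageAccountName -like "stgidentitylab*" } |
  Select-Object -First 1
New-AzRoleAssignment `
  -ObjectId $principalId `
  -RoleDefinitionName "Storage Blob Data Contributor" `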
-Scope $storageAccount.Id
```

## Cleanup
```bash
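# Delete the whole resource group (every lab resource lives in it).
# --no-wait returns immediately; the deletion keeps running in the background.
az group delete --name rg-identity-lab --yes --no-wait
# Or delete individual resources
az vm delete --resource-group rg-identity-lab --name vm-identity-demo --yes
# Uses KV_NAME from Task 4 if still set, otherwise edit the placeholder.
# Newly created vaults always have soft-delete enabled, so delete alone keeps
# the vault (and reserves its name) for the retention period; purge removes it
# for good and needs purge permission on the vault.
az keyvault delete --name "${KV_NAME:-kv-identity-lab-xxx}"
az keyvault purge --name "${KV_NAME:-kv-identity-lab-xxx}"
# :? aborts with a message instead of passing an empty name if STORAGE_NAME
# (set in Task 7) is not in this shell
az storage account delete --resource-group rg-identity-lab --name "${STORAGE_NAME:?set to the Task 7 account name}" --yes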
az identity delete --resource-group rg-identity-lab --name id-shared-services
```

## Useful Commands Reference
| Task | Command |
|---|---|
| Enable system identity | az vm identity assign --resource-group RG --name VM |
| Create user identity | az identity create --resource-group RG --name NAME |
| Assign user identity | az vm identity assign --identities ID |
| List role assignments | az role assignment list --assignee PRINCIPAL_ID |
| Get principal ID | az vm identity show --query principalId |
| Login from VM | az login --identity |