Managed-Identity

https://www.youtube.com/watch?v=sA_mXKy_dKU


Azure Managed Identity:

Managed Identity lets your code authenticate to other Azure services without keeping any credential in the code or its configuration. To see why that matters, first look at two classical ways authentication is done against Azure services today.

1. Scenario: Keys for Authentication

In this scenario two services talk to each other. Service A is a client that sends a key to Service B.

Service B validates the key, checks the permissions, authorizes the operation and returns the result. That is fairly simple.

The challenge it imposes is managing the keys.

It also carries the higher security risk, because those keys are stored in your service configuration and application configuration files, where anyone with read access to the deployment or the source repository can take them.

You can move the keys out of the configuration files into an external service such as Azure Key Vault, but that only moves the problem: how do you securely connect to Key Vault without keeping a key for it in your code?

2. Scenario: Azure AD for Authentication

As in the previous example we connect from Service A to Service B, but now Azure AD is involved.

Service A sends its identity credentials (for example a client ID and client secret) to Azure AD; once those credentials are validated, a token is returned to Service A.

Service A then sends this token to Service B. Service B fetches Azure AD's "OpenID configuration" (which points to the token signing keys) to verify the token's signature, issuer, audience and expiry; once the token and all the authorization layers are verified, the result is returned from Service B to Service A.

This is much better security than the first example, because Azure AD brings a bunch of security controls and smart alerting, and Service B never sees Service A's credential, only a short-lived token.

But we are still left with one challenge: the identity credentials need to be stored somewhere.


They end up either in the application code, in an application configuration file, or on the service itself.

Because those identity credentials have to live somewhere, Managed Identity exists to take that job away from you.

It is all about moving the credentials out of your application code, configuration files and service: the platform holds the credential and your code only asks for tokens.
Secondly, the identity is created with, and tied to, the resource it was created for.

That means if we create a Virtual Machine with a managed identity and later delete the VM, its identity is deleted as well. (This describes a system-assigned managed identity; a user-assigned managed identity is a standalone Azure resource with its own lifecycle that can be attached to several resources.)

A Managed Identity is a special type of service principal in Azure AD.


Let's take the previous example to understand this.

This time an application running on an Azure Virtual Machine connects to a Key Vault, which is a bit more realistic. The application still wants to grab a token from Azure AD.

When you enable Managed Identity on the VM, a local internal endpoint is registered. This endpoint is a small web service running on the Virtual Machine and is only reachable from inside the virtual machine.

So only your locally running code can request tokens from it, and it does that very simply: it sends a token request with no credentials to this endpoint; the endpoint uses a credential stored internally in the virtual machine to connect to Azure AD, grabs a token and hands it to the application.

Remember, when you register a Managed Identity the name of the identity is the same as the Azure resource that was used to create it. For a Virtual Machine the identity name is the name of the virtual machine.

Lastly, remember the lifecycle is tied to that resource: when you delete the Virtual Machine, the Managed Identity (the service principal in Azure AD) is deleted with it.
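The flow described above, written out as an added example (this is not code from the video): the application on the VM asks the local endpoint for a Key Vault token without presenting any credential, then uses that token as a bearer token against Key Vault. The endpoint address, api-version query parameter and the required "Metadata: true" header are the documented Azure Instance Metadata Service (IMDS) interface; the vault name example-kv, the secret name db-password, the token value and the fake HTTP responses are constructed so the flow runs offline.

```python
"""Added example: fetch a Managed Identity token from the VM-local IMDS endpoint
and read a Key Vault secret with it. All HTTP is routed through an injectable
`fetch` callable; `_fake_fetch` is a constructed stand-in for IMDS and Key Vault."""
import json
import time
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Documented IMDS token endpoint. The link-local address is only reachable from
# inside the VM, which is what stops code outside the VM from minting tokens.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"   # audience for Key Vault tokens
KEY_VAULT_API_VERSION = "7.4"


def real_fetch(url, headers):
    """HTTP GET returning (status, body). Only used when running on a real VM."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


class ManagedIdentityClient:
    """Requests tokens with no stored credential and caches them until expiry."""

    def __init__(self, fetch=real_fetch, clock=time.time):
        self.fetch = fetch
        self.clock = clock
        self._cache = {}      # resource -> (token, expires_on epoch seconds)

    def token_request_url(self, resource):
        query = urllib.parse.urlencode(
            {"api-version": IMDS_API_VERSION, "resource": resource})
        return f"{IMDS_TOKEN_URL}?{query}"

    def get_token(self, resource):
        cached = self._cache.get(resource)
        # Refresh a little early so a token never expires in the middle of a call.
        if cached and cached[1] - self.clock() > 60:
            return cached[0]
        # "Metadata: true" is mandatory: IMDS rejects requests without it, so a
        # browser redirect or naive SSRF cannot reach the token endpoint.
        status, body = self.fetch(self.token_request_url(resource),
                                  {"Metadata": "true"})
        if status != 200:
            raise RuntimeError(f"IMDS token request failed: {status} {body}")
        payload = json.loads(body)
        token, expires_on = payload["access_token"], int(payload["expires_on"])
        self._cache[resource] = (token, expires_on)
        return token


def get_secret(client, vault_name, secret_name):
    """Read a Key Vault secret using a Managed Identity bearer token."""
    token = client.get_token(KEY_VAULT_RESOURCE)
    url = (f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
           f"?api-version={KEY_VAULT_API_VERSION}")
    status, body = client.fetch(url, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"Key Vault request failed: {status} {body}")
    return json.loads(body)["value"]


# ---- constructed offline stand-in for IMDS and Key Vault (not real data) ----
FAKE_TOKEN = "eyJ.constructed.token"
FAKE_NOW = 1_700_000_000


def _fake_fetch(url, headers):
    """Mimics only the behaviour of the two endpoints that the flow depends on."""
    if url.startswith(IMDS_TOKEN_URL):
        if headers.get("Metadata") != "true":
            return 400, ('{"error":"invalid_request","error_description":'
                         '"Required metadata header not specified"}')
        return 200, json.dumps({"access_token": FAKE_TOKEN,
                                "expires_on": str(FAKE_NOW + 3600),
                                "resource": KEY_VAULT_RESOURCE,
                                "token_type": "Bearer"})
    if url.startswith("https://example-kv.vault.azure.net/secrets/db-password"):
        if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
            return 401, '{"error":{"code":"Unauthorized"}}'
        return 200, json.dumps({"value": "s3cr3t-from-vault"})
    return 404, "{}"


def demo():
    """Run the whole flow against the constructed endpoints."""
    client = ManagedIdentityClient(fetch=_fake_fetch, clock=lambda: FAKE_NOW)
    return get_secret(client, "example-kv", "db-password")


if __name__ == "__main__":
    print(demo())
```

On a real VM you would construct ManagedIdentityClient() with the defaults so it talks to IMDS. Note that nothing in the code identifies the application: the identity is the VM's, and what it may read is entirely decided by the Key Vault access policy or RBAC role assigned to that identity, which is where authorization has to be set up.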

What services are supported with Managed Identity?