Managed Identity – Troubleshooting Guide
Managed Identities provide Azure services with an automatically managed identity in Azure AD. This guide helps you diagnose and resolve common issues when using System‑Assigned or User‑Assigned Managed Identities.
Overview
Managed Identities eliminate the need for explicit credentials. They support:
- System‑Assigned Managed Identity (tied to a single Azure resource)
- User‑Assigned Managed Identity (shared across resources)
- Azure AD token acquisition via the Instance Metadata Service (IMDS)
Common Issues
- 401 Unauthorized – The token request fails or the resource does not trust the identity.
- IMDS endpoint unavailable – Network restrictions block 169.254.169.254.
- Identity not assigned – The Azure resource does not have a managed identity enabled.
- Insufficient RBAC permissions – The identity lacks the required role on the target resource.
Diagnostic Steps
- Confirm the identity is assigned: open the Azure portal, navigate to your resource (e.g., App Service, VM) and confirm that Identity → System‑assigned is On or that the correct User‑Assigned identity is attached.
- Confirm IMDS is reachable from inside the resource:

```shell
curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2023-01-01&resource=https://management.azure.com/" -H "Metadata:true"
```

  If you receive a JSON token response, IMDS is reachable. Otherwise, check NSG or firewall rules.
- Ensure the managed identity has the necessary role (e.g., Contributor or a custom role) on the target resource or resource group:

```shell
az role assignment list --assignee [MANAGED_IDENTITY_OBJECT_ID]
```

- On certain platforms, the token cache may retain expired tokens. Restart the service or clear the cache.
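The following Python script is an added diagnostic helper, not the guide's own code: it ties the steps above together by probing the IMDS endpoint from this guide, mapping the outcome onto the failure modes listed under Common Issues, and decoding the returned token's claims so you can see which identity (oid/appid) actually answered and whether the token is already expired (the symptom of a stale cache). The `make_sample_response` helper and the `<OBJECT_ID>` placeholder are constructed for offline demonstration; the 400 / "Identity not found" check matches the IMDS reply when no identity is assigned.

```python
import base64
import json
import time
import urllib.error
import urllib.request

IMDS_TOKEN_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
                  "?api-version=2023-01-01&resource=https://management.azure.com/")

def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_response(status, body: str, now=None) -> dict:
    """Map an IMDS status/body pair onto the guide's Common Issues."""
    now = time.time() if now is None else now
    if status is None:  # connection refused or timed out
        return {"issue": "imds_unreachable", "hint": "check NSG/firewall rules for 169.254.169.254"}
    if status == 400 and "identity not found" in body.lower():  # IMDS reply when no identity is assigned
        return {"issue": "identity_not_assigned", "hint": "enable or attach a managed identity"}
    if status != 200:
        return {"issue": f"http_{status}", "hint": body[:200]}
    claims = decode_jwt_claims(json.loads(body)["access_token"])
    expired = claims.get("exp", 0) <= now  # a stale cache shows up as an already-expired token
    return {"issue": "token_expired" if expired else "ok", "oid": claims.get("oid"),
            "appid": claims.get("appid"), "exp": claims.get("exp")}

def probe_imds(url: str = IMDS_TOKEN_URL, timeout: float = 3.0) -> dict:
    """Call IMDS (only meaningful on an Azure host) and classify the outcome."""
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode())
    except (urllib.error.URLError, OSError):
        return classify_response(None, "")

def make_sample_response(claims: dict) -> str:
    """Constructed, unsigned IMDS-style response for offline demonstration only."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    token = f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."
    return json.dumps({"access_token": token, "expires_on": str(claims["exp"])})

if __name__ == "__main__":
    sample = make_sample_response({"oid": "<OBJECT_ID>", "exp": int(time.time()) + 3600})
    print(classify_response(200, sample))  # constructed response -> issue "ok"
    print(probe_imds())  # live probe; reports imds_unreachable when run off Azure
```

Compare the `oid` in the output with the object ID you pass to `az role assignment list`; a mismatch means the token came from a different identity than the one you granted the role to.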
Code Samples
Below are language‑specific examples for acquiring a token using Managed Identity.
Azure SDK for .NET
```csharp
// Install-Package Azure.Identity
// Install-Package Azure.ResourceManager
using System;
using Azure.Identity;
using Azure.ResourceManager;

// Acquire a token for Azure Resource Manager. On an Azure host with a managed
// identity, DefaultAzureCredential resolves to ManagedIdentityCredential.
var credential = new DefaultAzureCredential();
var client = new ArmClient(credential);
// The token is only requested on the first call, so make one to prove authentication.
var subscription = client.GetDefaultSubscription();
Console.WriteLine("Authenticated successfully");
```
Azure SDK for Python
```python
# pip install azure-identity azure-mgmt-resource
from azure.identity import DefaultAzureCredential
from azure.mgmt.resource import ResourceManagementClient

subscription_id = "<SUBSCRIPTION_ID>"  # placeholder: replace with your subscription ID
credential = DefaultAzureCredential()
client = ResourceManagementClient(credential, subscription_id)
# The token is only requested on the first call, so make one to prove authentication.
for group in client.resource_groups.list():
    print(group.name)
print("Authenticated")
```
Azure CLI
```shell
# Get an access token for the current managed identity from IMDS.
# The response is a JSON document; the bearer token is in the access_token field.
TOKEN=$(curl -s -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2023-01-01&resource=https://management.azure.com/")
echo "$TOKEN" | jq .
ACCESS_TOKEN=$(echo "$TOKEN" | jq -r .access_token)
```
FAQ
- Do I need to rotate tokens manually?
- No. Managed Identity tokens are automatically refreshed by the Azure runtime.
- Can I use Managed Identity with on‑premises resources?
- Only via Azure Arc or Hybrid Connections that expose the IMDS endpoint.
- Why am I seeing “Identity not found” errors?
- Typical causes: the identity isn’t enabled on the resource, or the request is being made from a non‑Azure environment.