Azure App Services supports an interesting feature called Managed Identity from Azure Active Directory. This allows your App Services to easily connect to Azure Resources such as Azure KeyVault, Azure Storage and Azure SQL. The complete list of resources that support this feature is available in the following document: Azure Services that support managed identities - Azure AD | Microsoft Docs. You could refer to our documentation for more details on this feature here.

MSI-Validator helps you troubleshoot issues with Managed Identity for Azure App Services. The link to download this tool is available in the attachments section of the blog.

Usage:

1. Download the zip file from the attachments.
2. Drag and drop "msi-validator.exe" to the Kudu console of the App Service.

Commands:

msi-validator get-token -r <resource>
msi-validator test-connection -r <resource> -e <endpoint>

Valid arguments for resource = keyvault, storage, sql

Examples:

msi-validator.exe test-connection -r keyvault -e <endpoint>
msi-validator.exe test-connection -r storage -e <endpoint>
msi-validator.exe test-connection -r sql -e "Data Source=<server>;Initial Catalog=<database>"

Troubleshooting steps:

1. From the Identity blade of the App Service, ensure that Managed Identity is turned on.

2. Navigate to the Kudu Console > Environment section and search for MSI (Ctrl + F). The environment variables "MSI_ENDPOINT" and "MSI_SECRET" would have been set automatically.

3. Run the command "msi-validator get-token -r <resource>" and check if a token is being returned. Otherwise, it indicates that the MSI service has issues reaching out to Azure Active Directory to fetch a token. In that case, check the following:
   - Does the App Service have regional VNet Integration, or is the App in an ASE?
   - Are there any User Defined Routes on the subnet to which the App Service is integrated? If yes, is the device to which the traffic is force tunneled blocking any Azure Active Directory dependency?
   - Do you still face the issue if Managed Identity is disabled and enabled again?

4. Run the command "msi-validator test-connection -r <resource> -e <endpoint>" and check if data is returned from the resource, or inspect the error message. From the error message, we see that the App Service doesn't have the necessary permissions to access the KeyVault.
   - KeyVault: Navigate to the Access Policies blade of the KeyVault from the Azure Portal and choose the Service Principal (name of the App Service).
   - Storage: Navigate to Access Control (IAM) > Add Role assignment and choose the necessary storage-related permission. The roles should be configured as per your application's use case.
   - SQL: The application could fail while connecting to Azure SQL using MSI with the error message "Unable to connect to SQL." If you want, you can add the identity to an Azure AD group, then grant SQL Database access to the Azure AD group instead of the identity. For example, the following commands add the managed identity from the previous step to a new group called myAzureSQLDBAccessGroup:
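The get-token step above can be reproduced without the tool, which is useful when you want to see exactly what the App Service's MSI endpoint answers. The following is an added example (not msi-validator's own code, and not from this blog): it reads MSI_ENDPOINT and MSI_SECRET from the environment, builds the token request the endpoint expects (assumed here: the 2017-09-01 api-version with the secret passed in a "secret" header), and maps the validator's keyvault/storage/sql names to the Azure AD audiences those services use; the `opener` parameter is an assumption added so the logic can be exercised offline.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# The validator's resource names mapped to the Azure AD audience each service expects
# (assumption: these three mirror msi-validator's "keyvault, storage, sql" arguments).
RESOURCE_AUDIENCE = {
    "keyvault": "https://vault.azure.net",
    "storage": "https://storage.azure.com/",
    "sql": "https://database.windows.net/",
}

API_VERSION = "2017-09-01"  # api-version paired with the MSI_ENDPOINT / MSI_SECRET variables


def check_environment(env):
    """Return the names of the MSI variables that are missing; empty means step 2 passes."""
    return [name for name in ("MSI_ENDPOINT", "MSI_SECRET") if not env.get(name)]


def build_token_request(env, resource):
    """Build the (url, headers) pair for the App Service MSI token endpoint."""
    audience = RESOURCE_AUDIENCE[resource]
    query = urllib.parse.urlencode({"resource": audience, "api-version": API_VERSION})
    return f"{env['MSI_ENDPOINT']}?{query}", {"secret": env["MSI_SECRET"]}


def diagnose_token_response(status, body):
    """Classify the endpoint's answer the way step 3 of the troubleshooting list does."""
    if status == 200:
        token = json.loads(body)
        if token.get("access_token"):
            return f"ok: token for {token.get('resource')} (expires_on={token.get('expires_on')})"
    # No token: the MSI service could not reach Azure AD, so check VNet integration,
    # UDR force tunneling, and whether toggling Managed Identity off/on helps.
    return f"no token returned (HTTP {status}): {body[:120]}"


def get_token(resource, env=os.environ, opener=urllib.request.urlopen):
    """Run the whole check: environment, then the token request, then the diagnosis."""
    missing = check_environment(env)
    if missing:
        return "identity not enabled: missing " + ", ".join(missing)
    url, headers = build_token_request(env, resource)
    try:
        with opener(urllib.request.Request(url, headers=headers)) as resp:
            return diagnose_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return diagnose_token_response(err.code, err.read().decode())
```

Run it from the Kudu console's Python with `python -c "import msicheck; print(msicheck.get_token('keyvault'))"` (module name assumed) to compare against what msi-validator reports.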