In this post, we’ll take a brief look at the difference between an Azure service principal and a managed identity (formerly referred to as a Managed Service Identity or MSI).
What is a service principal or managed service identity?
Let's get the basics out of the way first. In short, a service principal can be defined as:
An application whose tokens can be used to authenticate and grant access to specific Azure resources from a user-app, service or automation tool, when an organisation is using Azure Active Directory.
In essence, service principals help us avoid having to create fake users in Active Directory in order to manage authentication when we need to access Azure resources.
Stepping back a bit, it's important to remember that service principals are defined on a per-tenant basis. This is different to the application from which principals are created: the application sits across every tenant.
Managed identities are often spoken about when talking about service principals, and that's because it's now the preferred approach to managing identities for apps and automation access. In effect, a managed identity is a layer on top of a service principal, removing the need for you to manually create and manage service principals directly.
There are two types of managed identities:
System-assigned: These identities are tied directly to a resource and follow that resource's lifecycle. For instance, if the resource is deleted then the identity is removed with it.
User-assigned: These identities are created independently of any resource, and as such can be shared between different resources. Removing them is a manual step you perform whenever you see fit.
One of the problems with managed identities is that, for now, only a limited subset of Azure services support using them as an authentication mechanism. If the service you use doesn't support MI, then you'll need to continue creating and managing your service/security principals manually.
So what’s the difference?
Put simply, the difference between a managed identity and a service principal is that a managed identity manages the creation and automatic renewal of a service principal on your behalf.
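As an added example (not from the original post), here is the distinction expressed in a Bicep template: a user-assigned identity defined as its own resource and shared by two web apps, one of which also gets a system-assigned identity, plus a single role assignment granted to the service principal behind the shared identity. The resource names, the B1 plan and the storage account are assumptions made for the example.

```bicep
// Added example, not from the original post. Names below are assumed.
param location string = resourceGroup().location

// Built-in "Storage Blob Data Reader" role definition ID.
var blobReaderRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')

// User-assigned: its own resource with its own lifecycle, so it survives the
// deletion of either app and has to be removed explicitly.
resource sharedId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-shared'
  location: location
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-demo'
  location: location
  sku: { name: 'B1' }
}

// This app carries both kinds: the system-assigned identity is created with the
// app and disappears with it; the user-assigned one is merely referenced.
resource apiApp 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-api'
  location: location
  identity: {
    type: 'SystemAssigned, UserAssigned'
    userAssignedIdentities: { '${sharedId.id}': {} }
  }
  properties: { serverFarmId: plan.id }
}

// A second app reuses the same user-assigned identity.
resource workerApp 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-worker'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${sharedId.id}': {} }
  }
  properties: { serverFarmId: plan.id }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'st${uniqueString(resourceGroup().id)}'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
}

// One assignment covers both apps because they share the identity. The
// principal that receives the role is the service principal Azure manages
// on the identity's behalf, hence principalType 'ServicePrincipal'.
resource sharedRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, sharedId.id, blobReaderRoleId)
  scope: storage
  properties: {
    roleDefinitionId: blobReaderRoleId
    principalId: sharedId.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Deleting `app-api` removes its system-assigned identity and any role assignments made to it, while `id-shared` and the assignment above stay until you delete the identity yourself.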
Update 31/1/20: If you’re using Azure Web Apps, check out our new post on using managed identities with deployment slots