Lab 16 - Using Azure Key Vault for Managed Identities

Login type: Azure Resource login

Lab scenario

When you use managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Microsoft Entra authentication. However, not all Azure services support Microsoft Entra authentication. To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the managed identity to access Key Vault to retrieve the credentials.

Estimated time: 35 minutes

Exercise 1 - Use Azure Key Vault to manage Virtual Machine identities

Task 1 - Create a Key Vault

  1. Sign in to Microsoft Azure portal at https://portal.azure.com using a Global administrator account.

  2. At the top of the left navigation bar, select + Create a resource.

  3. In the Search the Marketplace box type in Key Vault.

  4. Select Key Vault from the results.

  5. Select Create.

  6. Fill out all required information as shown below. Make sure that you choose the subscription that you’re using for this lab.

    Note: The Key vault name must be unique. Look for a green checkmark to the right of the field.

  • Resource group - rgSC300KeyVault
  • Key vault name - anyuniquevalue
  7. Select Next.

  8. On the Access configuration page, select the Vault access policy radio button.

  9. Select Review + create.

  10. Select Create.

Task 2 - Create a Windows Virtual Machine

  1. Select + Create a resource.

  2. Type Windows 11 in Search the Marketplace search bar.

  3. Select Windows 11 and from the plan dropdown choose Windows 11 Enterprise, version 25H2 or any newer version. Then select Create.

  • VM Name - vmKeyVault
  • Availability options - No infrastructure redundancy required
  • Admin Username - adminKeyVault
  • Password - Set a secure password that you can remember
  • Licensing - Confirm you have an eligible license

  4. Make sure you mark the Confirm licensing checkbox.

  5. Use the Next button to get to the Management tab.

  6. On the Management tab, check the box next to Enable system assigned managed identity.

  7. Go through the rest of the experience of creating a virtual machine.

  8. Select Review + Create then select Create.

Task 3 - Create a secret

  1. Navigate to your newly created Key Vault.

  2. Open Objects on the left menu then Select Secrets.

  3. Select + Generate/Import.

  4. In the Create a secret screen, from Upload options leave Manual selected.

  5. Enter a name and value for the secret. The value can be anything you want.

  6. Leave the activation date and expiration date clear, and leave Enabled as Yes.

  7. Select Create to create the secret.

Task 4 - Grant access to Key Vault

  1. Navigate to your newly created Key Vault.

  2. Select Access Policies from the menu on the left side.

  3. Select + Create.

  4. In the Add access policy section, under Configure from template (optional), choose Secret Management from the pull-down menu.

  5. Use the Next button to move to the Principal tab.

  6. In the search field enter the name of the VM you created in task 2 - vmKeyVault. Select the VM in the result list and choose Select.

  7. Use the Next button to move to the Review + Create tab.

  8. Select Create.

Task 5 - Access data with Key Vault secret with PowerShell

  1. Go to the vmKeyVault virtual machine and select Connect. Select Download RDP file, keep the downloaded file, open it, and select Connect. Enter the password from Task 2 and select Yes in the Remote Desktop Connection prompt. On Choose privacy settings for your device, select Next and then Accept.

  2. Open the Windows 11 virtual machine deployed earlier in this lab. In the lab virtual machine, open PowerShell.

  3. In PowerShell, send a request to the Azure Instance Metadata Service (IMDS) endpoint, which is reachable only from inside the VM, to obtain an access token for the Key Vault resource (https://vault.azure.net). The Metadata header is mandatory; IMDS rejects requests without it.

     $Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -Method GET -Headers @{Metadata="true"}
    
  4. Next, extract the access token from the response.

     $KeyVaultToken = $Response.access_token
    
  5. Run the following command to retrieve the secret from Key Vault using the access token:

    Note: Replace the placeholder values:

    • <key-vault-name>: Get from the Key Vault Overview page in the Azure portal.
    • <secret-name>: Get from the Secrets page in the Key Vault.

     Invoke-RestMethod -Uri "https://<key-vault-name>.vault.azure.net/secrets/<secret-name>?api-version=2016-10-01" -Method GET -Headers @{Authorization="Bearer $KeyVaultToken"}
    
  6. You should receive a response that looks like the following:

     'My Secret' https://mi-lab-vault.vault.azure.net/secrets/mi-test/50644e90b13249b584c44b9f712f2e51 @{enabled=True; created=16... }

  7. Verify that the response includes the secret value, its URI (which ends in the secret's version id), and its attributes (for example, enabled and created), as in the sample above.
    
  8. This secret can be used to authenticate to services that require a name and password.
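As an added example (not part of the lab), the two requests from steps 3 to 5 wrapped in one reusable PowerShell function that surfaces the failure modes a learner typically hits (IMDS unreachable, expired token, missing access policy, wrong secret name) and returns the value as a SecureString rather than plain text. The vault and secret names are assumed placeholders; the function name is hypothetical.

```powershell
# Added example (not part of the lab): fetch a Key Vault secret from inside the VM
# using its system-assigned managed identity. Assumes it runs on a VM with a managed
# identity that has an access policy on the vault, as configured in Task 4.
function Get-KeyVaultSecretViaManagedIdentity {
    param(
        [Parameter(Mandatory)] [string] $VaultName,   # name chosen in Task 1
        [Parameter(Mandatory)] [string] $SecretName   # name chosen in Task 3
    )

    # 1. Ask the Instance Metadata Service (IMDS) for a token scoped to Key Vault.
    #    IMDS is link-local and answers only from inside the VM; the Metadata header
    #    is mandatory, so requests without it are rejected.
    $imdsUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
               '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
    try {
        $tokenResponse = Invoke-RestMethod -Uri $imdsUri -Method GET -Headers @{ Metadata = 'true' }
    } catch {
        throw "Could not obtain a token from IMDS. Is this running inside the VM with the system-assigned managed identity enabled? ($($_.Exception.Message))"
    }

    # 2. Check the token lifetime before using it (expires_on is a Unix timestamp).
    $expiresOn = [DateTimeOffset]::FromUnixTimeSeconds([long]$tokenResponse.expires_on)
    if ($expiresOn -le [DateTimeOffset]::UtcNow) {
        throw "IMDS returned an already-expired token (expires_on=$expiresOn)."
    }

    # 3. Call the Key Vault data-plane REST API with the bearer token.
    $secretUri = "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=2016-10-01"
    try {
        $secret = Invoke-RestMethod -Uri $secretUri -Method GET -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        switch ($status) {
            403 { throw "Key Vault refused the request (403): the VM identity has no Get permission on secrets in $VaultName. Check the access policy from Task 4." }
            404 { throw "Secret '$SecretName' (or vault '$VaultName') was not found (404)." }
            default { throw "Key Vault request failed: $($_.Exception.Message)" }
        }
    }

    # 4. Return the value as a SecureString so it is not left in plain text in
    #    transcripts or command history; callers wrap it in a PSCredential when needed.
    return ConvertTo-SecureString -String $secret.value -AsPlainText -Force
}

# Example use (step 8): build a credential for a service that needs a name and password.
# $securePwd = Get-KeyVaultSecretViaManagedIdentity -VaultName '<key-vault-name>' -SecretName '<secret-name>'
# $cred = New-Object System.Management.Automation.PSCredential('serviceUser', $securePwd)
```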

Exercise summary

In this exercise, you created a Key Vault, deployed a virtual machine with a system-assigned managed identity, granted it access to the vault, and retrieved a secret using the managed identity. This exercise showed how to access secrets without storing credentials in code.