
This link describes how to retrieve the token for a specific managed identity, if a VM is configured with multiple identities.

What is the behavior if the identity is not specified in the request? For which identity is the token returned? Is it for the system identity, or for the first user identity, or for the first identity that was configured on the VM, or something random?


1 Answer

  • System assigned managed identity will be the default, if no identity is specified in the request.
  • If system assigned is not enabled, and only one user assigned exists, then IMDS will default to that single user assigned.
  • If system assigned is not enabled, and multiple user assigned exist, then specifying the identity in the request is required.

We'll update our docs to include this information. :)

  • Thank you, this was helpful. One more question: what are the limits on the number of Identity objects that can be created per subscription, per region? The limits mentioned at https://learn.microsoft.com/en-us/azure/azure-subscription-service-limits#managed-identity-limits seem to refer to the number of identities that can be assigned to a VM/VMSS, and not the limits regarding number of identities that can be created overall. – md1000 Nov 06 '18 at 04:33
  • Two parts to the answer: A. Depends on the tier of Azure AD you're using. I believe Azure AD free limits to 500k total objects, which managed identities count towards. If you're using a higher SKU, the object count is unlimited. B. Standard Azure Resource Manager limits apply (i.e. number of objects you can have in a resource group, subscription, etc.). Besides that, there are no limits to the number of managed identities you can create. – Arturo Lucatero - MSFT Nov 06 '18 at 22:17
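The selection rule in the accepted answer, turned into a small client-side check (an added example, not code from the question, the answer or Azure's own SDKs): it refuses to send an ambiguous IMDS request instead of letting the service pick, and it reads the `oid` claim out of the returned token so the caller can confirm which identity actually issued it. The IMDS endpoint, `api-version`, `Metadata: true` header and the `client_id` / `object_id` / `msi_res_id` selectors are the documented ones; the JWT below is a constructed, unsigned sample so the code runs offline.

```python
import base64
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def default_identity(system_assigned: bool, user_assigned: List[str]) -> Optional[str]:
    """Rule from the answer: system-assigned wins; a lone user-assigned identity is
    used when there is no system-assigned one; otherwise the caller must specify.
    Returns "system", the single user-assigned client_id, or None (must specify)."""
    if system_assigned:
        return "system"
    if len(user_assigned) == 1:
        return user_assigned[0]
    return None


def build_token_request(resource: str, system_assigned: bool, user_assigned: List[str],
                        client_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for the IMDS call. An explicit client_id always wins
    (object_id or msi_res_id are the documented alternatives); without one, raise
    rather than issue a request whose identity is ambiguous."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id is not None:
        params["client_id"] = client_id
    elif default_identity(system_assigned, user_assigned) is None:
        raise ValueError("several user-assigned identities and no system-assigned one: "
                         "client_id, object_id or msi_res_id is required")
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}


def token_identity(access_token: str) -> str:
    """Read the 'oid' claim from the JWT payload. No signature check is done here;
    this only tells you which identity the token was minted for, so the caller can
    assert it matches the identity it meant to use."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["oid"]


def _fake_jwt(oid: str) -> str:
    """Constructed header.payload.signature token for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none"}) + "." + enc({"oid": oid, "aud": "https://management.azure.com/"}) + ".sig"


if __name__ == "__main__":
    url, headers = build_token_request("https://management.azure.com/", False,
                                       ["id-a", "id-b"], client_id="id-a")
    print(url, headers)
    print(token_identity(_fake_jwt("00000000-0000-0000-0000-00000000abcd")))
```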