- We have several apps which are built using .NET and are running in VMs (on-prem)
- All apps will be registered to Azure AD.
- Can we use user managed identity to access Key Vault from these on-prem apps?
Thanks in advance
No, you cannot use a Managed Identity from on-prem apps.
[...] a managed identity is a service principal of a special type that may only be used with Azure resources.
To see a list of resources currently supported, see Services that support managed identities for Azure resources.
You can, however, use a Service Principal to connect to Key Vault from an application running on-premises.
To do so, use the portal to create an Azure AD application and service principal that can access resources.
For Service Principals, authentication can be done in two different ways: password-based authentication (application secret) and certificate-based authentication. Using a certificate is recommended, but you can also create an application secret.
To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
If you cannot use managed identity, you instead register the application with your Azure AD tenant, as described on Quickstart: Register an application with the Azure identity platform. Registration also creates a second application object that identifies the app across all tenants.
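The following is an added example, not code from the question or the answer above, showing what the recommended approach looks like in a .NET app: a service principal authenticating to Key Vault with a certificate (preferred) or an application secret (fallback) via the Azure.Identity and Azure.Security.KeyVault.Secrets packages. The tenant ID, client ID, vault URL, certificate path, environment variable name and secret name are all placeholders that you would replace with the values from your own app registration and vault.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example (not from the original post). Requires the NuGet packages
// Azure.Identity and Azure.Security.KeyVault.Secrets.
// Every identifier below is an assumed placeholder, not a real value.
public static class OnPremKeyVaultAccess
{
    // Placeholders: the tenant and the app registration created in the portal.
    private const string TenantId = "<tenant-id>";
    private const string ClientId = "<app-registration-client-id>";
    private const string VaultUri = "https://<your-vault-name>.vault.azure.net/";

    // Preferred: certificate-based authentication. The public half of the
    // certificate is uploaded to the app registration; the private key never
    // leaves the VM.
    public static TokenCredential CertificateCredential(string pfxPath)
    {
        return new ClientCertificateCredential(TenantId, ClientId, pfxPath);
    }

    // Fallback: application secret. Read it from the environment (or a
    // protected config store) rather than hard-coding it in the app.
    public static TokenCredential SecretCredential()
    {
        string secret = Environment.GetEnvironmentVariable("APP_CLIENT_SECRET") // placeholder variable name
            ?? throw new InvalidOperationException("APP_CLIENT_SECRET is not set");
        return new ClientSecretCredential(TenantId, ClientId, secret);
    }

    // Optional: a single binary that works both on-prem and later on an Azure VM.
    // ManagedIdentityCredential raises CredentialUnavailableException where no
    // managed identity endpoint exists (an on-prem VM), and the chain then moves
    // on to the service principal certificate.
    public static TokenCredential PortableCredential(string pfxPath)
    {
        return new ChainedTokenCredential(
            new ManagedIdentityCredential(),
            new ClientCertificateCredential(TenantId, ClientId, pfxPath));
    }

    // Fetches one secret from the vault using whichever credential was chosen.
    public static async Task<string> ReadSecretAsync(TokenCredential credential, string secretName)
    {
        var client = new SecretClient(new Uri(VaultUri), credential);
        KeyVaultSecret secret = await client.GetSecretAsync(secretName);
        return secret.Value;
    }

    public static async Task Main()
    {
        // Certificate-based auth, as the answer recommends.
        TokenCredential credential = CertificateCredential("/etc/app/sp-cert.pfx"); // placeholder path
        string value = await ReadSecretAsync(credential, "db-connection-string");  // placeholder secret name
        Console.WriteLine($"Retrieved secret of length {value.Length}");
    }
}
```

Whichever credential type you pick, the service principal still has to be granted access on the vault itself (a Key Vault access policy or an RBAC role scoped to secrets); registering the app in Azure AD alone does not authorize it to read anything.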