{"id":56770,"date":"2025-11-05T09:17:34","date_gmt":"2025-11-04T23:17:34","guid":{"rendered":"https:\/\/www.cloudproinc.com.au\/?p=56770"},"modified":"2025-11-05T09:17:37","modified_gmt":"2025-11-04T23:17:37","slug":"securely-use-managed-identity-in-production-and-azure-cli-locally","status":"publish","type":"post","link":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/","title":{"rendered":"Securely use Managed Identity in Production and Azure CLI Locally"},"content":{"rendered":"\n<p>In this blog post, Securely use Managed Identity in Production and Azure CLI Locally, we will show a simple, safe way to authenticate apps in Azure without storing secrets, while keeping local development fast.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>The idea is straightforward. In production, your app uses Azure Managed Identity to get tokens automatically from Azure Active Directory (Entra ID). Locally, developers sign in with the Azure CLI, and the same code picks up those credentials. One code path. Two environments. No secrets.<\/p>\n\n\n\n<p>This pattern keeps operations secure and predictable, and it keeps developers unblocked. Let\u2019s walk through the why, the tech behind it, and concrete steps to implement it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-technology-behind-it\">The technology behind it<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-managed-identity\">Managed Identity<\/h3>\n\n\n\n<p>Managed Identity (MI) is a first-class identity for Azure resources. Azure hosts and rotates its credentials. Your code requests an access token for a resource (like Key Vault or Storage) and Azure returns it if the identity has the right role. There are two types:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>System-assigned: Tied to a single resource (VM, App Service, Function, Container App). 
Lifecycle follows the resource.<\/li>\n\n\n\n<li>User-assigned: A reusable identity you can attach to multiple resources. Good for multi-app scenarios or AKS with Workload Identity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-oauth-2-0-and-tokens\">OAuth 2.0 and tokens<\/h3>\n\n\n\n<p>Under the hood, Azure AD issues OAuth 2.0 access tokens for resource-specific scopes (for example, https:\/\/vault.azure.net\/.default for Key Vault). The Azure SDKs handle token acquisition and refresh.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-defaultazurecredential\">DefaultAzureCredential<\/h3>\n\n\n\n<p>The <a href=\"https:\/\/www.cloudproinc.com.au\/index.php\/category\/microsoft-azure\/\">Azure<\/a> SDKs offer <em>DefaultAzureCredential<\/em>, which tries multiple credential sources in order. In Azure, it finds Managed Identity. On a developer machine, it falls back to the Azure CLI (after checking environment variables and other developer tools). This lets the same code work everywhere.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-azure-cli-for-local-development\">Azure CLI for local development<\/h3>\n\n\n\n<p>Developers run <code>az login<\/code> to authenticate. The Azure SDK reads the CLI\u2019s cached token via the <em>AzureCliCredential<\/em> step inside <em>DefaultAzureCredential<\/em>. 
No secrets, no config files with passwords.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-architecture-at-a-glance\">Architecture at a glance<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Production: App with Managed Identity \u2192 Azure AD issues tokens \u2192 App calls Azure services (Key Vault, Storage, SQL, etc.).<\/li>\n\n\n\n<li>Local: Developer logs in with Azure CLI \u2192 Same code uses <em>DefaultAzureCredential<\/em> \u2192 App calls the same Azure services.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-production-setup-with-managed-identity\">Production setup with Managed Identity<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-choose-identity-type\">1) Choose identity type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Small, single app: system-assigned MI is simplest.<\/li>\n\n\n\n<li>Multiple apps or AKS: user-assigned MI gives you reuse and separation of duties.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-create-a-user-assigned-identity-optional\">2) Create a user-assigned identity (optional)<\/h3>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background has-link-color wp-elements-781347a1b01041d67574a88fe154d1e2\"><code>az identity create -g &lt;rg&gt; -n &lt;mi-name&gt; -l &lt;region&gt;\naz identity show -g &lt;rg&gt; -n &lt;mi-name&gt; --query \"{clientId:clientId, principalId:principalId, id:id}\"\n<\/code><\/pre>\n\n\n\n<p>Note the <code>clientId<\/code> (for code) and <code>principalId<\/code> (for role assignments).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-enable-managed-identity-on-your-compute\">3) Enable Managed Identity on your compute<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>App Service (system-assigned):<br><pre><code>az webapp identity assign -g &lt;rg> -n &lt;app-name><\/code><\/pre><br><\/li>\n\n\n\n<li>App Service (user-assigned):<br><pre><code>az webapp identity assign -g &lt;rg> -n &lt;app-name> --identities 
&lt;mi-resource-id><\/code><\/pre><br><\/li>\n\n\n\n<li>VM or VMSS:<br><pre><code>az vm identity assign -g &lt;rg> -n &lt;vm-name><\/code><\/pre><br><\/li>\n\n\n\n<li>Azure Container Apps:<br><pre><code>az containerapp identity assign -g &lt;rg> -n &lt;app-name> --system-assigned<\/code><\/pre><br><\/li>\n\n\n\n<li>AKS workloads: Use Azure AD Workload Identity with a user-assigned MI (recommended over deprecated AAD Pod Identity). Configure ServiceAccount, federated identity, and binding to the MI.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-assign-least-privilege-roles\">4) Assign least-privilege roles<\/h3>\n\n\n\n<p>Give the identity data-plane roles on the target resources. Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Key Vault: Key Vault Secrets User<\/li>\n\n\n\n<li>Storage (Blobs): Storage Blob Data Contributor<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background has-link-color wp-elements-4f9a3fca9507b6b4862ff4a04e0ec7bb\"><code># Scope to a specific resource for least privilege\naz role assignment create \\\n  --assignee-object-id &lt;principalId-of-mi&gt; \\\n  --assignee-principal-type ServicePrincipal \\\n  --role \"Key Vault Secrets User\" \\\n  --scope &lt;key-vault-resource-id&gt;\n\naz role assignment create \\\n  --assignee-object-id &lt;principalId-of-mi&gt; \\\n  --assignee-principal-type ServicePrincipal \\\n  --role \"Storage Blob Data Contributor\" \\\n  --scope &lt;storage-account-resource-id&gt;\n<\/code><\/pre>\n\n\n\n<p>Prefer RBAC over legacy Key Vault access policies for new deployments.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-local-development-with-azure-cli\">Local development with Azure CLI<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-sign-in-and-select-the-right-subscription\">1) Sign in and select the right subscription<\/h3>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color 
has-background has-link-color wp-elements-ec17ef420dc35b77d9db967a29c702a4\"><code>az login\naz account list --output table\naz account set --subscription &lt;subscription-id-or-name>\naz account show --output table<\/code><\/pre>\n\n\n\n<p>If you work across tenants, add <code>--tenant &lt;tenant-id&gt;<\/code> to <code>az login<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-run-the-app-with-defaultazurecredential\">2) Run the app with DefaultAzureCredential<\/h3>\n\n\n\n<p>DefaultAzureCredential will try Managed Identity in Azure. Locally, it will use your Azure CLI sign-in (unless you explicitly exclude it). That means the code below is the same in both places.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-code-examples-using-defaultazurecredential\">Code examples using DefaultAzureCredential<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-net-c-key-vault-secret-and-blob-listing\">.NET (C#) \u2014 Key Vault secret and Blob listing<\/h3>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background has-link-color wp-elements-e1ccbcb8d919551a52e3c6b88a09ae24\"><code>using Azure.Identity;\nusing Azure.Security.KeyVault.Secrets;\nusing Azure.Storage.Blobs;\n\nvar credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions {\n    \/\/ Good practice to disable CLI in production\n    ExcludeAzureCliCredential = Environment.GetEnvironmentVariable(\"ASPNETCORE_ENVIRONMENT\") == \"Production\"\n});\n\n\/\/ If using user-assigned MI, specify client ID (or set AZURE_CLIENT_ID)\n\/\/ var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions {\n\/\/     ManagedIdentityClientId = Environment.GetEnvironmentVariable(\"AZURE_CLIENT_ID\")\n\/\/ });\n\n\/\/ Key Vault\nvar kvUri = new Uri(Environment.GetEnvironmentVariable(\"KEY_VAULT_URI\"));\nvar secretClient = new SecretClient(kvUri, credential);\nvar secret = await 
secretClient.GetSecretAsync(\"app-connection-string\");\nConsole.WriteLine($\"Secret length: {secret.Value.Value.Length}\");\n\n\/\/ Storage\nvar blobServiceClient = new BlobServiceClient(new Uri(Environment.GetEnvironmentVariable(\"BLOB_ENDPOINT\")), credential);\nawait foreach (var container in blobServiceClient.GetBlobContainersAsync())\n{\n    Console.WriteLine(container.Name);\n}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-python-key-vault-secret\">Python \u2014 Key Vault secret<\/h3>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background has-link-color wp-elements-80d2d7949ca636a1e900d3061c66cda4\"><code>from azure.identity import DefaultAzureCredential\nfrom azure.keyvault.secrets import SecretClient\nimport os\n\nenv = os.getenv(\"ENVIRONMENT\", \"Dev\")\ncredential = DefaultAzureCredential(exclude_cli_credential=(env == \"Production\"))\n# For user-assigned MI: DefaultAzureCredential(managed_identity_client_id=os.getenv(\"AZURE_CLIENT_ID\"))\n\nkv_uri = os.getenv(\"KEY_VAULT_URI\")\nsecret_client = SecretClient(vault_url=kv_uri, credential=credential)\nsecret = secret_client.get_secret(\"app-connection-string\")\nprint(len(secret.value))\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-node-js-blob-listing\">Node.js \u2014 Blob listing<\/h3>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background has-link-color wp-elements-b8c073a52480d1186162cd02ff99fa8e\"><code>const { DefaultAzureCredential } = require(\"@azure\/identity\");\nconst { BlobServiceClient } = require(\"@azure\/storage-blob\");\n\nconst env = process.env.NODE_ENV || \"development\";\nconst credential = new DefaultAzureCredential({\n  excludeAzureCliCredential: env === \"production\",\n  \/\/ For user-assigned MI: managedIdentityClientId: process.env.AZURE_CLIENT_ID\n});\n\nconst blobEndpoint = process.env.BLOB_ENDPOINT; \/\/ e.g. 
https:\/\/&lt;account>.blob.core.windows.net\nconst client = new BlobServiceClient(blobEndpoint, credential);\n\n\/\/ CommonJS modules do not allow top-level await, so iterate inside an async function\nasync function main() {\n  for await (const c of client.listContainers()) {\n    console.log(c.name);\n  }\n}\n\nmain().catch((err) =&gt; {\n  console.error(err);\n  process.exitCode = 1;\n});<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-environment-specific-controls\">Environment-specific controls<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Force-disable CLI in prod: use the SDK options shown above (ExcludeAzureCliCredential\/exclude_cli_credential).<\/li>\n\n\n\n<li>User-assigned MI selection: set <code>AZURE_CLIENT_ID<\/code> or pass the client ID via SDK options.<\/li>\n\n\n\n<li>Configuration: store endpoints (Key Vault URI, Storage endpoint) in app settings or Azure App Configuration, not in code.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-step-by-step-checklist\">Step-by-step checklist<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Pick identity type (system-assigned or user-assigned).<\/li>\n\n\n\n<li>Enable MI on your compute.<\/li>\n\n\n\n<li>Assign least-privilege roles on each Azure resource your app needs.<\/li>\n\n\n\n<li>Use <code>DefaultAzureCredential<\/code> in code. No secrets, no connection strings.<\/li>\n\n\n\n<li>Locally: <code>az login<\/code>, set the right subscription, run the app.<\/li>\n\n\n\n<li>In production: optionally exclude CLI credential and pin user-assigned MI via client ID.<\/li>\n\n\n\n<li>Observe logs and verify access; adjust roles if you see 403s.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-common-pitfalls-and-how-to-fix-them\">Common pitfalls and how to fix them<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>403 Forbidden to a service: The MI lacks the data-plane role on that resource. Assign the correct role at the smallest scope.<\/li>\n\n\n\n<li>It works locally but fails in prod: You may be using your personal CLI permissions. 
Exclude CLI in prod and ensure the MI has roles.<\/li>\n\n\n\n<li>Multiple identities on one resource: Provide the user-assigned MI\u2019s client ID to the SDK so it knows which one to use.<\/li>\n\n\n\n<li>Key Vault using access policies: Prefer RBAC for new deployments to match how other services authorize.<\/li>\n\n\n\n<li>Wrong subscription: Check <code>az account show<\/code> and set the intended subscription before testing locally.<\/li>\n\n\n\n<li>AKS pods need identity: Use Azure AD Workload Identity with a user-assigned MI mapped to a Kubernetes ServiceAccount.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-security-and-operations-tips\">Security and operations tips<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Least privilege everywhere. Avoid broad roles like Contributor for app identities.<\/li>\n\n\n\n<li>Separate identities per app or boundary. This simplifies audits and incident response.<\/li>\n\n\n\n<li>Log token usage paths. The Azure SDKs can emit helpful telemetry and request IDs.<\/li>\n\n\n\n<li>Automate role assignments in IaC (Bicep\/Terraform) to keep environments consistent.<\/li>\n\n\n\n<li>Rotate nothing: one of the benefits of MI is Azure rotates credentials for you.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-putting-it-all-together\">Putting it all together<\/h2>\n\n\n\n<p>This pattern keeps production secure and local development smooth. In production, Managed Identity eliminates secrets and centralizes authorization in Azure AD. Locally, Azure CLI lets developers authenticate with their own accounts while reusing the same code path. The glue is <em>DefaultAzureCredential<\/em>.<\/p>\n\n\n\n<p>At CloudProinc.com.au we recommend adopting this approach as your default for new services. Start small: enable MI on one app, grant a single data-plane role, and switch the SDK to DefaultAzureCredential. 
You\u2019ll get immediate security wins with minimal code changes.<\/p>\n\n\n\n<ul class=\"wp-block-yoast-seo-related-links yoast-seo-related-links\">\n<li><a href=\"https:\/\/www.cloudproinc.com.au\/index.php\/2025\/08\/08\/use-azure-managed-identity-with-azure-automation-powershell\/\">Use Azure Managed Identity with Azure Automation PowerShell<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/cloudproinc.azurewebsites.net\/index.php\/2024\/09\/13\/effortless-web-app-deployment-with-azure-cli\/\">Effortless Web App Deployment with Azure CLI<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/cloudproinc.azurewebsites.net\/index.php\/2024\/08\/01\/automating-access-to-microsoft-graph-api-using-azure-pipelines\/\">Automating Access to Microsoft Graph API Using Azure Pipelines<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/cloudproinc.com.au\/index.php\/2024\/07\/25\/assigning-local-admins-to-windows-11-through-intune\/\">Assigning Local Admins to Windows 11 through Intune<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.cloudproinc.com.au\/index.php\/2025\/07\/08\/how-to-authenticate-to-azure-cli-with-a-service-principal\/\">How to Authenticate to Azure CLI with a Service Principal<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A clean pattern: Managed Identity in prod, Azure CLI for local dev. 
Practical steps, code, and gotchas to keep secrets out and developers productive.<\/p>\n","protected":false},"author":1,"featured_media":56771,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Securely use Managed Identity in Production and Azure CLI Locally","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"Learn how to securely use Managed Identity in Production and Azure CLI locally to authenticate apps without storing secrets.","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16,13],"tags":[],"class_list":["post-56770","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-azure","category-blog"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Securely use Managed Identity in Production and Azure CLI Locally - CPI Consulting<\/title>\n<meta name=\"description\" content=\"Learn how to securely use Managed Identity in Production and Azure CLI locally to authenticate apps without storing secrets.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securely use Managed Identity in Production and Azure CLI Locally\" \/>\n<meta property=\"og:description\" content=\"Learn how to securely use Managed Identity in 
Production and Azure CLI locally to authenticate apps without storing secrets.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/\" \/>\n<meta property=\"og:site_name\" content=\"CPI Consulting\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-04T23:17:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-04T23:17:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cloudproinc.com.au\/wp-content\/uploads\/2025\/11\/securely-use-managed-identity-in-production-and-azure-cli-locally.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"CPI Staff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"CPI Staff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/\"},\"author\":{\"name\":\"CPI Staff\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#\\\/schema\\\/person\\\/192eeeb0ce91062126ce3822ae88fe6e\"},\"headline\":\"Securely use Managed Identity in Production and Azure CLI Locally\",\"datePublished\":\"2025-11-04T23:17:34+00:00\",\"dateModified\":\"2025-11-04T23:17:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/\"},\"wordCount\":971,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/#primaryimage\"},\"thumbnailUrl\":\"\\\/wp-content\\\/uploads\\\/2025\\\/11\\\/securely-use-managed-identity-in-production-and-azure-cli-locally.png\",\"articleSection\":[\"Azure\",\"Blog\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/\",\"url\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\
\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/\",\"name\":\"Securely use Managed Identity in Production and Azure CLI Locally - CPI Consulting\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/#primaryimage\"},\"thumbnailUrl\":\"\\\/wp-content\\\/uploads\\\/2025\\\/11\\\/securely-use-managed-identity-in-production-and-azure-cli-locally.png\",\"datePublished\":\"2025-11-04T23:17:34+00:00\",\"dateModified\":\"2025-11-04T23:17:37+00:00\",\"description\":\"Learn how to securely use Managed Identity in Production and Azure CLI locally to authenticate apps without storing secrets.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/#primaryimage\",\"url\":\"\\\/wp-content\\\/uploads\\\/2025\\\/11\\\/securely-use-managed-identity-in-production-and-azure-cli-locally.png\",\"contentUrl\":\"\\\/wp-content\\\/uploads\\\/2025\\\/11\\\/securely-use-managed-identity-in-production-and-azure-cli-locally.png\",\"width\":1536,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.p
hp\\\/2025\\\/11\\\/05\\\/securely-use-managed-identity-in-production-and-azure-cli-locally\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.cloudproinc.com.au\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securely use Managed Identity in Production and Azure CLI Locally\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#website\",\"url\":\"https:\\\/\\\/cloudproinc.com.au\\\/\",\"name\":\"Cloud Pro Inc - CPI Consulting Pty Ltd\",\"description\":\"Cloud, AI &amp; Cybersecurity Consulting | Melbourne\",\"publisher\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cloudproinc.com.au\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#organization\",\"name\":\"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd\",\"url\":\"https:\\\/\\\/cloudproinc.com.au\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/favfinalfile.png\",\"contentUrl\":\"\\\/wp-content\\\/uploads\\\/2022\\\/01\\\/favfinalfile.png\",\"width\":500,\"height\":500,\"caption\":\"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd\"},\"image\":{\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cloudproinc.com.au\\\/#\\\/schema\\\/person\\\/192eeeb0ce91062126ce3822ae88fe6e\",\"name\":\"CPI 
Staff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g\",\"caption\":\"CPI Staff\"},\"sameAs\":[\"http:\\\/\\\/www.cloudproinc.com.au\"],\"url\":\"https:\\\/\\\/cloudproinc.com.au\\\/index.php\\\/author\\\/cpiadmin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Securely use Managed Identity in Production and Azure CLI Locally - CPI Consulting","description":"Learn how to securely use Managed Identity in Production and Azure CLI locally to authenticate apps without storing secrets.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/","og_locale":"en_US","og_type":"article","og_title":"Securely use Managed Identity in Production and Azure CLI Locally","og_description":"Learn how to securely use Managed Identity in Production and Azure CLI locally to authenticate apps without storing secrets.","og_url":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/","og_site_name":"CPI 
Consulting","article_published_time":"2025-11-04T23:17:34+00:00","article_modified_time":"2025-11-04T23:17:37+00:00","og_image":[{"width":1536,"height":1024,"url":"https:\/\/cloudproinc.com.au\/wp-content\/uploads\/2025\/11\/securely-use-managed-identity-in-production-and-azure-cli-locally.png","type":"image\/png"}],"author":"CPI Staff","twitter_card":"summary_large_image","twitter_misc":{"Written by":"CPI Staff","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/#article","isPartOf":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/"},"author":{"name":"CPI Staff","@id":"https:\/\/cloudproinc.com.au\/#\/schema\/person\/192eeeb0ce91062126ce3822ae88fe6e"},"headline":"Securely use Managed Identity in Production and Azure CLI Locally","datePublished":"2025-11-04T23:17:34+00:00","dateModified":"2025-11-04T23:17:37+00:00","mainEntityOfPage":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/"},"wordCount":971,"commentCount":0,"publisher":{"@id":"https:\/\/cloudproinc.com.au\/#organization"},"image":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/#primaryimage"},"thumbnailUrl":"\/wp-content\/uploads\/2025\/11\/securely-use-managed-identity-in-production-and-azure-cli-locally.png","articleSection":["Azure","Blog"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-produc
tion-and-azure-cli-locally\/","url":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/","name":"Securely use Managed Identity in Production and Azure CLI Locally - CPI Consulting","isPartOf":{"@id":"https:\/\/cloudproinc.com.au\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/#primaryimage"},"image":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/#primaryimage"},"thumbnailUrl":"\/wp-content\/uploads\/2025\/11\/securely-use-managed-identity-in-production-and-azure-cli-locally.png","datePublished":"2025-11-04T23:17:34+00:00","dateModified":"2025-11-04T23:17:37+00:00","description":"Learn how to securely use Managed Identity in Production and Azure CLI locally to authenticate apps without storing secrets.","breadcrumb":{"@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/#primaryimage","url":"\/wp-content\/uploads\/2025\/11\/securely-use-managed-identity-in-production-and-azure-cli-locally.png","contentUrl":"\/wp-content\/uploads\/2025\/11\/securely-use-managed-identity-in-production-and-azure-cli-locally.png","width":1536,"height":1024},{"@type":"BreadcrumbList","@id":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/05\/securely-use-managed-identity-in-production-and-azure-cli-locally\/#breadcrumb","itemListElement":[{"@type":"ListItem","positio
n":1,"name":"Home","item":"https:\/\/www.cloudproinc.com.au\/"},{"@type":"ListItem","position":2,"name":"Securely use Managed Identity in Production and Azure CLI Locally"}]},{"@type":"WebSite","@id":"https:\/\/cloudproinc.com.au\/#website","url":"https:\/\/cloudproinc.com.au\/","name":"Cloud Pro Inc - CPI Consulting Pty Ltd","description":"Cloud, AI &amp; Cybersecurity Consulting | Melbourne","publisher":{"@id":"https:\/\/cloudproinc.com.au\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cloudproinc.com.au\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cloudproinc.com.au\/#organization","name":"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd","url":"https:\/\/cloudproinc.com.au\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cloudproinc.com.au\/#\/schema\/logo\/image\/","url":"\/wp-content\/uploads\/2022\/01\/favfinalfile.png","contentUrl":"\/wp-content\/uploads\/2022\/01\/favfinalfile.png","width":500,"height":500,"caption":"Cloud Pro Inc - Cloud Pro Inc - CPI Consulting Pty Ltd"},"image":{"@id":"https:\/\/cloudproinc.com.au\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/cloudproinc.com.au\/#\/schema\/person\/192eeeb0ce91062126ce3822ae88fe6e","name":"CPI Staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2d96eeb53b791d92c8c50dd667e3beec92c93253bb6ff21c02cfa8ca73665c70?s=96&d=mm&r=g","caption":"CPI 
Staff"},"sameAs":["http:\/\/www.cloudproinc.com.au"],"url":"https:\/\/cloudproinc.com.au\/index.php\/author\/cpiadmin\/"}]}},"jetpack_featured_media_url":"\/wp-content\/uploads\/2025\/11\/securely-use-managed-identity-in-production-and-azure-cli-locally.png","jetpack-related-posts":[{"id":56780,"url":"https:\/\/cloudproinc.com.au\/index.php\/2025\/11\/10\/security-best-practices-for-azure-ai-services\/","url_meta":{"origin":56770,"position":0},"title":"Security Best Practices for Azure AI Services","author":"CPI Staff","date":"November 10, 2025","format":false,"excerpt":"Practical, step-by-step guidance to secure Azure AI services end to end\u2014identity, networks, data, prompts, and monitoring\u2014so your teams can innovate confidently without exposing your organisation.","rel":"","context":"In &quot;Azure AI Services&quot;","block_context":{"text":"Azure AI Services","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/azure-ai-services\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 1x, \/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 1.5x, \/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 2x, \/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 3x, \/wp-content\/uploads\/2025\/11\/security-best-practices-for-azure-ai-services-in-practice.png 4x"},"classes":[]},{"id":53585,"url":"https:\/\/cloudproinc.com.au\/index.php\/2025\/08\/08\/use-azure-managed-identity-with-azure-automation-powershell\/","url_meta":{"origin":56770,"position":1},"title":"Use Azure Managed Identity with Azure Automation PowerShell","author":"CPI Staff","date":"August 8, 2025","format":false,"excerpt":"When running scripts in Azure Automation, 
authentication is often the trickiest part. Your runbooks might need to connect to Azure services, Microsoft Graph, or other APIs \u2014 and that means handling credentials securely. In this guide, Use Azure Managed Identity with Azure Automation PowerShell, we\u2019ll focus specifically on User-assigned Managed\u2026","rel":"","context":"In &quot;Azure&quot;","block_context":{"text":"Azure","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/microsoft-azure\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2025\/08\/Use-Managed-Identity-Azure-Automation.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2025\/08\/Use-Managed-Identity-Azure-Automation.png 1x, \/wp-content\/uploads\/2025\/08\/Use-Managed-Identity-Azure-Automation.png 1.5x, \/wp-content\/uploads\/2025\/08\/Use-Managed-Identity-Azure-Automation.png 2x"},"classes":[]},{"id":53463,"url":"https:\/\/cloudproinc.com.au\/index.php\/2025\/07\/08\/how-to-authenticate-to-azure-cli-with-a-service-principal\/","url_meta":{"origin":56770,"position":2},"title":"How to Authenticate to Azure CLI with a Service Principal","author":"CPI Staff","date":"July 8, 2025","format":false,"excerpt":"In this blog post, we'll show you how to authenticate to Azure CLI with a Service Principal and login to Azure. Azure CLI is a command-line utility written in Python that allows users to manage Azure resources programmatically. 
It is widely used by DevOps engineers, developers, and IT professionals to\u2026","rel":"","context":"In &quot;Azure&quot;","block_context":{"text":"Azure","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/microsoft-azure\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2024\/10\/Creating-a-Text-to-Speech-Power-App-Using-OpenAI-Whisper.webp","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2024\/10\/Creating-a-Text-to-Speech-Power-App-Using-OpenAI-Whisper.webp 1x, \/wp-content\/uploads\/2024\/10\/Creating-a-Text-to-Speech-Power-App-Using-OpenAI-Whisper.webp 1.5x, \/wp-content\/uploads\/2024\/10\/Creating-a-Text-to-Speech-Power-App-Using-OpenAI-Whisper.webp 2x"},"classes":[]},{"id":492,"url":"https:\/\/cloudproinc.com.au\/index.php\/2024\/08\/01\/automating-access-to-microsoft-graph-api-using-azure-pipelines\/","url_meta":{"origin":56770,"position":3},"title":"Automating Access to Microsoft Graph API Using Azure Pipelines","author":"CPI Staff","date":"August 1, 2024","format":false,"excerpt":"This Azure DevOps pipelines article will show how we automate access to Microsoft Graph API using Azure DevOps pipelines. Azure pipelines is an Azure DevOps service that allows us to automate the deployment of applications, services and changes to cloud environments. 
Microsoft Graph API is the underlying API service that\u2026","rel":"","context":"In &quot;Azure devOps&quot;","block_context":{"text":"Azure devOps","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/azure-devops\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2024\/08\/Automating-Access-to-Microsoft-Graph-Using-Azure-DevOps-Pipelines.webp","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2024\/08\/Automating-Access-to-Microsoft-Graph-Using-Azure-DevOps-Pipelines.webp 1x, \/wp-content\/uploads\/2024\/08\/Automating-Access-to-Microsoft-Graph-Using-Azure-DevOps-Pipelines.webp 1.5x, \/wp-content\/uploads\/2024\/08\/Automating-Access-to-Microsoft-Graph-Using-Azure-DevOps-Pipelines.webp 2x, \/wp-content\/uploads\/2024\/08\/Automating-Access-to-Microsoft-Graph-Using-Azure-DevOps-Pipelines.webp 3x, \/wp-content\/uploads\/2024\/08\/Automating-Access-to-Microsoft-Graph-Using-Azure-DevOps-Pipelines.webp 4x"},"classes":[]},{"id":53786,"url":"https:\/\/cloudproinc.com.au\/index.php\/2025\/09\/08\/read-json-files-from-azure-app-configuration\/","url_meta":{"origin":56770,"position":4},"title":"Read JSON Files from Azure App Configuration","author":"CPI Staff","date":"September 8, 2025","format":false,"excerpt":"This post walks through the steps of reading JSON files from Azure App Configuration, complete with explanations and code samples. Modern cloud applications often rely on configuration management systems to centralize and secure application settings. 
Azure App Configuration is one such service that allows developers to store and manage configurations\u2026","rel":"","context":"In &quot;Azure&quot;","block_context":{"text":"Azure","link":"https:\/\/cloudproinc.com.au\/index.php\/category\/microsoft-azure\/"},"img":{"alt_text":"","src":"\/wp-content\/uploads\/2025\/09\/read-json-files-from-azure-app-configuration.png","width":350,"height":200,"srcset":"\/wp-content\/uploads\/2025\/09\/read-json-files-from-azure-app-configuration.png 1x, \/wp-content\/uploads\/2025\/09\/read-json-files-from-azure-app-configuration.png 1.5x, \/wp-content\/uploads\/2025\/09\/read-json-files-from-azure-app-configuration.png 2x, \/wp-content\/uploads\/2025\/09\/read-json-files-from-azure-app-configuration.png 3x, \/wp-content\/uploads\/2025\/09\/read-json-files-from-azure-app-configuration.png 4x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts\/56770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/comments?post=56770"}],"version-history":[{"count":2,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts\/56770\/revisions"}],"predecessor-version":[{"id":56777,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/posts\/56770\/revisions\/56777"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/media\/56771"}],"wp:attachment":[{"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/media?parent=56770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudproinc.com.au
\/index.php\/wp-json\/wp\/v2\/categories?post=56770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudproinc.com.au\/index.php\/wp-json\/wp\/v2\/tags?post=56770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}