Use Managed Identity for Azure AI services accounts

April 11, 2025

SYNOPSIS

Configure managed identities to access Azure resources.

DESCRIPTION

Azure AI services (previously known as Cognitive Services) must authenticate to Azure resources such as storage accounts. To authenticate to those resources without storing a credential, an Azure AI services account can use a managed identity.

Using Azure managed identities has the following benefits:

  • You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
  • You can use managed identities to authenticate to any Azure service that supports Entra ID (previously Azure AD) authentication.
  • Managed identities can be used without any additional cost.

RECOMMENDATION

Consider configuring a managed identity for each Azure AI services account.

EXAMPLES

Configure with Azure template

To deploy accounts that pass this rule:

  • Set the identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "S0"
  },
  "kind": "TextAnalytics",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {
      "defaultAction": "Deny"
    },
    "disableLocalAuth": true
  }
}

Configure with Bicep

To deploy accounts that pass this rule:

  • Set the identity.type to SystemAssigned or UserAssigned.
  • If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'S0'
  }
  kind: 'TextAnalytics'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
    }
    disableLocalAuth: true
  }
}
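The page only shows the SystemAssigned form. The following is an added example, not part of the original page or the PSRule project, showing the UserAssigned form together with the reason a managed identity is configured in the first place: a role assignment that lets the Language service read blobs from a storage account without any stored key. The parameter names, the identity name, the existing storage account and the use of the built-in Storage Blob Data Reader role are assumptions for illustration.

```bicep
// Added example: UserAssigned identity for an Azure AI services account,
// granted read-only access to one storage account. Parameter names, the
// identity name and the storage account are assumed for illustration.

param name string
param location string = resourceGroup().location
param identityName string = '${name}-id'

// Assumed: an existing storage account in the same resource group that the
// service needs to read from.
param storageAccountName string

// The identity the account will run as. Creating it as a separate resource
// lets the role assignment below exist before the account is first used.
resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: name
  location: location
  identity: {
    // UserAssigned requires the identity to be listed here; the key is the
    // identity's resource ID and the value is an empty object.
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${uai.id}': {}
    }
  }
  sku: {
    name: 'S0'
  }
  kind: 'TextAnalytics'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
    }
    // Keys are disabled, so callers of this account must also use Entra ID.
    disableLocalAuth: true
  }
}

// Built-in role 'Storage Blob Data Reader'. Least privilege: read-only, scoped
// to a single storage account rather than Contributor at a wider scope.
var storageBlobDataReaderRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
)

resource blobReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name so redeployments are idempotent.
  name: guid(storage.id, uai.id, storageBlobDataReaderRoleId)
  scope: storage
  properties: {
    principalId: uai.properties.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: storageBlobDataReaderRoleId
  }
}

output principalId string = uai.properties.principalId
```

If you use the SystemAssigned form from the page instead, the principal to grant is `language.identity.principalId`, and the role assignment must depend on the account rather than on a separate identity resource. Either way the rule passes on `identity.type`; the role assignment is what makes the identity useful, and keeping it scoped to the one resource the account actually reads is the part to review.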

Configure with Azure Policy

To address this issue at runtime, use the following policies:

NOTES

Configuration of additional Azure resources is not required for all Azure AI services. This rule will run for the following Azure AI services:

  • TextAnalytics - Language service.