Use Managed Identity for Azure AI services accounts
April 11, 2025
SYNOPSIS
Configure managed identities to access Azure resources.
DESCRIPTION
Azure AI services (previously known as Cognitive Services) must authenticate to Azure resources such as storage accounts. To authenticate to Azure resources, Azure AI can use managed identities.
Using Azure managed identities has the following benefits:
- You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
- You can use managed identities to authenticate to any Azure service that supports Entra ID (previously Azure AD) authentication.
- Managed identities can be used without any additional cost.
RECOMMENDATION
Consider configuring a managed identity for each Azure AI services account.
EXAMPLES
Configure with Azure template
To deploy accounts that pass this rule:
- Set identity.type to SystemAssigned or UserAssigned.
- If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.
For example:
{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "S0"
  },
  "kind": "TextAnalytics",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {
      "defaultAction": "Deny"
    },
    "disableLocalAuth": true
  }
}
Configure with Bicep
To deploy accounts that pass this rule:
- Set identity.type to SystemAssigned or UserAssigned.
- If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.
For example:
resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'S0'
  }
  kind: 'TextAnalytics'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
    }
    disableLocalAuth: true
  }
}
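The two conditions above (identity.type set to SystemAssigned or UserAssigned, and a UserAssigned identity actually referencing identity.userAssignedIdentities) can be checked before deployment. The following is an added example written for this page, not PSRule's own rule code; it walks the resources of an ARM template, applies both conditions to each Microsoft.CognitiveServices/accounts resource of kind TextAnalytics (the kind this rule runs for), and runs over a constructed sample template with passing and failing accounts. The identity resource ID in the sample is a placeholder.

```python
import json

# Rule logic as described on this page (added example, not PSRule's own code).
ACCOUNT_TYPE = "Microsoft.CognitiveServices/accounts"
RULE_KINDS = {"TextAnalytics"}          # kinds this rule runs for (see NOTES)
ALLOWED_TYPES = {"SystemAssigned", "UserAssigned"}

def check_account(resource):
    """Return a list of findings for one AI services account; empty list means pass."""
    findings = []
    identity = resource.get("identity") or {}
    # ARM also accepts the combined value "SystemAssigned, UserAssigned", so split on commas.
    types = {t.strip() for t in str(identity.get("type", "")).split(",") if t.strip()}
    if not types & ALLOWED_TYPES:
        findings.append("identity.type must be SystemAssigned or UserAssigned")
    if "UserAssigned" in types and not identity.get("userAssignedIdentities"):
        findings.append("UserAssigned identity must reference identity.userAssignedIdentities")
    return findings

def check_template(template_text):
    """Evaluate every in-scope AI services account in an ARM template: {name: findings}."""
    template = json.loads(template_text)
    results = {}
    for resource in template.get("resources", []):
        if resource.get("type") == ACCOUNT_TYPE and resource.get("kind") in RULE_KINDS:
            results[resource["name"]] = check_account(resource)
    return results

# Constructed sample template; the userAssignedIdentities key is a placeholder resource ID.
PLACEHOLDER_ID = ("/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/"
                  "Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>")
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": ACCOUNT_TYPE, "name": "lang-system", "kind": "TextAnalytics",
     "identity": {"type": "SystemAssigned"}},
    {"type": ACCOUNT_TYPE, "name": "lang-user", "kind": "TextAnalytics",
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {PLACEHOLDER_ID: {}}}},
    {"type": ACCOUNT_TYPE, "name": "lang-none", "kind": "TextAnalytics"},      # no identity
    {"type": ACCOUNT_TYPE, "name": "lang-empty", "kind": "TextAnalytics",      # empty reference
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {}}},
    {"type": ACCOUNT_TYPE, "name": "other-kind", "kind": "OpenAI"},            # out of scope
]})

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```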
Configure with Azure Policy
To address this issue at runtime, use the following policies:
- Cognitive Services accounts should use a managed identity
/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418.
NOTES
Configuration of additional Azure resources is not required for all Azure AI services. This rule will run for the following Azure AI services:
- TextAnalytics - Language service.