Data Factory managed identity

Security for Data Factory managed identity starts with knowing who can configure it, who can read its evidence, and which identities, secrets, network paths, or data stores it depends on. Focus on least-privilege RBAC, Key Vault permissions, user-assigned identity governance, credential review, conditional access considerations, and audit logging. Use least privilege, managed identities where appropriate, private or approved network paths, and diagnostic logging that is reviewed regularly. Document the owner, approval path, and exception process before production use. During incidents, prove whether access, policy, data, or network controls changed recently instead of relying on stale assumptions. Record the current owner, logging path, approval, and emergency exception process.

Cost for Data Factory managed identity is not only the direct service charge. Watch duplicated identities, overprovisioned roles, failed retries, support time, secret cleanup, and separate environments with unnecessary access scope. Small configuration choices can multiply across environments, schedules, regions, or repeated runs. Use budgets, tags, owner reports, and run history to separate valuable usage from avoidable waste. Before expanding scope, estimate volume, retention, test activity, and support effort. After rollout, compare expected cost with actual usage and capture remediation tasks for unused resources, noisy settings, or oversized paths. Review cleanup tasks and expected usage before approving wider rollout. Review cleanup tasks and expected usage before approving wider rollout.

Reliability for Data Factory managed identity means the workload still behaves predictably when dependencies fail, schemas change, policies update, or traffic spikes. Plan around identity lifecycle, role propagation delays, resource moves, linked service support, fallback access, and recovery when permissions are removed. Monitor both the Azure resource and the user-visible symptom, because the first warning may appear in logs, metrics, latency, missing data, or failed background work. Keep rollback steps and dependency owners visible in the runbook. Test permission loss, stale configuration, regional events, and partial deployment failures before production reliance. Record tested fallback steps and the first alert responders should trust.

Performance for Data Factory managed identity depends on how quickly the related workflow produces trustworthy results without overloading sources, agents, networks, or downstream services. Pay attention to token acquisition, role propagation, connector authentication latency, Key Vault lookup time, and retries caused by permission or firewall failures. Measure the user-visible or operator-visible outcome, not just whether the resource exists. For production changes, compare baseline and post-change latency, throughput, error rate, and queue behavior. Tune in small steps, because aggressive parallelism, broad filters, or oversized test data can create throttling and hide the real bottleneck. Retest after network, source, sink, or dependency changes are released.

Operations for Data Factory managed identity should be repeatable and easy for a second engineer to verify. The runbook should cover principal inventory, access reviews, role assignment evidence, connector tests, runbook escalation, and change records for permission updates. Keep naming, tags, dashboards, tickets, and infrastructure definitions aligned so support teams do not rely on memory. Use read-only CLI commands for routine evidence, and require review before mutating commands. After rollout, compare live state with approved design, check first signals, and record owner follow-up before closing the change. Keep before-and-after evidence linked to the ticket, dashboard, and owning team. Keep before-and-after evidence linked to the ticket, dashboard, and owning team.