A user-assigned managed identity is an Azure identity you create once and attach to workloads that need it. Unlike a system-assigned identity, it is not automatically deleted with one app, VM, or service. Teams use it when several resources should share the same permissions, or when an identity must survive blue-green deployments, slot swaps, rebuilds, and resource replacement. It removes stored passwords while keeping identity ownership explicit. That makes it a durable permission anchor for workloads.
UAMI, user managed identity, reusable managed identity
Difficulty
fundamentals
CLI mappings
5
Last verified
2026-05-28
Microsoft Learn
A user-assigned managed identity is a standalone Microsoft Entra identity resource that can be created independently and assigned to one or more Azure resources. It lets workloads authenticate to Azure services without storing credentials while keeping the identity lifecycle separate from any single compute resource.
In Azure architecture, a user-assigned managed identity is a Microsoft Entra service principal represented as an Azure resource. It has a resource ID, client ID, principal ID, tenant, and role assignments. Compute services such as VMs, App Service, Functions, AKS components, automation jobs, and data services can attach it when supported. Access is granted through Azure RBAC or service-specific permissions, while token acquisition happens from the workload environment without embedded secrets. It is governed through Azure Resource Manager.
Why it matters
User-assigned managed identities matter because production systems change faster than their permissions should. If an application is rebuilt, moved to a slot, or deployed in parallel, a system-assigned identity can force new role assignments and break access. A user-assigned identity provides a stable security principal that can be reused, audited, and transferred deliberately. It is also safer than client secrets because there is no password to rotate or leak. The tradeoff is governance: a shared identity must have clear ownership, narrow roles, and review cycles so it does not become a hidden superuser. This balance is why naming, tagging, and scope discipline matter.
⌁
Where you see it
Signals, screens, and Azure surfaces where this term usually becomes operational.
Signal 01
The managed identity resource page shows client ID, principal ID, tenant ID, Azure resource ID, tags, and activity history for the identity. used in automation outputs.
Signal 02
Workload identity settings in App Service, Functions, VM, or AKS configuration list the user-assigned identity attached to the resource. during deployment validation and incident checks.
Signal 03
Role assignment output shows the identity principal granted access to Key Vault, Storage, Container Registry, database, or subscription scopes during quarterly least-privilege access review evidence collection.
✦
When this becomes relevant
Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.
Keep the same workload identity through blue-green deployments, slot swaps, or VM replacement.
Grant several related services shared read access to a Key Vault without copying client secrets.
Separate production and nonproduction authorization by giving each environment its own managed identity.
Attach a tightly scoped identity to automation that needs to deploy or inspect resources at a fixed scope.
Replace expired service-principal secrets with identity-based access for Azure-hosted workloads.
◆
Real-world case studies
Different enterprise-style examples that show the term being used to hit measurable objectives.
Case study 01
SaaS vendor survives blue-green cutovers without access drift
SaaS vendor survives blue-green cutovers without access drift: A user-assigned managed identity keeps authorization stable while the compute layer changes underneath it.
📌Scenario
A SaaS vendor redeployed its API tier every week using blue-green App Service slots. Each replacement created confusion about which identity had Key Vault and Storage permissions.
🎯Business/Technical Objectives
Keep production access stable across slot swaps and rebuilds.
Remove client secrets from application settings within one quarter.
Reduce access-related deployment rollbacks by at least 60 percent.
Give auditors a single workload identity to review per environment.
✅Solution Using User-assigned managed identity
The platform team created one user-assigned managed identity for the production API and separate identities for staging and test. Infrastructure-as-code attached the correct identity to each App Service slot and assigned narrow roles to Key Vault secrets and a Storage account. Deployment outputs recorded resource ID, client ID, and principal ID so application settings and RBAC scripts used the right value. Operators used CLI role-assignment exports during change review and verified token-based access before each cutover. Old service-principal secrets were removed after two successful releases.
📈Results & Business Impact
Access-related rollbacks fell from five per quarter to one.
All API secrets were removed from App Service settings in nine weeks.
Audit evidence collection dropped from three days to six hours per environment.
Slot-swap validation time improved 35 percent because identity no longer changed during replacement.
💡Key Takeaway for Glossary Readers
A user-assigned managed identity keeps authorization stable while the compute layer changes underneath it.
Case study 02
Energy analytics platform controls shared data-lake writes
Energy analytics platform controls shared data-lake writes: Reusable managed identity works well when a shared capability needs stable access without shared secrets.
📌Scenario
An energy analytics team ran several batch services that wrote forecast files to a shared Data Lake Storage account. Developers had been copying service-principal secrets between pipelines.
🎯Business/Technical Objectives
Eliminate copied credentials from batch pipelines and runbooks.
Limit write access to one curated forecast container.
Track which workloads were allowed to use the shared writer identity.
Reduce failed nightly loads caused by expired secrets.
✅Solution Using User-assigned managed identity
The data platform team created a user-assigned managed identity named for the forecast writer capability rather than a single compute resource. Azure Batch tasks and Functions attached that identity where supported, while RBAC granted only the required Storage Blob Data Contributor role on the curated container scope. Pipeline variables referenced the identity client ID instead of storing secrets. Operators used CLI to list role assignments, verify attachment on each workload, and remove the old app registration after a burn-in period. Tags identified the data product owner and rotation-free access pattern.
📈Results & Business Impact
Expired-secret load failures dropped from six in two months to zero after migration.
The identity's role scope was narrowed from account level to one container.
Credential findings in pipeline scans fell 100 percent for the forecast workflow.
Nightly load support time decreased 42 percent because token failures were easier to diagnose.
💡Key Takeaway for Glossary Readers
Reusable managed identity works well when a shared capability needs stable access without shared secrets.
Case study 03
Construction firm limits automation blast radius
Construction firm limits automation blast radius: User-assigned managed identities let automation keep working while governance narrows exactly what it can change.
📌Scenario
A construction firm used automation scripts to create project resource groups for new job sites. The old automation identity had broad Contributor access across the subscription.
🎯Business/Technical Objectives
Separate provisioning automation from human administrator accounts.
Constrain project setup permissions to a controlled management group scope.
Produce clear evidence for quarterly access reviews.
Reduce accidental changes to unrelated production resources.
✅Solution Using User-assigned managed identity
The cloud governance team replaced the broad app registration with a user-assigned managed identity attached to an Azure Automation account. The identity received custom roles that allowed resource group creation, tagging, and policy assignment only under the approved project scope. CLI scripts captured the identity principal ID and exported role assignments before each quarterly review. Activity logs were filtered by that identity to investigate provisioning mistakes. The team also created a second identity for read-only inventory tasks so reporting jobs could not modify resources. They rehearsed removal in staging before applying production policy.
📈Results & Business Impact
Subscription-wide Contributor assignments for automation dropped from three to zero.
Accidental changes outside project scopes fell 83 percent over two quarters.
Quarterly access review preparation shrank from 14 hours to four hours.
New project environment setup stayed under 30 minutes despite tighter controls.
💡Key Takeaway for Glossary Readers
User-assigned managed identities let automation keep working while governance narrows exactly what it can change.
Why use Azure CLI for this?
Azure CLI is one of the best ways to manage user-assigned managed identities because identity work crosses resource, RBAC, and application boundaries. As an Azure engineer, I use CLI to create identities, capture client and principal IDs, attach them to workloads, assign roles at exact scopes, and export evidence for access reviews. The portal is fine for one-off checks, but CLI keeps deployments repeatable and makes drift visible. It also prevents confusion between resource ID, client ID, and object ID during troubleshooting. During incidents, CLI output quickly shows whether the identity exists, is attached, and has the role the application expects.
CLI use cases
Create a user-assigned managed identity and capture its resource ID, client ID, and principal ID for deployment outputs.
Assign a least-privilege role to the identity at a resource group, Key Vault, Storage account, or registry scope.
Attach the identity to an App Service, virtual machine, Function, or other supported Azure workload.
Inventory identities and role assignments to find unused, shared, or overprivileged workload identities.
Before you run CLI
Confirm tenant, subscription, resource group, identity name, target workload, and exact authorization scope before creating assignments.
Use an account that can manage both the identity resource and RBAC at the intended scope.
Decide whether the workload needs client ID, resource ID, or principal ID because each appears in different settings.
Check whether deleting or detaching the identity will break multiple resources that share it.
What output tells you
Client ID is commonly used by application configuration to request the correct user-assigned identity.
Principal ID is the object used in role assignments and access reviews.
Resource ID is used when attaching the identity to Azure resources through ARM, Bicep, or CLI.
Role assignment scope shows how broad the identity's permissions are and where blast radius begins.
Mapped Azure CLI commands
User-assigned managed identity Azure CLI commands
direct
az identity create --name <identity-name> --resource-group <resource-group>
az identitysecureIdentity
az identity show --name <identity-name> --resource-group <resource-group>
az identitydiscoverIdentity
az identity list --resource-group <resource-group> --output table
az identitydiscoverIdentity
az role assignment create --assignee <principal-id> --role <role-name> --scope <scope>
az role assignmentsecureIdentity
az role assignment list --assignee <principal-id> --all --output table
az role assignmentdiscoverIdentity
Architecture context
Architecturally, a user-assigned managed identity is a reusable workload identity, not a human account and not a secret. It should be designed around a specific application capability, such as reading Key Vault secrets, pulling from a registry, writing to Storage, or connecting to a database. The identity belongs in infrastructure-as-code with role assignments, naming standards, and ownership tags. It can support zero-secret deployment patterns and stable access during resource replacement. Good designs avoid one identity for everything, because that makes blast radius and audit findings painful. It is a security dependency that should be promoted, tested, and retired with the application architecture.
Security
Security impact is direct because the identity carries real permissions. User-assigned managed identities remove stored credentials, but they do not remove authorization risk. Assign least-privilege roles at the narrowest scope, separate identities by workload and environment, and review unused or overprivileged assignments. Protect who can attach the identity to resources; otherwise, another workload may inherit access it should not have. Monitor sign-in and resource-access patterns where available, and document emergency removal steps. Avoid using one broad identity across many unrelated services because compromise becomes harder to contain. Conditional access for humans does not protect an overbroad workload identity already attached to compute.
Cost
The identity resource itself is not usually a meaningful cost item, but it affects cost through the actions it authorizes. An overprivileged identity can create expensive resources, read large datasets, trigger automation, or allow workloads to keep running after ownership is unclear. Poor identity design also increases operational cost because access failures take longer to diagnose when one identity serves many applications. FinOps and platform teams should tag identities, link them to workloads, review role scopes, and remove unused identities with their role assignments during decommissioning. Tagging and ownership prevent identities from surviving long after the paid workload was retired completely.
Reliability
Reliability improves when access survives normal deployment changes. A user-assigned identity can remain stable while compute resources are recreated, scaled out, swapped, or replaced, which avoids outages caused by missing role assignments. Reliability still depends on correct attachment, supported service behavior, token acquisition, and downstream permissions. If an identity is deleted or a role assignment is removed, every attached workload can fail at once. Reliable designs treat identity changes like production changes, validate token retrieval after deployment, and maintain rollback instructions for role and attachment changes. Health checks should verify downstream access, not only that the compute resource started successfully after deployment.
Performance
Runtime performance is usually indirect. Managed identity token acquisition is designed to be lightweight, but applications can still create latency by requesting tokens too often, failing to cache them correctly, or retrying authorization failures as if they were transient network errors. A stable user-assigned identity can speed deployments because role assignments do not need to be recreated for every replacement resource. Operators should measure dependency latency separately from token acquisition and watch for throttling or misconfiguration in identity endpoints, SDK settings, and downstream service authorization. Centralized identity reuse can also reduce deployment delays when new instances join an existing permission model cleanly.
Operations
Operators inspect user-assigned managed identities by checking where they are attached, what roles they hold, when they were created, and whether they still have an owner. Common tasks include creating identities, assigning RBAC, attaching to workloads, validating token-based access, removing stale assignments, and responding to access failures. Documentation should capture client ID, principal ID, intended workloads, approved scopes, and break-glass contacts. During incidents, operators compare application errors with role assignment history and identity attachment state before rotating secrets that should no longer exist. They should reconcile Azure Resource Manager state with application configuration because both must reference the same identity correctly after each deployment.
Common mistakes
Confusing client ID, principal ID, and resource ID during attachment or role assignment automation.
Using one shared identity for many unrelated applications because it was convenient during the first rollout.
Granting subscription-wide Contributor when the workload only needs data-plane access to one resource.
Deleting the identity during cleanup without checking every workload and role assignment that depends on it.