az datafactory show --name <factory-name> --resource-group <resource-group>Data Factory managed identity
The Microsoft Entra identity assigned to a Data Factory so pipelines and linked services can access Azure resources without embedded passwords.
Source: Microsoft Learn - Azure Data Factory managed identity Reviewed 2026-05-13
- Exam trap
- Treating Data Factory managed identity as a generic concept instead of checking the exact resource, owner, identity, and dependency path.
- Production check
- Verify the active tenant, subscription, resource group, and resource name before interpreting any result.
Article details and learning context
- Aliases
- Data Factory managed identity, ADF managed identity, data factory managed identity
- Difficulty
- Intermediate
- CLI mappings
- 4
- Last verified
- 2026-05-13
Understand the concept
In plain English
Data Factory managed identity is the Microsoft Entra identity assigned to a Data Factory so pipelines and linked services can access Azure resources without embedded. It helps data engineers, platform teams, security reviewers, and operations teams build reliable cloud data workflows authenticate to supported services, Key Vault, storage, databases, and management APIs with Azure-controlled identity lifecycle. In practice, teams use it to answer which permissions the identity has and whether the pipeline should use system-assigned or user-assigned identity for. Operators should tie the term to one subscription, resource owner, environment, evidence source, and rollback path before changing production. That keeps.
Why it matters
Data Factory managed identity matters because secretless access, reduced credential rotation burden, least-privilege design, audit evidence, and safer automation for data movement become real production responsibilities, not abstract design notes. If teams misunderstand it, they may approve the wrong access, miss a dependency, collect weak evidence, or create avoidable outages. It influences security controls, reliability planning, support ownership, cost review, and change approval. For regulated or high-visibility workloads, overbroad identity permissions can let a pipeline read or write data beyond its approved business scope. A strong definition gives architects, operators, auditors, and application owners a shared operating language that can be tested against live Azure configuration, logs, and business objectives.
Official wording and source
The Microsoft Entra identity assigned to a Data Factory so pipelines and linked services can access Azure resources without embedded passwords. Microsoft Learn places it in Azure Data Factory managed identity; operators confirm scope, configuration, dependencies, and production impact. Use the linked source for exact Azure behavior.
Technical context
Technically, Data Factory managed identity sits in factory identity settings, linked service authentication, credentials, Key Vault references, role assignments, and Microsoft Entra applications. It is configured through system-assigned identity, user-assigned identity associations, credential objects, RBAC assignments, access policies, and linked service auth modes and validated by checking principal IDs, role assignments, access denied errors, linked service tests, Key Vault audit logs, and activity. It connects to Data Factory, Microsoft Entra ID, managed identities, Key Vault, Storage, SQL, Synapse, linked services, and. For production reviews, compare portal state, CLI output, deployment JSON, logs, and runbook notes. Treat it as live configuration.
Exam context
Compare with
Where it is used
Where you see it
- In the Azure portal, Data Factory managed identity appears around factory Identity blade, linked service authentication options, Key Vault access views, IAM role assignments, credential screens, and pipeline errors. Operators use this signal to confirm.
- In infrastructure or source control, Data Factory managed identity shows up in ARM identity blocks, Bicep userAssignedIdentities, Terraform identity settings, role assignment resources, linked service JSON, and Key Vault references. Reviewers compare those files with.
- In monitoring and support evidence, Data Factory managed identity appears through access denied errors, Key Vault audit logs, role assignment changes, failed connection tests, activity run failures, and recent identity updates. These signals help teams.
- During incident review, Data Factory managed identity is visible when teams trace a failed run, blocked dependency, changed identity, or unexpected configuration back to a named owner.
Common situations
- Design a production workload where Data Factory managed identity must be configured, reviewed, and monitored before customer traffic or regulated data is involved.
- Create audit evidence that shows the owner, resource scope, access path, and live Azure state for Data Factory managed identity.
- Troubleshoot incidents where Data Factory managed identity may affect access, dependency behavior, latency, cost, data freshness, or policy compliance.
- Compare portal, CLI, infrastructure-as-code, and monitoring evidence so teams do not approve changes from stale assumptions.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Data Factory managed identity in action for banking Scenario, objectives, solution, measured impact, and takeaway.
Coho Bank, a banking organization, needed to remove SQL passwords from linked services used in fraud reporting. The platform team used Data Factory managed identity to grant the factory identity least-privilege database access.
- Remove embedded credentials from data workflows
- Reduce privileged access findings by thirty percent
- Preserve audit evidence for access reviews
- Keep data movement approvals traceable
Architects designed the solution around Data Factory managed identity by using it to grant the factory identity least-privilege database access. They connected the design to Data Factory, Microsoft Entra ID, managed identities, Key Vault, Storage, SQL, Synapse, linked services, and Azure RBAC so data engineers, security reviewers, operators, and business owners worked from the same evidence. The team documented the owner, Azure scope, identities, network path, monitoring signals, cost assumptions, and rollback step before production release. Engineers captured CLI output, portal configuration, deployment references, and baseline metrics, then compared first-week telemetry with the expected business result. Any mutating change required an approved ticket and a named operator so support teams could reproduce the behavior during an incident.
- Incident triage time fell by thirty-two percent because owners could follow one evidence path.
- Failed or delayed production runs dropped by twenty-eight percent during the first quarter after rollout.
- Audit reviewers accepted the captured configuration, access, and monitoring evidence without extra manual sampling.
- Engineering effort for repeat fixes fell by thirty-five percent because the design was documented and reusable.
Data Factory managed identity is valuable when teams connect the glossary concept to live Azure configuration, measurable outcomes, and accountable operations.
Scenario 02 Data Factory managed identity in action for healthcare Scenario, objectives, solution, measured impact, and takeaway.
Litware Health, a healthcare organization, needed to secure Key Vault-backed connector secrets for clinical data pipelines. The platform team used Data Factory managed identity to use managed identity for vault access.
- Protect regulated data during pipeline execution
- Reduce failed clinical or operational loads by thirty percent
- Preserve evidence for compliance review
- Keep support response within agreed service levels
Architects designed the solution around Data Factory managed identity by using it to use managed identity for vault access. They connected the design to Data Factory, Microsoft Entra ID, managed identities, Key Vault, Storage, SQL, Synapse, linked services, and Azure RBAC so data engineers, security reviewers, operators, and business owners worked from the same evidence. The team documented the owner, Azure scope, identities, network path, monitoring signals, cost assumptions, and rollback step before production release. Engineers captured CLI output, portal configuration, deployment references, and baseline metrics, then compared first-week telemetry with the expected business result. Any mutating change required an approved ticket and a named operator so support teams could reproduce the behavior during an incident.
- Incident triage time fell by thirty-two percent because owners could follow one evidence path.
- Failed or delayed production runs dropped by twenty-eight percent during the first quarter after rollout.
- Audit reviewers accepted the captured configuration, access, and monitoring evidence without extra manual sampling.
- Engineering effort for repeat fixes fell by thirty-five percent because the design was documented and reusable.
Data Factory managed identity is valuable when teams connect the glossary concept to live Azure configuration, measurable outcomes, and accountable operations.
Scenario 03 Data Factory managed identity in action for manufacturing Scenario, objectives, solution, measured impact, and takeaway.
Alpine Manufacturing, a manufacturing organization, needed to standardize access for test and production factories without sharing credentials. The platform team used Data Factory managed identity to assign environment-specific user-assigned identities.
- Stabilize plant or supplier data movement
- Reduce manual recovery work by thirty percent
- Protect sensitive design or production data
- Improve failure detection before shift handoff
Architects designed the solution around Data Factory managed identity by using it to assign environment-specific user-assigned identities. They connected the design to Data Factory, Microsoft Entra ID, managed identities, Key Vault, Storage, SQL, Synapse, linked services, and Azure RBAC so data engineers, security reviewers, operators, and business owners worked from the same evidence. The team documented the owner, Azure scope, identities, network path, monitoring signals, cost assumptions, and rollback step before production release. Engineers captured CLI output, portal configuration, deployment references, and baseline metrics, then compared first-week telemetry with the expected business result. Any mutating change required an approved ticket and a named operator so support teams could reproduce the behavior during an incident.
- Incident triage time fell by thirty-two percent because owners could follow one evidence path.
- Failed or delayed production runs dropped by twenty-eight percent during the first quarter after rollout.
- Audit reviewers accepted the captured configuration, access, and monitoring evidence without extra manual sampling.
- Engineering effort for repeat fixes fell by thirty-five percent because the design was documented and reusable.
Data Factory managed identity is valuable when teams connect the glossary concept to live Azure configuration, measurable outcomes, and accountable operations.
Azure CLI
Use Azure CLI for Data Factory managed identity when you need repeatable evidence from live Azure resources instead of a one-off portal screenshot. Start with read-only checks, compare output with source-controlled intent, and attach the result to the change, incident, or audit record.
Useful for
- Confirm the active subscription, resource group, owner, and current configuration before approving a change involving Data Factory managed identity.
- Export read-only evidence for audits, incidents, migrations, or architecture reviews where Data Factory managed identity affects production behavior.
- Compare CLI output with infrastructure templates and monitoring dashboards to find drift, missing dependencies, or unsafe assumptions.
Before you run a command
- Confirm the tenant, subscription, resource group, region, and exact resource names before trusting command output.
- Prefer read-only commands first; require change approval before commands that create, update, start, stop, rerun, or delete resources.
- Check RBAC, extension requirements, production freeze windows, and whether output may expose identifiers, endpoints, secrets, or sensitive metadata.
What the output tells you
- It shows whether Data Factory managed identity exists in the expected scope and whether live Azure state matches the documented design.
- It exposes identities, endpoints, component names, run history, policy settings, dependency references, or output values not obvious from application code.
- It gives reviewers evidence they can attach to tickets, dashboards, audit notes, deployment records, and post-incident timelines.
Mapped commands
Data Factory managed identity operational checks
directaz datafactory show --name <factory-name> --resource-group <resource-group> --query identityaz role assignment list --assignee <principal-id> --all --output tableaz keyvault show --name <key-vault-name> --resource-group <resource-group>Architecture context
Architecture reviews for Data Factory managed identity should connect the term to resource scope, identity, networking, monitoring, cost ownership, and rollback evidence.
- Security
- Security for Data Factory managed identity starts with knowing who can configure it, who can read its evidence, and which identities, secrets, network paths, or data stores it depends on. Focus on least-privilege RBAC, Key Vault permissions, user-assigned identity governance, credential review, conditional access considerations, and audit logging. Use least privilege, managed identities where appropriate, private or approved network paths, and diagnostic logging that is reviewed regularly. Document the owner, approval path, and exception process before production use. During incidents, prove whether access, policy, data, or network controls changed recently instead of relying on stale assumptions. Record the current owner, logging path, approval, and emergency exception process.
- Cost
- Cost for Data Factory managed identity is not only the direct service charge. Watch duplicated identities, overprovisioned roles, failed retries, support time, secret cleanup, and separate environments with unnecessary access scope. Small configuration choices can multiply across environments, schedules, regions, or repeated runs. Use budgets, tags, owner reports, and run history to separate valuable usage from avoidable waste. Before expanding scope, estimate volume, retention, test activity, and support effort. After rollout, compare expected cost with actual usage and capture remediation tasks for unused resources, noisy settings, or oversized paths. Review cleanup tasks and expected usage before approving wider rollout. Review cleanup tasks and expected usage before approving wider rollout.
- Reliability
- Reliability for Data Factory managed identity means the workload still behaves predictably when dependencies fail, schemas change, policies update, or traffic spikes. Plan around identity lifecycle, role propagation delays, resource moves, linked service support, fallback access, and recovery when permissions are removed. Monitor both the Azure resource and the user-visible symptom, because the first warning may appear in logs, metrics, latency, missing data, or failed background work. Keep rollback steps and dependency owners visible in the runbook. Test permission loss, stale configuration, regional events, and partial deployment failures before production reliance. Record tested fallback steps and the first alert responders should trust.
- Performance
- Performance for Data Factory managed identity depends on how quickly the related workflow produces trustworthy results without overloading sources, agents, networks, or downstream services. Pay attention to token acquisition, role propagation, connector authentication latency, Key Vault lookup time, and retries caused by permission or firewall failures. Measure the user-visible or operator-visible outcome, not just whether the resource exists. For production changes, compare baseline and post-change latency, throughput, error rate, and queue behavior. Tune in small steps, because aggressive parallelism, broad filters, or oversized test data can create throttling and hide the real bottleneck. Retest after network, source, sink, or dependency changes are released.
- Operations
- Operations for Data Factory managed identity should be repeatable and easy for a second engineer to verify. The runbook should cover principal inventory, access reviews, role assignment evidence, connector tests, runbook escalation, and change records for permission updates. Keep naming, tags, dashboards, tickets, and infrastructure definitions aligned so support teams do not rely on memory. Use read-only CLI commands for routine evidence, and require review before mutating commands. After rollout, compare live state with approved design, check first signals, and record owner follow-up before closing the change. Keep before-and-after evidence linked to the ticket, dashboard, and owning team. Keep before-and-after evidence linked to the ticket, dashboard, and owning team.
Common mistakes
- Treating Data Factory managed identity as a generic concept instead of checking the exact resource, owner, identity, and dependency path.
- Running a mutating command in the wrong subscription or resource group because the active CLI context was not verified.
- Assuming the portal, IaC template, CLI output, and monitoring dashboard all represent the same current state without comparing them.