[!INCLUDE deprecation-note]

This article applies to: ✔️ Basic/Standard ✔️ Enterprise

This article shows you how to enable and disable system-assigned managed identities for an application in Azure Spring Apps, using the Azure portal and CLI.

Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.

If you're unfamiliar with managed identities for Azure resources, see What are managed identities for Azure resources?

::: zone pivot="sc-enterprise"

• An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan.
• Azure CLI version 2.45.0 or higher.
• [!INCLUDE install-app-user-identity-extension]

::: zone-end

::: zone pivot="sc-standard"

• An already provisioned Azure Spring Apps instance. For more information, see Quickstart: Deploy your first application to Azure Spring Apps.
• Azure CLI version 2.45.0 or higher.
• [!INCLUDE install-app-user-identity-extension]

::: zone-end

Creating an app with a system-assigned identity requires setting another property on the application.

To set up a managed identity in the portal, first create an app, and then enable the feature.

1. Create an app in the portal as you normally would. Navigate to it in the portal.
2. Scroll down to the Settings group in the left navigation pane.
3. Select Identity.
4. Within the System assigned tab, switch Status to On. Select Save.

You can enable system-assigned managed identity during app creation or on an existing app.

The following example creates an app named app_name with a system-assigned managed identity, as requested by the --assign-identity parameter.

az spring app create \
    --resource-group <resource-group-name> \
    --name <app-name> \
    --service <service-instance-name> \
    --system-assigned

Use az spring app identity assign command to enable the system-assigned identity on an existing app.

az spring app identity assign \
    --resource-group <resource-group-name> \
    --name <app-name> \
    --service <service-instance-name> \
    --system-assigned

An app can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.

You might need to configure the target resource to enable access from your application. For more information, see Assign a managed identity access to an Azure resource or another resource. For example, if you request a token to access Key Vault, make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see Azure services that can use managed identities to access other services.

Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machine. We recommend using Java SDK or spring boot starters to acquire a token. For various code and script examples and guidance on important topics such as handling token expiration and HTTP errors, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.

Removing a system-assigned identity also deletes it from Microsoft Entra ID. Deleting the app resource automatically removes system-assigned identities from Microsoft Entra ID.

Use the following steps to remove system-assigned managed identity from an app that no longer needs it:

1. Sign in to the portal using an account associated with the Azure subscription that contains the Azure Spring Apps instance.
2. Navigate to the desired application and select Identity.
3. Under System assigned/Status, select Off and then select Save:

To remove system-assigned managed identity from an app that no longer needs it, use the following command:

az spring app identity remove \
    --resource-group <resource-group-name> \
    --name <app-name> \
    --service <service-instance-name> \
    --system-assigned

Use the following command to get the client ID from the object/principal ID value:

az ad sp show --id <object-ID> --query appId

• What are managed identities for Azure resources?
• How to use managed identities with Java SDK