🔹 Feature: Managed Identity on Azure Arc-enabled Servers
🔹 What It Does: Hybrid and on-prem servers connected via Azure Arc can now obtain a system-assigned managed identity from Microsoft Entra ID and use it to authenticate to Azure resources such as Key Vault, Storage, or any ARM API. No client secrets baked into config files. No manual service account rotations. Just a token on demand via the local IMDS endpoint. 🚀
What It Gives You:
✅ Zero Stored Credentials: Workloads on your on-prem or multicloud servers authenticate to Azure without storing passwords, certificates, or service principal secrets locally. Microsoft Entra ID issues short-lived tokens via the local IMDS endpoint, just as it does for Azure VMs.
✅ Same Pattern as Azure VMs: The IMDS_ENDPOINT (http://localhost:40342) and IDENTITY_ENDPOINT environment variables are populated automatically. Code that already uses managed identities on Azure VMs works on Arc-enabled servers with zero changes.
✅ Hardened Token Acquisition: Token requests use a challenge-response flow: the endpoint points the caller at a secret file that only higher-privileged users or groups (Admins / himds) can read, and a token is issued only to a request that presents that file's contents. Random processes can't just grab tokens.
✅ Direct Key Vault Integration: Pull TLS certificates, API keys, and connection strings into IIS, NGINX, or any app without baking secrets into deployment scripts. Key Vault handles rotation for your entire fleet.
🔗 https://learn.microsoft.com/en-us/azure/azure-arc/servers/managed-identity-authentication
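The two-step flow described under Hardened Token Acquisition, as an added Python example that is not part of the original post or of Microsoft's agent or SDK. It assumes the documented endpoint http://localhost:40342/metadata/identity/oauth2/token and api-version 2020-06-01; the key-file path is taken from the server's 401 challenge rather than hardcoded, and send/read_key are injectable so the flow can be exercised offline with stand-ins.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumed from the linked docs (the agent also exports IDENTITY_ENDPOINT).
IDENTITY_ENDPOINT = "http://localhost:40342/metadata/identity/oauth2/token"
API_VERSION = "2020-06-01"

def parse_challenge(www_authenticate):
    """Extract the key-file path from the 'Basic realm=<path>' 401 challenge."""
    m = re.match(r"\s*Basic\s+realm=(.+)$", www_authenticate)
    if not m:
        raise ValueError(f"unexpected challenge header: {www_authenticate!r}")
    return m.group(1).strip().strip('"')

def build_request(resource, key=None):
    """Both requests carry Metadata: true; the second adds the key-file contents."""
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    headers = {"Metadata": "true"}  # the endpoint rejects requests without this header
    if key is not None:
        headers["Authorization"] = f"Basic {key}"
    return urllib.request.Request(f"{IDENTITY_ENDPOINT}?{query}", headers=headers)

def _header(headers, name):
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")

def _http_send(req):
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read().decode()

def _read_key_file(path):
    # Readable only by root/himds (Linux) or Administrators (Windows): a
    # PermissionError here is the privilege gate described in the post.
    with open(path, encoding="utf-8") as f:
        return f.read().strip()

def acquire_token(resource, send=_http_send, read_key=_read_key_file):
    """Run the challenge-response flow; returns the access token string."""
    status, headers, _ = send(build_request(resource))   # 1st request: no key
    if status != 401:
        raise RuntimeError(f"expected 401 challenge, got HTTP {status}")
    key = read_key(parse_challenge(_header(headers, "Www-Authenticate")))
    status, _, body = send(build_request(resource, key))  # 2nd request: with key
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(body)["access_token"]
```

On a real Arc-enabled server, call acquire_token("https://vault.azure.net") from an elevated shell; an unprivileged process fails at the key-file read, which is the behaviour the post describes.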