Azure Managed Identities allow resources to authenticate to other Azure services without the need to store and manage credentials. Azure Managed Identities should be used whenever possible.
Two categories of Azure resources require a Managed Identity:
Orchestrator resources — such as Web Apps, Function Apps, AKS clusters, API Management services, and Azure Data Factory — make outbound calls to other Azure services at runtime. Without a Managed Identity, these resources must rely on stored credentials (passwords, connection strings, or access keys) embedded in configuration, creating opportunities for exposure through misconfigurations, code leaks, or inadequate secret management.
Conditionally flagged resources, such as SQL Server instances configured with Azure AD authentication, or storage accounts and Cognitive Services accounts configured with customer-managed key encryption, require a Managed Identity because the configured feature itself must authenticate to the Azure platform (for example, to wrap and unwrap the encryption key held in Key Vault). Without an identity block, the configured feature cannot function and the resource is left with weaker, platform-default protection such as password-based authentication or platform-managed keys.
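The second category is easiest to see with a complete configuration. The following is an added example, not code from the original page: a storage account encrypted with a customer-managed key held in Key Vault. The account needs a user-assigned identity holding the `Key Vault Crypto Service Encryption User` role to wrap and unwrap the key, so omitting the identity block breaks the feature rather than quietly weakening it. The resource names, the region, and the azurerm 3.x attribute names are assumptions.

```hcl
# Added example (not from the original page). Assumes the azurerm 3.x provider
# and a deploying principal allowed to create role assignments.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-rg"   # assumed name
  location = "West Europe"  # assumed region
}

# The identity the storage account will use to reach Key Vault.
# It is user-assigned so it can exist (and be granted access) before the
# account is created; a system-assigned identity only exists after creation.
resource "azurerm_user_assigned_identity" "cmk" {
  name                = "storage-cmk-identity"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_key_vault" "example" {
  name                       = "examplecmkvault" # assumed, must be globally unique
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  enable_rbac_authorization  = true
  # Storage CMK refuses a vault that can be purged: losing the key loses the data.
  purge_protection_enabled   = true
  soft_delete_retention_days = 90
}

# The principal running Terraform needs rights to create the key itself.
resource "azurerm_role_assignment" "deployer_kv_admin" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "cmk" {
  name         = "storage-cmk"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [azurerm_role_assignment.deployer_kv_admin]
}

# Least privilege: the storage identity only gets the wrap/unwrap role, scoped to this vault.
resource "azurerm_role_assignment" "storage_cmk_user" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_user_assigned_identity.cmk.principal_id
}

resource "azurerm_storage_account" "example" {
  name                     = "examplecmkstorage" # assumed, must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Remove this block and customer_managed_key below cannot authenticate to Key Vault.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.cmk.id]
  }

  customer_managed_key {
    key_vault_key_id          = azurerm_key_vault_key.cmk.id
    user_assigned_identity_id = azurerm_user_assigned_identity.cmk.id
  }

  # The role must be in place before Azure tries to wrap the key at creation time.
  depends_on = [azurerm_role_assignment.storage_cmk_user]
}
```

No key material or vault credential appears in the configuration or in Terraform state: the storage service obtains a token for the user-assigned identity from the platform and presents it to Key Vault on every wrap and unwrap.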
If credentials used to authenticate Azure resources are exposed, for example through a repository leak, a misconfigured environment, or a compromised deployment pipeline, an attacker can use them to access sensitive Azure services and data. Managed Identity tokens are short-lived, are issued only to the resource itself at runtime, and never appear in configuration files or Terraform state, whereas leaked static credentials remain valid until someone notices and rotates them, giving attackers an extended window of access.
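To make the contrast concrete, here is an added example (not from the original page) of the orchestrator case: a Linux Web App first wired to a storage account through its connection string in app settings, then rewritten to use a system-assigned identity plus an RBAC role assignment so that no secret exists to leak. The storage account is looked up with a data source; its name, the resource group, the service plan and the role chosen are assumptions.

```hcl
# Added example (not from the original page). Assumes the azurerm 3.x provider,
# a pre-existing resource group "example-rg" and storage account "exampledata".
data "azurerm_storage_account" "data" {
  name                = "exampledata" # assumed
  resource_group_name = "example-rg"  # assumed
}

resource "azurerm_service_plan" "example" {
  name                = "example-plan"
  location            = "West Europe" # assumed region
  resource_group_name = "example-rg"
  os_type             = "Linux"
  sku_name            = "B1"
}

# Noncompliant: no identity block, so the app has to carry the account key.
# The connection string is written into Terraform state, the plan output and
# the app's configuration view; anyone who reads any of them owns the account.
resource "azurerm_linux_web_app" "noncompliant" {
  name                = "example-app-keys"
  location            = azurerm_service_plan.example.location
  resource_group_name = "example-rg"
  service_plan_id     = azurerm_service_plan.example.id
  site_config {}

  app_settings = {
    "STORAGE_CONNECTION_STRING" = data.azurerm_storage_account.data.primary_connection_string
  }
}

# Compliant: the app authenticates as itself. Only the public endpoint is
# configured; the token is fetched from the platform at runtime and expires.
resource "azurerm_linux_web_app" "compliant" {
  name                = "example-app-identity"
  location            = azurerm_service_plan.example.location
  resource_group_name = "example-rg"
  service_plan_id     = azurerm_service_plan.example.id
  site_config {}

  identity {
    type = "SystemAssigned"
  }

  app_settings = {
    "STORAGE_ACCOUNT_URL" = data.azurerm_storage_account.data.primary_blob_endpoint
  }
}

# Least privilege: a data-plane role only, scoped to this one storage account,
# granted to the principal Azure created for the app (known after apply).
resource "azurerm_role_assignment" "app_blob_reader" {
  scope                = data.azurerm_storage_account.data.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_linux_web_app.compliant.identity[0].principal_id
}
```

In the compliant variant the application code obtains a token through the Azure SDK's managed identity credential and presents it to the blob endpoint; rotating the identity's underlying credential is handled by the platform, and removing the role assignment revokes access immediately, which no amount of secret scanning can do for a key that has already leaked.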
This resource type makes outbound calls to Azure services at runtime. Without a Managed Identity, it must rely on stored credentials instead of Azure’s secure token-based authentication.
# Noncompliant: the identity block is missing
resource "azurerm_api_management" "example" {
  name                = "example"
  location            = "West Europe"
  resource_group_name = "example-rg"
  publisher_name      = "company"
  publisher_email     = "company@example.com"
  sku_name            = "Developer_1"
}

# Compliant: the service gets a system-assigned identity it can use to call other Azure services
resource "azurerm_api_management" "example" {
  name                = "example"
  location            = "West Europe"
  resource_group_name = "example-rg"
  publisher_name      = "company"
  publisher_email     = "company@example.com"
  sku_name            = "Developer_1"

  identity {
    type = "SystemAssigned"
  }
}