Managed Identity Isolation to Restrict Access from a VM

Ayoub Ennajah 20 Reputation points
2025-05-22T13:06:49.7366667+00:00

Hello

We are using a system-assigned managed identity attached to a virtual machine to access a storage account. However, any user with local access to the VM can leverage this managed identity to interact with the storage account by querying the Instance Metadata Service (IMDS).

Key Issue:

Is there an official Azure-recommended method to restrict the use of the managed identity to a specific workload (e.g., a system service or application) on the VM, preventing local users from exploiting it?


Accepted answer
    Stanislav Zhelyazkov 28,986 Reputation points MVP Volunteer Moderator
    2025-05-22T13:13:16.9166667+00:00

    Hi,

    No such option is available. The only restrictions are:

    • Restrict the permissions of the identity to those that are needed for the task.
    • Restrict the access to the VM.
    • One final option that might be close to what you want to achieve is to restrict access to IMDS to certain processes via firewall rules, but anyone with admin access on the machine will still be able to overcome that by disabling the firewall rules.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

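The firewall option from the accepted answer, shown as an added example that is not part of the thread: on a Linux VM, iptables owner matching can limit outbound traffic to the IMDS address to a single service account, so only the workload running as that account can request managed identity tokens. It assumes iptables with the `owner` match module and a dedicated account, here the hypothetical name `storage-svc`, under which the workload runs; the rule-printing function is kept separate from the apply step so the rules can be reviewed first.

```shell
#!/bin/sh
# Added example, not the thread's own code. Restrict the Azure IMDS endpoint
# (169.254.169.254, TCP port 80) to one Linux service account using the
# iptables "owner" match. Account name "storage-svc" is hypothetical.
IMDS_IP=169.254.169.254

# Print the rule commands for the given service user without executing them.
# Order matters: the ACCEPT for the service account must come before the DROP.
imds_rules() {
  svc_user="$1"
  cat <<EOF
iptables -N IMDS-GUARD
iptables -A IMDS-GUARD -m owner --uid-owner ${svc_user} -j ACCEPT
iptables -A IMDS-GUARD -j DROP
iptables -I OUTPUT -d ${IMDS_IP} -p tcp --dport 80 -j IMDS-GUARD
EOF
}

# Apply the rules (run as root). Caveat from the accepted answer still holds:
# a local administrator can flush or disable these rules at will.
imds_apply() {
  imds_rules "$1" | sh
}

# Probe the token endpoint from the calling account; prints the HTTP status
# (000 when the connection is blocked by the rule above). Run it once as the
# service account and once as another local user to confirm the difference.
imds_probe() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 3 -H 'Metadata: true' \
    "http://${IMDS_IP}/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/"
}
```

Pair the rules with the first two bullets of the answer (least-privilege RBAC on the identity and tight control of who can log on to the VM), since the firewall only raises the bar for non-admin local users.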
