I followed the instructions in this tutorial (option #1 auto-configure): https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-windows-desktop

The generated WPF desktop app works fine and I am able to get it to authenticate to my Azure AD account.

Does this mean that the desktop app is using Azure Managed Identity?

If not, what else do I have to do to accomplish this?

My ultimate goal is to be able to modify the desktop application and access secrets in Azure Key Vault, without having to hardcode credentials or use environment variables.

Maybe, if the desktop application will run on a VM hosted in Azure. Otherwise, if you do not want to hardcode environment variables, you can use something like TokenCredential. The idea is that your WPF application will redirect the user interactively to the browser; after entering the credentials, the WPF app will receive a token for accessing some Azure service. The same technique is used by Azure CLI on Windows. - Igor

1 Answer

Does this mean that the desktop app is using Azure Managed Identity?

No, it does not mean that. The desktop app from this doc just uses an AAD app for you to log in; nothing related to managed identity (MSI).

If not, what else do I have to do to accomplish this?

If you want to use MSI to access secrets in Azure Key Vault, you need to run your code in Azure services that support MSI, e.g. Azure App Service, Azure VM, etc. MSI is not available anywhere else.

For the code, just use the Azure Key Vault secret client library for .NET. It uses DefaultAzureCredential to auth, which will try several auth methods automatically; one of them is ManagedIdentityCredential, i.e. MSI.

var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential());

Also, you should note that when you use MSI to access an Azure Key Vault secret, it is a non-interactive method and no user will be asked to log in (i.e. no user is involved), because MSI is essentially a service principal in AAD. When using it to auth, it just makes an API call to the Azure instance metadata endpoint to get the token, then uses the token to auth.
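As an added example (not the answer's code), the console program below makes the two paths explicit: on an Azure host it pins to ManagedIdentityCredential, and on a desktop it falls back to the same interactive browser sign-in the WPF sample uses. Pinning the credential, rather than relying on DefaultAzureCredential's chain, means a developer's Azure CLI or Visual Studio login can never be picked up silently in production. The vault URL, secret name and the `--managed-identity` switch are placeholders of this sample.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

class Program
{
    static async Task Main(string[] args)
    {
        // Placeholders: replace with your vault and secret name.
        var vaultUri = new Uri("https://<your-vault-name>.vault.azure.net/");
        const string secretName = "<your-secret-name>";

        // Choose the credential explicitly for where the process runs.
        // Azure App Service / VM: ManagedIdentityCredential talks to the instance
        // metadata endpoint; no user, no stored secret, no env vars.
        // Developer desktop: InteractiveBrowserCredential signs the user in,
        // so the user's own Key Vault permissions apply.
        bool useManagedIdentity = args.Length > 0 && args[0] == "--managed-identity";
        TokenCredential credential = useManagedIdentity
            ? new ManagedIdentityCredential()
            : new InteractiveBrowserCredential();

        var client = new SecretClient(vaultUri, credential);
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName);
            // Log metadata only; never write the secret value itself to output.
            Console.WriteLine(
                $"Retrieved '{secret.Name}' (version {secret.Properties.Version}), " +
                $"{secret.Value.Length} characters");
        }
        catch (CredentialUnavailableException ex)
        {
            // Thrown by ManagedIdentityCredential when no managed identity endpoint
            // exists, i.e. the code is running outside Azure (such as on a desktop).
            Console.Error.WriteLine($"No usable credential here: {ex.Message}");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The identity authenticated but has no access policy / RBAC role
            // granting secret read on this vault.
            Console.Error.WriteLine($"Access denied to vault: {ex.ErrorCode}");
        }
    }
}
```

Run with `--managed-identity` on the Azure host after assigning the identity a secrets read permission on the vault; without the switch a browser sign-in prompt appears, as in the WPF sample.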