Passwordless Architecture with Managed Identities

Eliminate credential management entirely using Managed Identities — understand the difference between System-Assigned and User-Assigned, and implement credential-free access to Azure services.

# Passwordless Architecture with Managed Identities

*This article is Part 3, Chapter 3.2 of the **AZ-204 Exam Refresher** series. We cover one of the exam's highest-value security topics: Managed Identities — the mechanism that lets Azure resources authenticate to other Azure services without any credentials in your code.*

---

## Introduction

Here's a scenario you've probably seen: a developer hard-codes a connection string in a config file, checks it into source control, and suddenly the company's database credentials are on GitHub. Security nightmare.

**Managed Identities** eliminate this problem entirely. Instead of giving your App Service a username and password to connect to a database or storage account, you give it an *identity* — a service principal that Azure manages automatically. No secrets, no rotation, no accidental leaks.

The exam loves this topic because it's the "right answer" to nearly every "how do you securely connect service A to service B" question.

---

## Core Concepts

### System-Assigned vs User-Assigned

There are two flavors of Managed Identity:

| Type | Lifecycle | Shared Across Resources | Best For |
|---|---|---|---|
| **System-Assigned** | Tied to the resource — deleted with it | ❌ One resource only | Single-purpose services |
| **User-Assigned** | Independent resource — exists on its own | ✅ Multiple resources | Shared identity, microservices |

**System-Assigned** is like a building access badge that's printed with your name — it only
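As an added example (not code from the article or from the Azure SDK), here is how a process running inside App Service obtains a token for its Managed Identity using only the Python standard library; it assumes the platform-injected `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` variables and shows that omitting `client_id` selects the System-Assigned identity while passing one selects a specific User-Assigned identity from the table above.

```python
"""Token acquisition for a Managed Identity on Azure App Service, stdlib only.

Assumptions (not from the article): App Service injects IDENTITY_ENDPOINT and
IDENTITY_HEADER into the process, and the endpoint takes api-version 2019-08-01
plus an X-IDENTITY-HEADER header. Endpoint/header values below are constructed.
"""
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Optional

API_VERSION = "2019-08-01"
# Constructed sample reply from the identity endpoint (not a real token).
SAMPLE_RESPONSE = '{"access_token": "eyJ.constructed", "expires_on": "2000", "token_type": "Bearer"}'


def build_token_request(resource: str, client_id: Optional[str] = None,
                        endpoint: Optional[str] = None, header: Optional[str] = None):
    """Return (url, headers) for the platform-local identity endpoint.

    No client_id selects the System-Assigned identity; passing one selects a
    specific User-Assigned identity (required when several are attached).
    """
    endpoint = endpoint or os.environ["IDENTITY_ENDPOINT"]
    header = header or os.environ["IDENTITY_HEADER"]
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    # The header value is injected by the platform per process; nothing here
    # lives in app settings or source control.
    return f"{endpoint}?{urllib.parse.urlencode(params)}", {"X-IDENTITY-HEADER": header}


def parse_token_response(body: str, now: Optional[float] = None) -> str:
    """Validate the endpoint's JSON reply and return the bearer token."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if int(data["expires_on"]) <= (now if now is not None else time.time()):
        raise ValueError("token already expired; request a fresh one")
    return data["access_token"]


def get_token(resource: str, client_id: Optional[str] = None) -> str:
    """Fetch a token inside App Service; callers never see a client secret."""
    url, headers = build_token_request(resource, client_id)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=5) as resp:
        return parse_token_response(resp.read().decode())
```

In production code the `DefaultAzureCredential` class from the `azure-identity` (Python) or `Azure.Identity` (.NET) library performs this same exchange for you, so you pass a credential object to the storage or database client instead of a connection string.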