- Use Managed Identities
Ensure that your Azure Machine Learning compute instances are using managed identities instead of local authentication to significantly enhance security by eliminating the need to manage or store credentials in code, as the identity is automatically managed by Microsoft Entra ID for secure access to other Azure resources.
Using system-assigned and/or user-assigned managed identities for Machine Learning compute instances enhances security by allowing Azure Machine Learning to authenticate and authorize with other Azure cloud services and resources without the need for explicit credentials. This reduces the risk associated with credential management, allows granular control over access permissions, and provides a seamless and more secure integration with other Microsoft Azure components.
Audit
To determine if your Azure Machine Learning compute instances are configured to use system-assigned and/or user-assigned managed identities, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Machine Learning workspace for Value, then choose Apply to list the Azure Machine Learning workspaces available in the selected subscription.
05 Click on the name (link) of the Machine Learning workspace that you want to examine.
06 In the resource navigation panel, select Overview, and choose Launch studio to open the Azure Machine Learning Studio.
07 In the left navigation panel, under Manage, choose Compute, and select the Compute instances tab to list the compute instances provisioned for the selected Azure Machine Learning workspace.
08 Click on the name (link) of the compute instance that you want to examine.
09 Select the Details tab and check the Managed identity section to determine if the selected resource is using managed identities. If no System assigned identity or User assigned identity is listed in the Managed identity section and the message No managed identities is displayed instead, the selected Azure Machine Learning compute instance is not configured to use system-assigned and/or user-assigned managed identities.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run ml workspace list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Machine Learning workspace available in the current subscription:
az ml workspace list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested Azure Machine Learning workspace identifiers:
Name                        ResourceGroup
------------------------    ------------------------------
cc-ml-project5-workspace    cloud-shell-storage-westeurope
cc-ml-production-workspace  cloud-shell-storage-westeurope
06 Run ml compute list command (Windows/macOS/Linux) with custom output filters to list the name of each compute instance provisioned for the selected Azure Machine Learning workspace:
az ml compute list --resource-group cloud-shell-storage-westeurope --workspace-name cc-ml-project5-workspace --output table --query "[].{Name:name}"
07 The command output should return the requested compute instance identifiers (names):
Name
----------------------
project5-ml-instance01
project5-ml-instance02
project5-ml-instance03
08 Run ml compute show command (Windows/macOS/Linux) with the name of the Azure Machine Learning compute instance that you want to examine as the identifier parameter, to determine the type of the managed identity (i.e., system-assigned and/or user-assigned) configured for the selected compute instance:
az ml compute show --name project5-ml-instance01 --workspace-name cc-ml-project5-workspace --resource-group cloud-shell-storage-westeurope --query '{"IdentityType":identity.type}'
09 The command output should return the identity type used by the selected resource:
{ "IdentityType": "none" }
If the ml compute show command output returns null or "none" for the "IdentityType" attribute, as shown in the example above, the selected Azure Machine Learning compute instance is not using a system-assigned and/or user-assigned managed identity to authenticate to other Azure cloud services.
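The audit steps above check one compute instance at a time. The following script is an added example (it is not part of the original page or of the Azure CLI documentation) that applies the same check across every workspace and compute instance in the active subscription, mapping the identity.type value to a verdict. It assumes the Azure CLI with the ml extension, an existing az login session, and that az account set has already selected the subscription; the type=='computeinstance' filter assumes the type field shown in the az ml compute show output is also present in az ml compute list output.

```shell
#!/bin/sh
# Added audit script (not part of the original page): walk every Azure Machine
# Learning workspace in the active subscription and flag compute instances whose
# identity.type is null or "none". Assumes the Azure CLI with the 'ml' extension,
# an existing 'az login' session, and 'az account set' already run.

# Map the identity.type value printed by 'az ml compute show -o tsv' to a verdict.
# A missing identity prints as an empty string (JSON null) or "none"; any value
# containing "assigned" (system_assigned, user_assigned, or both) is compliant.
identity_verdict() {
    case "$1" in
        ""|none) echo "NON_COMPLIANT" ;;
        *assigned*) echo "COMPLIANT" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Emit one tab-separated line per compute instance:
# workspace, instance, identity type, verdict.
# The type=='computeinstance' filter skips clusters (assumption: the 'type' field
# seen in 'az ml compute show' output is also present in the list output).
audit_subscription() {
    tab=$(printf '\t')
    az ml workspace list --query "[].[name, resourceGroup]" -o tsv |
    while IFS="$tab" read -r ws rg; do
        az ml compute list --workspace-name "$ws" --resource-group "$rg" \
            --query "[?type=='computeinstance'].name" -o tsv |
        while IFS= read -r ci; do
            itype=$(az ml compute show --name "$ci" --workspace-name "$ws" \
                --resource-group "$rg" --query identity.type -o tsv)
            printf '%s\t%s\t%s\t%s\n' "$ws" "$ci" "${itype:-null}" \
                "$(identity_verdict "$itype")"
        done
    done
}

# Run the audit only when invoked with --run, so the functions can be sourced
# (or tested) without calling Azure.
if [ "${1:-}" = "--run" ]; then
    audit_subscription
fi
```

Run it as sh audit-ml-identities.sh --run and filter the output for NON_COMPLIANT to get the list of instances that still rely on local authentication; instances reporting UNKNOWN carry an identity.type value the script does not recognize and should be inspected by hand.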
Remediation / Resolution
To ensure that your Azure Machine Learning compute instances are configured to use managed identities, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to Managed Identities blade available at https://portal.azure.com/#browse/Microsoft.ManagedIdentity%2FuserAssignedIdentities.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 Choose Create and perform the following actions to create a new user-assigned managed identity for your Azure resource:
- For Basics, choose the correct subscription and resource group, provide a unique name for the new managed identity, then select the Azure region where your Machine Learning compute instance is deployed. Choose Next to continue the setup process.
- For Tags, use the Name and Value fields to create tags that will help organize the identity. Choose Review + create to validate the identity setup.
- For Review + create, review the resource configuration details, then choose Create to create your new user-assigned managed identity.
05 Once the new managed identity is available, choose Go to resource, select Access control (IAM) from the identity navigation panel, choose Add, select Add role assignment, and perform the following actions to grant least privilege access:
- For Role, select the Job function roles tab, and choose the appropriate, non-privileged role that you want to attach. Choose Next to continue the assignment process.
- For Members, select Managed identity next to Assign access to, choose Select members next to Members, and select the new user-assigned managed identity created in step no. 4. Choose Next to continue.
- For Review + assign, review the role assignment information, then choose Review + assign to complete the assignment process.
06 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
07 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
08 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Machine Learning workspace for Value, then choose Apply to list the Azure Machine Learning workspaces available in the selected subscription.
09 Click on the name (link) of the Machine Learning workspace that you want to configure.
10 In the resource navigation panel, select Overview, and choose Launch studio to open the Azure Machine Learning Studio.
11 In the left navigation panel, under Manage, choose Compute, and select the Compute instances tab to list the compute instances provisioned for the selected Azure Machine Learning workspace.
12 Click on the name (link) of the compute instance that you want to configure.
13 Select the Details tab, click on the Edit button (pencil icon) available in the Managed identity section, and perform one of the following actions to enable the system-assigned or user-assigned managed identity for the selected Machine Learning compute instance:
- Switch on the Assign a managed identity button and select System assigned for Identity type. Choose Update to apply the changes. Configuring a managed identity will perform a restart on the compute instance. The selected instance is now registered with Microsoft Entra ID, eliminating the need to store credentials in your code. Once the feature is enabled, all necessary permissions can be granted via Azure RBAC.
- Switch on the Assign a managed identity button, select User-assigned for Identity type, choose the appropriate Azure subscription from the Subscription dropdown list, and select the name of the user-assigned managed identity created earlier in the Remediation process. Choose Update to apply the changes. Updating a managed identity will perform a restart on the compute instance.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to configure as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run ml workspace list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Machine Learning workspace available in the current subscription:
az ml workspace list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested Azure Machine Learning workspace identifiers:
Name                        ResourceGroup
------------------------    ------------------------------
tm-ml-project5-workspace    cloud-shell-storage-westeurope
tm-ml-production-workspace  cloud-shell-storage-westeurope
06 Run ml compute update command (Windows/macOS/Linux) with the name of the Azure Machine Learning compute instance that you want to configure as the identifier parameter, to enable the system-assigned managed identity for the selected compute instance:
az ml compute update --name project5-ml-instance01 --workspace-name cc-ml-project5-workspace --resource-group cloud-shell-storage-westeurope --identity-type SystemAssigned
07 Once the assignment process is completed, the command output should return the information available for the updated compute instance:
{
  "created_on": "2025-10-02T12:30:43.855643+0000",
  "enable_node_public_ip": false,
  "enable_os_patching": false,
  "enable_root_access": true,
  "enable_sso": true,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/cc-ml-project5-workspace/computes/project5-ml-instance01",
  "identity": {
    "principal_id": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "tenant_id": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "type": "system_assigned"
  },
  "last_operation": {
    "operation_name": "Create",
    "operation_status": "Succeeded",
    "operation_time": "2025-10-02T12:30:51.837Z",
    "operation_trigger": "User"
  },
  "location": "westeurope",
  "name": "project5-ml-instance01",
  "network_settings": {
    "private_ip_address": "10.0.0.4"
  },
  "os_image_metadata": {
    "current_image_version": "25.07.12",
    "is_latest_os_image_version": true,
    "latest_image_version": "25.07.12"
  },
  "provisioning_state": "Succeeded",
  "release_quota_on_stop": false,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "services": [
    {
      "display_name": "Jupyter",
      "endpoint_uri": "https://project5-ml-instance01.westeurope.instances.azureml.ms/tree/"
    },
    {
      "display_name": "Jupyter Lab",
      "endpoint_uri": "https://project5-ml-instance01.westeurope.instances.azureml.ms/lab"
    }
  ],
  "size": "Standard_DS3_v2",
  "ssh_public_access_enabled": false,
  "ssh_settings": {
    "admin_username": "azureuser",
    "ssh_port": "50000"
  },
  "state": "Running",
  "type": "computeinstance"
}
08 Run identity create command (Windows/macOS/Linux) to create a new user-assigned managed identity for your Azure Machine Learning compute instance:
az identity create --name cc-project5-ml-user-identity --resource-group cloud-shell-storage-westeurope --location westeurope
09 The command output should return the information available for the new user-assigned managed identity:
{
  "clientId": "1234abcd-1234-abcd-1234-1234abcd1234",
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-ml-user-identity",
  "location": "westeurope",
  "name": "cc-project5-ml-user-identity",
  "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "systemData": null,
  "tags": {},
  "tenantId": "1234abcd-1234-abcd-1234-1234abcd1234",
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
10 Run role assignment create command (Windows/macOS/Linux) to add a new role assignment that follows the Principle of Least Privilege (POLP) to your new user-assigned managed identity. Use the --role parameter to specify the name of the non-privileged role that you want to assign. Use the --assignee parameter to specify the ID of the principal for your new user-assigned managed identity (i.e., the "principalId" value):
az role assignment create --assignee "abcd1234-abcd-1234-abcd-1234abcd1234" --role Reader --scope "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234"
11 Once the assignment process is completed, the command output should return the information available for the new role assignment:
{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2025-07-30T12:33:24.315860+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-1234abcd1234",
  "name": "1234abcd-1234-abcd-1234-1234abcd1234",
  "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "principalType": "ServicePrincipal",
  "roleDefinitionId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
  "scope": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "updatedOn": "2025-07-29T12:00:00.629870+00:00"
}
12 Run ml compute update command (Windows/macOS/Linux) to associate the new user-assigned managed identity with your Azure Machine Learning compute instance:
az ml compute update --name project5-ml-instance01 --workspace-name cc-ml-project5-workspace --resource-group cloud-shell-storage-westeurope --identity-type UserAssigned --user-assigned-identities "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-ml-user-identity"
13 The command output should return the information available for the updated compute instance:
{
  "created_on": "2025-10-02T12:30:43.855643+0000",
  "enable_node_public_ip": false,
  "enable_os_patching": false,
  "enable_root_access": true,
  "enable_sso": true,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/cc-ml-project5-workspace/computes/project5-ml-instance01",
  "identity": {
    "type": "user_assigned",
    "user_assigned_identities": [
      {
        "client_id": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
        "principal_id": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "resource_id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-ml-user-identity"
      }
    ]
  },
  "last_operation": {
    "operation_name": "Create",
    "operation_status": "Succeeded",
    "operation_time": "2025-10-02T12:30:51.837Z",
    "operation_trigger": "User"
  },
  "location": "westeurope",
  "name": "project5-ml-instance01",
  "network_settings": {
    "private_ip_address": "10.0.0.4"
  },
  "os_image_metadata": {
    "current_image_version": "25.07.12",
    "is_latest_os_image_version": true,
    "latest_image_version": "25.07.12"
  },
  "provisioning_state": "Succeeded",
  "release_quota_on_stop": false,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "services": [
    {
      "display_name": "Jupyter",
      "endpoint_uri": "https://project5-ml-instance01.westeurope.instances.azureml.ms/tree/"
    },
    {
      "display_name": "Jupyter Lab",
      "endpoint_uri": "https://project5-ml-instance01.westeurope.instances.azureml.ms/lab"
    }
  ],
  "size": "Standard_DS3_v2",
  "ssh_public_access_enabled": false,
  "ssh_settings": {
    "admin_username": "azureuser",
    "ssh_port": "50000"
  },
  "state": "Running",
  "type": "computeinstance"
}
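Steps 08 to 13 create the identity, grant it a non-privileged role, and bind it to the compute instance. The script below is an added example (not from the original page or the Azure CLI documentation) that verifies the end state of that procedure: it confirms the compute instance reports the expected user-assigned identity in identity.user_assigned_identities and that the identity's principal holds no privileged role. It reuses the page's sample resource names, assumes the Azure CLI with the ml extension and an active session, and the list of roles treated as privileged is a hypothetical starting point to be adjusted to your own policy.

```shell
#!/bin/sh
# Added verification script (not part of the original page): after remediation,
# confirm the compute instance is bound to the intended user-assigned identity and
# that the identity holds only non-privileged roles. Resource names are the page's
# sample values; the Azure CLI with the 'ml' extension and an active session are assumed.

WORKSPACE="cc-ml-project5-workspace"
RESOURCE_GROUP="cloud-shell-storage-westeurope"
COMPUTE="project5-ml-instance01"
IDENTITY="cc-project5-ml-user-identity"

# Roles that grant broad write or permission-management rights. A compute instance
# identity should not hold these (hypothetical list; extend to match your policy).
is_privileged_role() {
    case "$1" in
        Owner|Contributor|"User Access Administrator"|"Role Based Access Control Administrator") return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the identity resource id reported on the compute with the expected one.
# ARM resource ids are case-insensitive (the page's own outputs mix
# 'resourcegroups' and 'resourceGroups'), so both sides are lower-cased first.
identity_bound() {   # $1 = expected identity id, $2 = id reported by the compute
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Succeed only when a newline-separated role list (as printed by
# 'az role assignment list -o tsv') contains no privileged role.
no_privileged_roles() {
    found=$(printf '%s\n' "$1" | while IFS= read -r role; do
        [ -n "$role" ] && is_privileged_role "$role" && printf '%s\n' "$role" || :
    done)
    [ -z "$found" ]
}

# Pull the live values from Azure and apply both checks.
verify_compute() {
    expected_id=$(az identity show --name "$IDENTITY" --resource-group "$RESOURCE_GROUP" \
        --query id -o tsv)
    principal_id=$(az identity show --name "$IDENTITY" --resource-group "$RESOURCE_GROUP" \
        --query principalId -o tsv)
    bound_id=$(az ml compute show --name "$COMPUTE" --workspace-name "$WORKSPACE" \
        --resource-group "$RESOURCE_GROUP" \
        --query "identity.user_assigned_identities[0].resource_id" -o tsv)
    roles=$(az role assignment list --assignee "$principal_id" --all \
        --query "[].roleDefinitionName" -o tsv)
    if identity_bound "$expected_id" "$bound_id" && no_privileged_roles "$roles"; then
        echo "OK: $COMPUTE uses $IDENTITY with non-privileged roles only"
    else
        echo "CHECK: bound identity='$bound_id' roles='$(printf '%s' "$roles" | tr '\n' ',')'"
        return 1
    fi
}

# Only call Azure when invoked with --run, so the check functions can be
# sourced or tested offline.
if [ "${1:-}" = "--run" ]; then
    verify_compute
fi
```

A non-zero exit from verify_compute means either the compute instance still reports a different (or no) user-assigned identity, or the identity has picked up a role such as Contributor that goes beyond what step 10 intended; in both cases the printed CHECK line shows which condition failed.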
References
- Azure Official Documentation
- What is managed identities for Azure resources?
- Set up authentication for Azure Machine Learning resources and workflows
- What is an Azure Machine Learning compute instance?
- Manage an Azure Machine Learning compute instance
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az ml workspace list
- az ml compute list
- az ml compute show
- az ml compute update
- az ml compute create
- az role assignment create