Use App Service Key Vault references with User-Assigned Identities

If you follow my blog, it should not be a surprise that I am using Managed Identity where possible, to avoid the need for passwords and secrets.  In case these secrets are inevitable, we should store them in Azure Key Vault.  Within App Service, you have the ability to make your Key Vault secrets available as application settings or environment variables, by leveraging Key Vault references.  Under the hood, the App Service must authenticate itself against the Key Vault by using Managed Identity.  By default, this is done through a System-Assigned identity.  This blog explains how you can achieve this with User-Assigned identities.


This section explains all the steps that are needed to set this up with Bicep.

Create the User-Assigned identity

  • Define a User-Assigned Identity in a simple way
//User-Assigned Identity
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
   name: identityName
   location: location

Create the App Service

  • Create the App Service.  Two important aspects are highlighted:
    • The identity object links the previously created identity to the App Service
    • The keyVaultReferenceIdentity defines which identity must be used to fetch Key Vault references
//App Service
resource appService 'Microsoft.Web/sites@2021-01-01' = {
  name: appServiceName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${}' : {}
  properties: {
    serverFarmId: appServicePlanId
    siteConfig: {
      alwaysOn: (sku == 'F1' || sku == 'D1') ? null : true
      healthCheckPath: healthCheckPath
      httpLoggingEnabled: true
      vnetRouteAllEnabled: true
    httpsOnly: true
  • The identity is now linked to the App Service

Grant the required access rights on the Key Vault

  • The identity should get the Key Vault Secrets User role assigned on the Key Vault
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2018-09-01-preview' = {
  scope: keyVault
  name: guid(,, 'Key Vault Secrets User')
  properties: {
    roleDefinitionId: '4633458b-17de-408a-b874-0445c86b69e6'
  • The result can be seen in the Azure Portal:

  • Thanks to these configurations, you can now successfully refer to Key Vault secrets from within your App Service using the Key Vault reference syntax.


Key Vault references are extremely useful, because they don’t require you to update the code base.  Next to that, my advise is to use User-Assigned identities instead of System-Assigned, because they can represent a logical application instead of an individual service that might get deleted one day.  This approach combines the two into a secure solution.

I hope you enjoyed this one!



Your Azure Coach is specialized in organizing Azure trainings that are infused with real-life experience. All our coaches are active consultants, who are very passionate and who love to share their Azure expertise with you.