Entra ID Managed Identities and Duplicate Names

For those of us that work with relational databases, we are all (hopefully) familar with the concept of a primary key. For those of you who aren’t DB pros, a primary key is a record(s) that uniquely identifies a row in a table. For example, in the following table, the EmpID column uniquely identifies the EmpName.

In this case, EmpID is what we call a surrogate key, meaning that it does not come from any actual data, but is just used to identity the record. Also, in this case, even though EmpName is currently unique (no names repeat), it does not have to be.

Managed Identities

If you haven’t worked with managed identities in Microsoft Entra (né Azure Active Directory), they are one of my favorite features in Microsoft’s cloud-based identity platform. A managed identity can represent a user or system created resource, and that resource can then be assigned privileges just like a regular user. This allows you to have very granular permissions, along with not having to use and secure a password for authentication. You can create identities for all kinds of resources, but some common examples include virtual machines and automation accounts.

So why am I writing about managed identities and data modeling concepts in the same blog post? The answer lies in the above screen shot. If were creating a basic table to hold this information, based on what we know, the design would be:

This means it is possible to have duplicate identity names, as shown below.

In this case, we have two VMs named DC002 (they are in separate resource groups, so this is allowed). Since both of these VMs have system-assigned managed identities, they are both named DC002 (the user has no control over what a system-managed identity is named, as it’s the name of the resource). While in most cases this won’t cause any problems, there may be some Azure resources where you won’t be able to assign privileges to multiple managed identities with the same name. There really isn’t a super great workaround for this, other than that if you create a user assigned managed identity, which allows you to use a custom name.

If you create a user-assigned managed identity, you can then assign it to the resource you need to authenticate with.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Trust DCAC with your data

Your data systems may be treading water today, but are they prepared for the next phase of your business growth?