title Using credentials
titleSuffix Azure Data Factory & Azure Synapse
description Learn about using Azure credentials for Azure Data Factory.
author nabhishek
ms.subservice security
ms.topic how-to
ms.date 09/26/2024
ms.author abnarain
ms.custom
synapse
sfi-image-nochange

Credentials in Azure Data Factory and Azure Synapse

[!INCLUDEappliesto-adf-asa-md]

Prerequisites

Users must have the Managed Identity Operator (Azure RBAC) role, or a custom role with the Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action RBAC action, to configure a user-assigned managed identity as a credential. Additional RBAC is required to create and use credentials in Synapse. Learn more.

Using credentials

We are introducing Credentials, which can contain user-assigned managed identities and service principals, and which also list the system-assigned managed identity that you can use in the linked services that support Microsoft Entra authentication. Credentials help you consolidate and manage all your Microsoft Entra ID-based credentials.

Below are the generic steps for using a user-assigned managed identity in the linked services for authentication. For Azure Data Factory:

  1. If you do not have a user-assigned managed identity created in Azure, first create one in the Azure portal Managed Identities page.

  2. Associate the user-assigned managed identity to the data factory instance using the Azure portal, SDK, PowerShell, or REST API. The screenshot below uses the Azure portal (data factory blade) to associate the user-assigned managed identity.

    :::image type="content" source="media/credentials/uami-azure-portal.png" alt-text="Screenshot showing how to use Azure portal to associate a user-assigned managed identity.":::

  3. Create a Credential in the data factory user interface interactively. You can select the user-assigned managed identity associated with the data factory in Step 1.

    :::image type="content" source="media/credentials/create-new-credential.png" alt-text="Screenshot showing the creation of new credentials.":::

    :::image type="content" source="media/credentials/user-assigned-credential-configuration.png" alt-text="Screenshot showing the configuration of new credentials.":::

  4. Create a new linked service and select User-assigned managed identity under authentication.

    :::image type="content" source="media/credentials/create-new-linked-service.png" alt-text="Screenshot showing the new linked service with user-assigned managed identity authentication.":::

    :::image type="content" source="media/credentials/linked-service-credential-configuration.png" alt-text="Screenshot showing the new linked service configuration with User-Assigned Managed Identity and credentials selected.":::

For Azure Synapse:

  1. If you do not have a user-assigned managed identity created in Azure, first create one in the Azure portal Managed Identities page.

  2. Associate the user-assigned managed identity to the workspace using the Azure portal, SDK, PowerShell, or REST API. The screenshot below uses the Azure portal (Identity blade) to associate the user-assigned managed identity.

    :::image type="content" source="media/credentials/synapse-uami-azure-portal.png" alt-text="Screenshot showing how to use Azure portal to associate a user-assigned managed identity.":::

  3. Create a Credential in Synapse Studio interactively. You can select the user-assigned managed identity associated with the workspace in Step 1.

    :::image type="content" source="media/credentials/synapse-create-new-credential.png" alt-text="Screenshot showing the creation of new credentials.":::

    :::image type="content" source="media/credentials/user-assigned-credential-configuration.png" alt-text="Screenshot showing the configuration of new credentials.":::

  4. Create a new linked service and select User-assigned managed identity under authentication.

    :::image type="content" source="media/credentials/synapse-create-new-linked-service.png" alt-text="Screenshot showing the new linked service with user-assigned managed identity authentication.":::

    :::image type="content" source="media/credentials/linked-service-credential-configuration.png" alt-text="Screenshot showing the new linked service configuration with User-Assigned Managed Identity and credentials selected.":::


Managing credentials with scripts

You can use the SDK, PowerShell, and REST APIs for the above actions. An example of creating a user-assigned managed identity and assigning it permissions to a resource with Bicep/ARM is available in this example. Linked services with user-assigned managed identity are currently not supported in Synapse Spark.
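When the steps above are scripted, a broken link in the chain (identity associated with the factory, credential pointing at that identity, linked service referencing the credential) is easy to miss. The following check is an added example, not code from this article or from the Azure SDK. The JSON field names (`identity.userAssignedIdentities`, a `ManagedIdentity` credential with `typeProperties.resourceId`, a `CredentialReference` inside the linked service's `typeProperties`) are assumptions about an exported factory definition, and all names and IDs are constructed.

```python
# Added example: constructed sample data; the JSON shapes are assumptions.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
UAMI_OK = SUB + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uami-adf"
UAMI_MISSING = SUB + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uami-other"

FACTORY = {"identity": {"type": "UserAssigned",
                        "userAssignedIdentities": {UAMI_OK: {}}}}
CREDENTIALS = [
    {"name": "cred-ok", "properties": {
        "type": "ManagedIdentity", "typeProperties": {"resourceId": UAMI_OK.upper()}}},
    {"name": "cred-unattached", "properties": {
        "type": "ManagedIdentity", "typeProperties": {"resourceId": UAMI_MISSING}}},
]
LINKED_SERVICES = [
    {"name": "ls-blob", "properties": {"type": "AzureBlobStorage", "typeProperties": {
        "credential": {"referenceName": "cred-ok", "type": "CredentialReference"}}}},
    {"name": "ls-sql", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
        "credential": {"referenceName": "cred-typo", "type": "CredentialReference"}}}},
]


def audit(factory, credentials, linked_services):
    """Return findings; an empty list means every reference resolves."""
    # Azure resource IDs are case-insensitive, so compare them lowercased.
    attached = {rid.lower() for rid in
                factory.get("identity", {}).get("userAssignedIdentities", {})}
    findings, names = [], set()
    for cred in credentials:
        names.add(cred["name"])
        props = cred["properties"]
        if props.get("type") != "ManagedIdentity":
            continue  # e.g. a service principal credential
        rid = props.get("typeProperties", {}).get("resourceId", "")
        if rid.lower() not in attached:
            findings.append(f"credential {cred['name']}: identity is not associated with the factory")
    for ls in linked_services:
        ref = ls["properties"].get("typeProperties", {}).get("credential")
        if ref is None:
            continue  # linked service uses another authentication method
        if ref.get("type") != "CredentialReference" or ref.get("referenceName") not in names:
            findings.append(f"linked service {ls['name']}: credential reference does not resolve")
    return findings


if __name__ == "__main__":
    for finding in audit(FACTORY, CREDENTIALS, LINKED_SERVICES):
        print(finding)
```

Run against the constructed sample, it reports the credential whose identity was never associated with the factory and the linked service whose reference names a credential that does not exist.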

Related content

See the following topics that introduce when and how to use managed identity:

See Managed Identities for Azure Resources Overview for more background on managed identities for Azure resources, which data factory managed identity is based upon.