Coding Stephan

Bitbash 2025: A Deep Dive into Managed Identity

Bitbash 2025 was an awesome conference, where I gave a talk on managed identities. Here are the cliff notes for that talk, and why I even do public speaking.

Bitbash 2025

Managed Identities Deep Dive

Bitbash 2025 - Presentation start

Managed Identities Deep Dive cliff notes for those who could not attend:

  1. When you use managed identities you are actually just automatically discovering a token endpoint.
  2. The configuration is available in environment variables.
  3. In .NET this is done by Azure.Identity, which is actually open source.
  4. You can fairly easily use managed identities in your development environment.
  5. You can use managed identities in multi-tenant apps.
  6. You can use managed identities to access your own APIs (if they are protected with Entra ID tokens).

Every Bitbash edition (two so far) had a theme, in 2025 it was Ghostbusters so I tried to theme my slides.

Azure Functions Token Proxy

If you use ManagedIdentityCredential or DefaultAzureCredential from Azure.Identity, one of the “sources” is Cloud Shell, which checks whether there is an environment variable called MSI_ENDPOINT. If it finds this variable and the value is a URL, it uses it as the token endpoint.

That means it gets tokens by sending a POST request to that URL with just a resource in the application/x-www-form-urlencoded body:

POST {MSI_ENDPOINT} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
metadata: true
User-Agent: azsdk-net-identity/1.13.2(.NET 9.0.1;Microsoft Windows 10.0.26100)
x-ms-client-request-id: ….
x-ms-return-client-request-id: true

resource=api%3A%2F%2Fcbbbe516-0b51-4501-…

The endpoint should then respond with JSON that looks like this:

{
    "access_token": "....",
    "refresh_token": "",
    "expires_in": 86397,
    "expires_on": 1737733631,
    "not_before": 1737647233,
    "resource": "https://management.azure.com",
    "token_type": "Bearer"
}

With this knowledge you can create a single HTTP-triggered Azure Function that accepts a POST and takes the resource from the body. If that Function App has a managed identity, you can use the same library to forward the token request to the real managed identity implementation. Keep in mind that the function key (AuthorizationLevel.Function below) is then all that stands between a caller and tokens for any resource in the name of that identity, so treat the key like the identity's own credential.

using System.Net;
using System.Web;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Extensions.Logging;

public class ProxyMsi
{
    private readonly ILogger<ProxyMsi> _logger;

    public ProxyMsi(ILogger<ProxyMsi> logger) => _logger = logger;

    [Function("ProxyMsi")]
    public async Task<HttpResponseData> Run([HttpTrigger(AuthorizationLevel.Function, "post", Route = "token-endpoint-proxy")] HttpRequestData req)
    {
        try
        {
            var tokenCredential = new DefaultAzureCredential(); // or new ManagedIdentityCredential();
            // The resource is in the application/x-www-form-urlencoded body 😉, so parse it like a query string
            var body = await new StreamReader(req.Body).ReadToEndAsync();
            var resourceFromBody = HttpUtility.ParseQueryString(body)["resource"];
            if (string.IsNullOrWhiteSpace(resourceFromBody))
            {
                return req.CreateResponse(HttpStatusCode.BadRequest);
            }
            // Azure.Identity asks for scopes, so append /.default to the v1-style resource
            var scope = resourceFromBody;
            if (!scope.EndsWith("/.default"))
            {
                scope += scope.EndsWith("/") ? ".default" : "/.default";
            }
            _logger.LogInformation("Received resource: {Resource}", resourceFromBody);

            var tokenResult = await tokenCredential.GetTokenAsync(new TokenRequestContext(new[] { scope }), req.FunctionContext.CancellationToken);
            // Shape the response like the JSON above: the token is in tokenResult.Token, the lifetime in tokenResult.ExpiresOn
            var now = DateTimeOffset.UtcNow;
            var tokenResponse = new
            {
                access_token = tokenResult.Token,
                refresh_token = "",
                expires_in = (long)(tokenResult.ExpiresOn - now).TotalSeconds,
                expires_on = tokenResult.ExpiresOn.ToUnixTimeSeconds(),
                not_before = now.ToUnixTimeSeconds(),
                resource = resourceFromBody,
                token_type = "Bearer"
            };
            var resp = req.CreateResponse(HttpStatusCode.OK);
            await resp.WriteAsJsonAsync(tokenResponse);
            return resp;
        }
        catch (Exception e)
        {
            _logger.LogError(e, "Error proxying msi request");
        }
        return req.CreateResponse(HttpStatusCode.BadRequest);
    }
}
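If you want to watch the exact request Azure.Identity sends to MSI_ENDPOINT before building the Function, here is an added Python stand-in for the token endpoint (example code, not from the talk or the post): it parses the form body the same way, shapes the JSON exactly like the response above and returns a constructed placeholder token, so it only demonstrates the contract. The port and the PLACEHOLDER_TOKEN value are my own assumptions.

```python
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

def parse_token_request(body: str) -> str:
    """Pull 'resource' out of the application/x-www-form-urlencoded body Azure.Identity sends."""
    values = parse_qs(body).get("resource")
    if not values or not values[0]:
        raise ValueError("missing resource in token request body")
    return values[0]

def resource_to_scope(resource: str) -> str:
    """Azure.Identity asks for scopes, so a v1-style resource becomes '<resource>/.default'."""
    if resource.endswith("/.default"):
        return resource
    return resource + (".default" if resource.endswith("/") else "/.default")

def build_token_response(resource: str, token: str, expires_on: int, now: int) -> dict:
    """Same fields as the JSON the post shows; expires_in is derived from expires_on."""
    return {
        "access_token": token,
        "refresh_token": "",
        "expires_in": max(expires_on - now, 0),
        "expires_on": expires_on,
        "not_before": now,
        "resource": resource,
        "token_type": "Bearer",
    }

class StubTokenHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", "0"))).decode()
        try:
            resource = parse_token_request(raw)
        except ValueError as err:
            self.send_error(400, str(err))
            return
        now = int(time.time())
        # Constructed placeholder token; a real proxy would request resource_to_scope(resource) from the managed identity
        body = json.dumps(build_token_response(resource, "PLACEHOLDER_TOKEN", now + 3600, now)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Point the client at it with MSI_ENDPOINT=http://127.0.0.1:8080/ and run DefaultAzureCredential
    HTTPServer(("127.0.0.1", 8080), StubTokenHandler).serve_forever()
```

The placeholder token will of course be rejected by any real API; the point is to see the request headers and body from the post arrive and the JSON go back.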

Public speaking, why?

Bitbash 2025 - Application registration vs Enterprise apps

“Why did you start with public speaking?” is a question I get once in a while. Let me explain: I like to know how things really work. Eventually I figured out that others also want to know how stuff works, but not everybody has the time or patience to figure these things out.

Once I have finally figured something out, why keep that knowledge to myself? So I share content like this. At a conference the attendees probably picked my talk just by reading the title or description, so they must be interested in the topic as well. It is an awesome feeling to share knowledge with like-minded people.

The biggest issue I have with public speaking is getting selected: it is not uncommon for conferences to receive 4 to 10 times more talk submissions than they have slots in the schedule. Months before a conference they invite everybody to submit to their “call for papers”: a catchy title and a description of your talk. Then comes the waiting, followed by either an acceptance or a rejection mail. That is usually the moment I start on the slides for that talk. Has anything changed since I submitted? Does my demo still work? Is there a theme, and do my slides need changes?

Most conferences hand out small gifts to all speakers, and some pay for travel and accommodation. I do it to share knowledge, which I enjoy very much; getting a cool Funko Pop in the theme of the conference, along with a “speaker certificate”, is a nice bonus.

Bitbash 2025 - Speaker gifts

Conclusion

Share knowledge, and enjoy doing it. If you want to get started with public speaking, send me a message; I might have some tips. Expect nothing, and be pleasantly surprised by the small gifts you might get.

People don’t submit talks about managed identities (we all want to get selected 😉).

Print additional stands for your speaker gifts to hang on your Ikea Skadis board.

Funko pops on Ikea Skadis board