- Use Managed Identities for Azure Cache for Redis Servers
Ensure that your Microsoft Azure Cache for Redis servers are using system-assigned and/or user-assigned managed identities to allow secure access to other protected cloud resources such as Azure Storage accounts. Managed identities minimize risk, simplify management, and help maintain compliance with evolving cloud services.
Using system-assigned and/or user-assigned managed identities for cache servers enhances security by allowing Azure Cache for Redis to authenticate and authorize with other Azure services and resources without the need for explicit credentials. This reduces the risk associated with credential management, allows granular control over access permissions, and provides a seamless and more secure integration with other Azure cloud components.
Audit
To determine if your Azure Cache for Redis servers are configured to use system-assigned and/or user-assigned managed identities, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.
05 Click on the name (link) of the Azure Cache for Redis server that you want to examine.
06 In the resource navigation panel, under Settings, select Identity, and perform the following checks to determine if the selected cache server is using managed identities:
- Select the System assigned tab and check the configuration setting status available under Status. If Status is set to Off, the selected Azure Cache for Redis server is not using a system-assigned managed identity.
- Select the User assigned tab and check for any user-assigned managed identities associated with the selected resource. If no user-assigned identities are listed on this page and the message No results is displayed instead, the selected Azure Cache for Redis server is not using user-assigned managed identities.
07 Repeat steps no. 5 and 6 for each Azure Cache for Redis server deployed in the selected Azure subscription.
08 Repeat steps no. 3 – 7 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run redis list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Cache for Redis server available in the selected subscription:
az redis list --query '[*].id'
05 The command output should return the requested cache server IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache", "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-webapp-cache-server" ]
06 Run redis show command (Windows/macOS/Linux) with the ID of the Azure Cache for Redis server that you want to examine as the identifier parameter, to determine the type of the managed identity (i.e. system-assigned and/or user-assigned) configured for the selected cache server:
az redis show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache" --query '{"IdentityType":identity.type}'
07 The command output should return the identity type used by the selected cache server:
{ "IdentityType": null }
If the redis show command output returns null for the "IdentityType" attribute, as shown in the example above, the selected Azure Cache for Redis server is not using a system-assigned and/or user-assigned managed identity to authenticate to other Azure cloud services.
08 Repeat step no. 6 and 7 for each Azure Cache for Redis server available within the current Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
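The CLI audit above can be automated across every subscription and cache server. The script below is an added example, not part of the original article; it assumes a logged-in Azure CLI, and the identity type read with `-o tsv` is an empty string when the server has no identity block at all.

```shell
#!/bin/sh
# Added example (not the original page's code). Requires Azure CLI ("az")
# already authenticated; invoke as:  sh audit_redis_identity.sh run

# classify_identity_type: takes the value of identity.type as printed by
# `az redis show --query identity.type -o tsv` (empty when identity is null,
# "None", "SystemAssigned", "UserAssigned" or "SystemAssigned, UserAssigned")
# and prints PASS when at least one managed identity is configured.
classify_identity_type() {
  case "$1" in
    *SystemAssigned*|*UserAssigned*) echo PASS ;;
    *) echo FAIL ;;   # empty, "None", or anything unexpected
  esac
}

# audit_subscription: report every cache server in the active subscription
# as a tab-separated line: verdict, raw identity type, resource ID.
audit_subscription() {
  az redis list --query '[*].id' -o tsv | while IFS= read -r cache_id; do
    [ -n "$cache_id" ] || continue
    id_type=$(az redis show --ids "$cache_id" --query 'identity.type' -o tsv)
    printf '%s\t%s\t%s\n' "$(classify_identity_type "$id_type")" \
      "${id_type:-null}" "$cache_id"
  done
}

# audit_all: repeat the per-subscription audit for every subscription in
# the account (steps 01-09 of the CLI audit, without manual repetition).
audit_all() {
  az account list --query '[*].id' -o tsv | while IFS= read -r sub; do
    [ -n "$sub" ] || continue
    az account set --subscription "$sub"
    audit_subscription
  done
}

# Only talk to Azure when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then audit_all; fi
```

Any line whose first column is FAIL corresponds to a cache server the audit procedure above would flag.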
Remediation / Resolution
To ensure that your Microsoft Azure Cache for Redis servers are configured to use system-assigned and/or user-assigned managed identities, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to Managed Identities blade available at https://portal.azure.com/#browse/Microsoft.ManagedIdentity%2FuserAssignedIdentities.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 Choose Create and perform the following actions to create a new user-assigned managed identity:
- For Basics, choose the correct subscription and resource group, provide a unique name for the new managed identity, then select the Azure region where your cache servers are deployed. Choose Next to continue the setup process.
- For Tags, use the Name and Value fields to create tags that will help organize the new identity. Choose Review + create to validate the identity setup.
- For Review + create, review the resource configuration details, then choose Create to create your new user-assigned managed identity.
05 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
06 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
07 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.
08 Click on the name (link) of the Azure Cache for Redis server that you want to configure.
09 In the resource navigation panel, under Settings, select Identity, and perform the following actions to enable system-assigned and user-assigned managed identities for the selected Azure Cache for Redis server:
- Choose the System assigned tab and select On under Status to enable the system-assigned managed identity for the selected cache server. Choose Save and select Yes to confirm the changes. The selected Azure Cache for Redis server is now registered with Microsoft Entra ID, eliminating the need to store credentials in your code. Once the feature is enabled, all necessary permissions can be granted via Azure RBAC.
- Select the User assigned tab, choose + Add, select the appropriate Azure subscription from the Select a subscription dropdown list, and choose the user-assigned managed identity created earlier in the Remediation process, from the User assigned managed identities list. Choose Add to apply the configuration changes.
10 Repeat steps no. 8 and 9 for each Azure Cache for Redis server that you want to configure, deployed in the selected Azure subscription.
11 Repeat steps no. 3 – 10 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run redis list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Cache for Redis server available in the selected subscription:
az redis list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested cache server names:
Name                     ResourceGroup
-----------------------  ------------------------------
cc-project5-redis-cache  cloud-shell-storage-westeurope
cc-webapp-cache-server   cloud-shell-storage-westeurope
06 Run redis identity assign command (OSX/Linux/UNIX) to enable the system-assigned managed identity for the specified Azure Cache for Redis server:
az redis identity assign --name cc-project5-redis-cache --resource-group cloud-shell-storage-westeurope --mi-system-assigned
07 Once the assignment process is completed, the command output should return the information available for the managed identity:
{
  "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
  "type": "SystemAssigned",
  "userAssignedIdentities": null
}
08 Run identity create command (OSX/Linux/UNIX) to create a new user-assigned managed identity for the specified Azure Cache for Redis server:
az identity create --name cc-project5-redis-cache --resource-group cloud-shell-storage-westeurope --location westeurope --query 'id'
09 The command output should return the full ID of the new user-assigned managed identity:
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-redis-cache"
10 Run redis identity assign command (OSX/Linux/UNIX) to assign your new user-assigned managed identity to the specified Azure Cache for Redis server:
az redis identity assign --name cc-project5-redis-cache --resource-group cloud-shell-storage-westeurope --mi-user-assigned "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-redis-cache"
11 Once the assignment process is completed, the command output should return the information available for the managed identity:
{
  "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "tenantId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
  "type": "SystemAssigned, UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cc-project5-redis-cache": {
      "clientId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
      "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234"
    }
  }
}
12 Repeat steps no. 6 – 11 for each Azure Cache for Redis server that you want to configure, available within the current subscription.
13 Repeat steps no. 3 – 12 for each Azure subscription created in your Microsoft Azure cloud account.
References
- Azure Official Documentation
- What are managed identities for Azure resources?
- Managed identity for storage accounts
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az identity create
- az redis list
- az redis show
- az redis identity assign