Azure Managed Identity Security: Attack Paths, IMDS Abuse, and How to Harden Your Configuration

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Managed identities are the right way to handle Azure authentication from Azure resources -- they eliminate stored secrets and rotate credentials automatically. The security risk is not in the credential storage, it is in the scope: managed identities are frequently granted broad permissions (Contributor or Owner on subscriptions) because it is convenient, and because the token acquisition from IMDS requires no authentication beyond being on the VM. An attacker who can execute code on a VM -- via a web shell, SSRF vulnerability, or compromised application -- can immediately access everything the managed identity can access. This guide covers the attack path and the hardening steps.
How Attackers Abuse Managed Identity Tokens
The IMDS token request is a simple HTTP GET from within the Azure resource: curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H 'Metadata: true'. This returns a JSON object containing an access_token valid for 1 hour and a refresh_token that can be used to obtain new access tokens. The resource parameter specifies which Azure service the token is for -- common targets: Azure Resource Manager (management.azure.com), Azure Key Vault (vault.azure.net), Microsoft Graph (graph.microsoft.com), Azure Storage (storage.azure.com). An attacker with code execution on the VM runs this curl command (or equivalent Python/PowerShell), obtains a token, and uses it to: list all resources in the subscription (az resource list), access Key Vault secrets (az keyvault secret list), read Storage account data, or modify Azure resources if the managed identity has Contributor or above. Server-Side Request Forgery (SSRF) vulnerabilities in web applications are particularly dangerous on Azure VMs with managed identities -- the SSRF can be used to exfiltrate IMDS tokens without requiring OS-level code execution.
Enumerate Overprivileged Managed Identities
Audit all managed identity role assignments for excessive permissions. PowerShell / Azure CLI: Get-AzRoleAssignment | Where-Object { $.ObjectType -eq 'ServicePrincipal' } | Where-Object { $.RoleDefinitionName -in ('Owner', 'Contributor', 'User Access Administrator') } | Select-Object DisplayName, RoleDefinitionName, Scope. Review each result: is the managed identity justified in having Contributor on a subscription (rather than Contributor on a specific resource group)? Does a web application's managed identity need to write to Azure Resource Manager, or only read from a specific Storage account? Common overprivileged findings: App Service managed identities with Key Vault access set to subscription-wide instead of the specific Key Vault. VM managed identities assigned Contributor at the subscription level for a single-purpose automation task. Azure Functions with Reader access to all resources when they only need to read from specific tables. Use Microsoft Defender for Cloud's identity recommendations to surface managed identities with excessive permissions.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Apply Least Privilege to Managed Identity Role Assignments
Replace broad role assignments with narrow, scoped ones. Guiding principles: scope at the resource level, not the subscription level (assign Key Vault Secrets User on the specific Key Vault, not Contributor on the subscription). Use built-in roles with minimum permissions rather than Contributor: Storage Blob Data Reader instead of Storage Account Contributor, Key Vault Secrets User instead of Key Vault Contributor, Cosmos DB Account Reader instead of Contributor. For custom permissions: create custom RBAC roles that include only the specific actions required. Example: if the managed identity only needs to read blobs from one container, create a custom role with Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read on that specific container path. Remediate overprivileged assignments: remove the overprivileged role assignment and add the narrowly scoped one. Test the application or service after the change to confirm it still functions with the reduced permissions.
Restrict IMDS Access on Multi-Tenant VMs
On VMs that run workloads from multiple tenants or multiple trust levels (shared development environments, multi-application VMs), restrict access to the IMDS endpoint via local firewall rules. The IMDS endpoint 169.254.169.254 is accessible to all processes running on the VM by default. Use Windows Firewall or Linux iptables to restrict IMDS access to specific processes or users if you cannot isolate workloads to separate VMs. For VMs running containerized workloads: in Kubernetes (AKS), use pod identity or Workload Identity (Microsoft Entra Workload Identity) which assigns managed identities at the pod level rather than the node level -- this prevents a compromised pod from accessing the node-level managed identity. For VMs where all workloads are trusted: use IMDSv2 by enforcing that all IMDS requests include a session header (Azure IMDS API version 2019-08-01 and later supports session tokens) to prevent simple SSRF-based token theft -- IMDSv2 requires a PUT request to get a session token before making GET requests, which SSRF attacks typically cannot perform.
Detect Managed Identity Abuse via Audit Logs
Managed identity token usage appears in Azure Activity Logs and Microsoft Entra ID sign-in logs (under Managed Identity sign-ins). Suspicious patterns: a managed identity accessing resources it has never accessed before (new resource type in audit logs -- Key Vault access by a VM identity that previously only accessed Storage). Managed identity tokens used from IP addresses outside the Azure IP range (169.254.x.x is local; external IP address using a managed identity token indicates the token was exfiltrated). Unusually high volume of Key Vault secret reads from a managed identity. Lateral movement pattern: a sequence of Resource Manager list operations followed by new resource access (reconnaissance followed by exploitation). KQL in Sentinel: MicrosoftAzureActivity | where CategoryValue == 'Administrative' and Caller endswith '@managedidentity' and OperationNameValue contains 'secret' | project TimeGenerated, Caller, OperationNameValue, ResourceGroup, Resource. Alert on unusual Resource Manager API calls from managed identities -- specifically CreateOrUpdate, Delete, and roleAssignments/write from managed identities that do not normally perform these operations.
The bottom line
Managed identities eliminate credential storage risk but introduce token theft risk via IMDS access. The hardening is straightforward: scope every managed identity to the minimum required Azure resources (not subscription-level Contributor), audit overprivileged assignments quarterly, enforce IMDSv2 for SSRF protection, and monitor audit logs for unusual managed identity API calls. The IMDS-based token theft attack is fast and requires only code execution on the resource -- least-privilege scoping is the primary mitigation.
Frequently asked questions
Can managed identity tokens be revoked if they are stolen?
Managed identity access tokens are short-lived (1 hour validity) and the refresh token is tied to the managed identity's service principal, not to a specific user. To revoke access after suspected token theft: remove the managed identity's role assignments (this prevents the token from being used to access those resources), disable the managed identity on the Azure resource, or rotate the managed identity by deleting and recreating the User-Assigned identity or toggling the System-Assigned identity off and back on (which creates a new service principal with a new identity). After 1 hour, the stolen access token expires -- the attacker's persistent access depends on whether they also stole the refresh token and whether the managed identity's role assignments remain intact.
What is the difference between User-Assigned and System-Assigned managed identity from a security perspective?
System-Assigned: the identity is created with the resource and deleted when the resource is deleted. Each resource has its own unique identity. If the resource is compromised, only that identity's permissions are exposed. User-Assigned: the identity exists independently and can be assigned to multiple resources. If a User-Assigned identity is assigned to 10 VMs and one VM is compromised, the attacker gains all permissions of that shared identity. User-Assigned identities also persist after the resource using them is deleted (until explicitly removed), creating orphaned identities with active permissions. From a security perspective: prefer System-Assigned identities for single-resource use cases, and use User-Assigned only when identity sharing is genuinely required (e.g., a fleet of identical VMs all needing the same access).
Does SSRF on a web application on an Azure VM expose managed identity tokens?
Yes, in most cases. SSRF (Server-Side Request Forgery) allows an attacker to make HTTP requests from the vulnerable server to arbitrary internal URLs, including 169.254.169.254. A GET request to the IMDS token endpoint with the Metadata: true header returns a valid token for the assigned managed identity. The IMDSv2 requirement for a session token (requiring a PUT request first) mitigates this for SSRF vulnerabilities that cannot perform non-GET requests. Enforce IMDSv2 via Azure Policy to ensure all resources require the PUT-based session token flow.
Can managed identities access on-premises resources?
Managed identity tokens are Azure AD tokens and work for any service that accepts Azure AD authentication -- including on-premises resources accessed via Hybrid Identity (Azure Arc, on-premises API Management proxied through Azure, or custom applications that accept Azure AD tokens). If your on-premises environment has services configured to trust Azure AD tokens, a compromised managed identity can potentially access those services. Audit which on-premises resources accept Azure AD tokens and verify that managed identities do not have unintended access to them.
How do I audit which managed identities have overprivileged role assignments across my Azure tenant?
Use Azure Resource Graph to query role assignments across subscriptions: resources | where type == 'microsoft.authorization/roleassignments' | where properties.principalType == 'ServicePrincipal' | join kind=leftouter (resources | where type == 'microsoft.managedidentity/userassignedidentities') on id. Filter for assignments with Owner, Contributor, or User Access Administrator roles at scope levels broader than a single resource group. Additionally, use Microsoft Defender for Cloud's 'Overprivileged identities' recommendation (under Identity > Overprivileged identities) which automatically flags managed identities with unused permissions. For each flagged managed identity, check what permissions it actually uses in its Azure Monitor activity logs and reduce the role assignment to match actual usage.
How do attackers abuse managed identities through SSRF vulnerabilities and what controls prevent this?
Server-Side Request Forgery (SSRF) in an application hosted on an Azure resource with a managed identity allows an attacker to send requests from the application server to the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254. A successful SSRF to http://169.254.169.254/metadata/identity/oauth2/token returns an access token for the managed identity's associated roles. The attacker can then use that token to call Azure Resource Manager APIs or Microsoft Graph with the managed identity's permissions -- all without touching any credentials. Prevention at the network layer: for containers and VMs, block outbound access to 169.254.254.0/24 at the network security group level (except from the application's own process, which is technically difficult to enforce at the NSG layer). Prevention at the application layer: apply SSRF prevention in the application code -- validate that server-side HTTP requests are not directed to private IP ranges (RFC 1918, link-local 169.254.0.0/16). Apply least-privilege role assignments to the managed identity so SSRF exploitation yields only the minimum necessary access rather than subscription-wide control. For Azure App Service, use VNet integration with network restrictions to limit egress from the application.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
