Despite the long title, I am sharing this information with the broader community because I had this specific need for a customer scenario and found the answer in a reply on a StackOverflow thread. I developed a full ARM template and tweaked the initial solution to better suit my customer’s needs. You can either download the reference ARM template (no warranties, provided as-is) or implement only the pieces that you need.
Scenario
As of the time of writing, Azure has released the Managed Service Identity (MSI) functionality into preview. In essence this allows specific Azure resources (ex. App Service, VM, etc.) to be granted a service principal in Azure AD, which can then be granted permissions in role based access control (RBAC) fashion, without any credential being stored in application settings or source code. A customer needed to deploy an Azure Function and an associated Key Vault. The MSI for the Azure Function needed read (get) access to the secrets within the key vault. While this could be configured after the ARM template deployment, it is easier and more reliable to do so at deployment time, so that the function app never runs without the permission it needs and nobody has to grant it by hand afterwards.
Solution
The reference ARM template can be downloaded in full from the following location: https://github.com/BrianTJackett/Blog-Samples/blob/master/ARM-MI-Template/azure-function-with-MSI-to-key-vault-template.json
In the “Microsoft.Web/sites” resource be sure to enable the MSI by including the following element at the root of the resource (alongside “type”, “name” and “properties”, not inside “properties”):
"identity": {
  "type": "SystemAssigned"
}
In order to add the access policy to the key vault, add the following elements as children of the key vault’s “properties” element. Note that the “accessPolicies” array declared here is the complete list for the vault: redeploying a Microsoft.KeyVault/vaults resource replaces any access policies that are not in the template, so every identity that needs access must be listed (or added through a separate Microsoft.KeyVault/vaults/accessPolicies child resource). Keep the permissions to the minimum the function needs; here that is “get” on secrets only, with no “list” and nothing on keys or certificates.
note: sites_name is the name of a parameter in my ARM template. Either hardcode this value or supply a value to this parameter.
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
  {
    "tenantId": "[subscription().tenantId]",
    "objectId": "[reference(concat(resourceId('Microsoft.Web/sites', parameters('sites_name')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]",
    "permissions": {
      "keys": [],
      "secrets": [ "get" ],
      "certificates": []
    }
  }
]
The “objectId” expression looks up the principalId of the MSI of the resource being referenced (the Azure Function) through its “/providers/Microsoft.ManagedIdentity/Identities/default” sub-resource, using the 2015-08-31-PREVIEW API version. The same value can also be read from the site resource itself with reference(resourceId('Microsoft.Web/sites', parameters('sites_name')), '2018-11-01', 'Full').identity.principalId, which does not depend on the preview provider path.
Lastly be sure to establish a dependsOn relationship from the key vault to the Azure Function, so that the identity exists before the reference() expression is evaluated; without it the first deployment into an empty resource group can fail because the service principal has not been created yet:
"dependsOn": [
  "[resourceId('Microsoft.Web/sites', parameters('sites_name'))]"
]
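Putting the three pieces together, here is a complete minimal template as an added example of my own assembly (it is not the sample linked from this post). The parameter names sites_name and vault_name, the “-plan” consumption plan, the variables and the output are assumptions; the storage account app settings a Function App needs at runtime are left out so the template stays focused on the identity and Key Vault wiring. The objectId uses the reference(..., 'Full').identity.principalId form rather than the preview provider path; both resolve to the same principalId.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sites_name": { "type": "string", "metadata": { "description": "Function App name (assumed parameter name, same as in the post)." } },
    "vault_name": { "type": "string", "metadata": { "description": "Key Vault name (assumed parameter name)." } },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "planName": "[concat(parameters('sites_name'), '-plan')]",
    "siteId": "[resourceId('Microsoft.Web/sites', parameters('sites_name'))]"
  },
  "resources": [
    {
      "comments": "Consumption plan for the Function App (assumed; not one of the post's snippets).",
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2018-02-01",
      "name": "[variables('planName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Y1", "tier": "Dynamic" },
      "properties": { "name": "[variables('planName')]", "computeMode": "Dynamic" }
    },
    {
      "comments": "Step 1: system-assigned MSI is enabled at the root of the site resource, not under properties.",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "[parameters('sites_name')]",
      "location": "[parameters('location')]",
      "kind": "functionapp",
      "identity": { "type": "SystemAssigned" },
      "dependsOn": [ "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]" ],
      "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]",
        "httpsOnly": true
      }
    },
    {
      "comments": "Steps 2 and 3: least-privilege access policy for the MSI, plus dependsOn so the principal exists before reference() runs.",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[parameters('vault_name')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('siteId')]" ],
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        "enabledForDeployment": false,
        "enabledForTemplateDeployment": false,
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(variables('siteId'), '2018-11-01', 'Full').identity.principalId]",
            "permissions": { "keys": [], "secrets": [ "get" ], "certificates": [] }
          }
        ]
      }
    }
  ],
  "outputs": {
    "functionPrincipalId": {
      "type": "string",
      "value": "[reference(variables('siteId'), '2018-11-01', 'Full').identity.principalId]"
    }
  }
}
```

Deploy it with az group deployment create --resource-group <rg> --template-file template.json --parameters sites_name=<app> vault_name=<vault>, then compare the functionPrincipalId output against the objectId shown by az keyvault show --name <vault> --query properties.accessPolicies to confirm the policy landed on the right principal. Because the vault depends on the site, Resource Manager has already created the identity when it evaluates the reference() expression, which is what makes a first deployment into an empty resource group succeed.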
Conclusion
This post was more of a mental reminder to myself about how to reference an Azure MSI within an ARM template, but if you need this same solution hopefully you found it useful. Feel free to share any questions or feedback in the comments.
-Frog Out
Thanks! I was already dreading spending the next 3 days looking for a solution for this.
Glad you found this useful. If you have any feedback after implementing it please share back.
Hey Brian, how can I use dependsOn over a managed identity operation? I am deploying an app service and enabling MSI on the app service, creating a key vault, reading the identity of the app service and assigning it rights over the key vault, but the problem is that if I delete everything and deploy the template from scratch the “assigning access to the managed identity” part fails with “can’t find identities”. But when I deploy the template again it works; in the first run the identities are created, so it does not fail in the second run. Could you help?
I hope I explained it properly.
Muhammad, did you try out the ARM template linked from this blog post? It sounds like that sample is implementing the same configuration steps that you described. Let me know if I missed something. https://github.com/BrianTJackett/Blog-Samples/blob/master/ARM-MI-Template/azure-function-with-MSI-to-key-vault-template.json