karavar
commented
1 year ago There are two main limits to Azure AD that get impacted due to churn
- Azure AD object quota limit (more here) - each object counts towards the quota. If identities churn you run a risk of reaching your quota faster.
- Your deployments getting throttled due to throttling in Azure AD.
In general, we suggest moving towards a model where identities are pre-created and re-used as much as possible rather than churning them in the system.
realolap
The document states: "While using system-assigned managed identity is possible, when used at scale (for example, for all VMs in a subscription) it results in substantial number of identities created (and deleted) in Azure AD (Azure Active Directory). To avoid this churn of identities, it is recommended to use user-assigned managed identities, which can be created once and shared across multiple VMs."
But it does not explain, nor does any other document I can find, why this "churn" of system identities would be a problem? There is a built-in policy for creating system assigned identities for the AMA agent at scale (/providers/Microsoft.Authorization/policyDefinitions/17b3de92-f710-4cf4-aa55-0e7859f1ed7b). The reccomended solution of having an umi pr sub pr region seems more complicated and more reasoning should be provided in the documentation.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.