Question:
A software company is developing a multi-tenant SaaS application that will be hosted on Azure Container Apps. Each tenant will have their own Azure Storage account for storing data. The application needs to access these storage accounts on behalf of the tenants. The company wants to manage the identities separately from the Azure Container Apps and wants to have one or more pre-configured entities for each tenant. Which type of managed identity would fit this scenario?
Answer:
This scenario is best suited for user-assigned managed identities. A user-assigned managed identity is a standalone Azure resource with its own lifecycle that can be assigned to one or more instances of an Azure service. In this case, each tenant can have a user-assigned managed identity that is granted access to that tenant's Azure Storage account, and the Azure Container App can then use these identities to authenticate to the storage accounts on behalf of the tenants. When a tenant leaves, its user-assigned managed identity can be removed from the Azure Container App and deleted.