Why the portal will not allow additional 'User-assigned Managed Identities' to be added to Node Identity Reference?

Daniel-4204 205 Reputation points
2026-03-16T17:01:43.65+00:00

In my scenario, Azure Batch Pools currently share a single user assigned managed identity for their nodes. Each batch pool is associated with separate subnets because jobs performed by the nodes go to different vnet resource environments across a network peering.

I would like to not share this user assigned managed identity between pools/nodes due to recommended regulations, audit/log trails for isolated environments instead of sharing a single user assigned managed identity.

Therefore, I have added a new user assigned managed identity to each pool. However, the option to add more than one user assigned managed identity is not possible in the Node Identity Reference for autostorage settings of the batch account.

So currently, the pools have 2 each: the old user assigned managed identity, and each its respective new one.

Is this by design that there must only be 1 in this section used for the purpose of autostorage node identity reference?

According to the documentation, these user assigned managed identities must be added in both places: the pool, and the identity reference (see screenshot below). However, in the same documentation (see yellow arrow below), there is verbiage suggesting that the auto storage "one" is indeed the only one allowed there.

This makes me think that if I am to configure the Batch Account as I described, I will likely need to maintain 3 user assigned managed identities.

1x: shared for autostorage and added to the identity reference and both pool identities.

2x: separate user assigned managed identities: 1 for each pool identity for nodes accessing designated resources such as separate app configurations, keyvaults, etc, etc...

[Screenshot of the referenced documentation page: https://learn.microsoft.com/en-us/troubleshoot/azure/hpc/batch/use-managed-identities-azure-batch-account-pool]

Azure Batch

An Azure service that provides cloud-scale job scheduling and compute management.

Answer accepted by question author
    Jilakara Hemalatha 11,430 Reputation points Microsoft External Staff Moderator
    2026-03-16T18:15:31.0433333+00:00

    Hello Daniel,

    Thank you for reaching out and for providing the detailed explanation of your scenario.

    From your description, I understand that you are attempting to assign separate user-assigned managed identities to different pools in order to maintain isolation across environments (for example, separate VNets and resource access). While doing so, you noticed that the Node Identity Reference for the AutoStorage configuration allows selecting only a single user-assigned managed identity, even though the documentation mentions that multiple identities can be defined.

    This behavior is expected and is by design in Azure Batch.

    The documentation you referenced states that multiple user-assigned managed identities can be defined at the pool identity level. This allows compute nodes in a pool to authenticate to different Azure resources (such as Key Vault, Storage, or App Configuration) using different identities when required.

    However, the Node Identity Reference used for AutoStorage authentication is configured at the Batch account level, and therefore it supports only one user-assigned managed identity. Since the AutoStorage account is associated with the Batch account itself rather than individual pools, the service requires a single identity that all nodes will use when accessing AutoStorage.

    As also noted in the documentation:

    “You can define more than one user-assigned managed identity in the pool identity. However, the one that's defined in the node identity reference must also be defined in the pool identity.”

    This means that:

    • A pool may contain multiple user-assigned managed identities.

    • The identity used for Node Identity Reference (AutoStorage) must also be included in the pool identity.

    • The Node Identity Reference itself supports only one identity, which is why the portal does not allow adding additional identities in that field.

    Given your architecture, the approach you described is the correct and recommended design:

    • One shared user-assigned managed identity used for AutoStorage access and configured as the Node Identity Reference.

    • Separate user-assigned managed identities per pool for accessing environment-specific resources such as Key Vault, Storage accounts, or other services.

    References:

    • Configure managed identities in Batch pools

    • Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity

    • The Usage of Managed Identity in the Azure Batch Account and Azure Batch Pool

    Hope this helps! Please let me know if you have any queries.

    1 person found this answer helpful.
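The design the accepted answer settles on (one account-level AutoStorage identity that every pool must also carry, plus one isolated identity per pool) is easy to drift from as pools are added or old identities are left behind. The following Python script is an added example, not code from this thread or from Microsoft: it audits a Batch account and its pools, represented as dicts shaped like the `Microsoft.Batch` ARM resource properties (that shape is an assumption here), and flags any pool that lacks the node identity reference or that shares a per-pool identity with another pool. All resource IDs are constructed placeholders.

```python
# Added example (not from the Q&A thread): audit that every Batch pool's identity
# includes the account's single AutoStorage node identity reference, and that the
# per-pool identities are not reused across pools. The dict shapes follow the
# Microsoft.Batch ARM resource properties (an assumption); IDs are placeholders.

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-batch"
MI = SUB + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/"
ID_AUTOSTORAGE = MI + "mi-autostorage"   # shared identity referenced by the account
ID_POOL_A = MI + "mi-pool-a"             # per-pool identities for isolated resources
ID_POOL_B = MI + "mi-pool-b"
ID_POOL_C = MI + "mi-pool-c"

# Constructed sample account: AutoStorage authenticates with a managed identity and,
# as the answer explains, nodeIdentityReference holds exactly one resourceId.
SAMPLE_ACCOUNT = {
    "name": "batchacct",
    "properties": {
        "autoStorage": {
            "storageAccountId": SUB + "/providers/Microsoft.Storage/storageAccounts/autostorage0",
            "authenticationMode": "BatchAccountManagedIdentity",
            "nodeIdentityReference": {"resourceId": ID_AUTOSTORAGE},
        }
    },
}

# Constructed sample pools: a and b follow the recommended layout; c is deliberately
# misconfigured (no AutoStorage identity, and it reuses pool-b's identity).
SAMPLE_POOLS = [
    {"name": "pool-a", "identity": {"type": "UserAssigned",
        "userAssignedIdentities": {ID_AUTOSTORAGE: {}, ID_POOL_A: {}}}},
    {"name": "pool-b", "identity": {"type": "UserAssigned",
        "userAssignedIdentities": {ID_AUTOSTORAGE: {}, ID_POOL_B: {}}}},
    {"name": "pool-c", "identity": {"type": "UserAssigned",
        "userAssignedIdentities": {ID_POOL_B.upper(): {}, ID_POOL_C: {}}}},
]


def autostorage_identity(account):
    """Return the node identity reference ID when AutoStorage uses managed identity, else None."""
    auto = account.get("properties", {}).get("autoStorage", {})
    if auto.get("authenticationMode") != "BatchAccountManagedIdentity":
        return None
    return auto.get("nodeIdentityReference", {}).get("resourceId")


def pool_identities(pool):
    """Set of user-assigned identity IDs on a pool, lower-cased (ARM IDs compare case-insensitively)."""
    ident = pool.get("identity") or {}
    if ident.get("type") != "UserAssigned":
        return set()
    return {rid.lower() for rid in ident.get("userAssignedIdentities", {})}


def audit_pools(account, pools):
    """Map pool name -> list of findings; an empty list means the pool is consistent."""
    findings = {p["name"]: [] for p in pools}
    auto_id = autostorage_identity(account)
    if auto_id is None:
        return findings  # AutoStorage uses storage keys, so there is no identity to check
    auto_id = auto_id.lower()
    owners = {}  # per-pool identity -> names of the pools carrying it
    for pool in pools:
        ids = pool_identities(pool)
        if auto_id not in ids:
            findings[pool["name"]].append("missing AutoStorage node identity reference " + auto_id)
        for rid in ids - {auto_id}:
            owners.setdefault(rid, []).append(pool["name"])
    # A per-pool identity that shows up on more than one pool breaks the isolation goal.
    for rid, names in owners.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append(f"per-pool identity {rid} is shared with {others}")
    return findings


if __name__ == "__main__":
    for name, issues in audit_pools(SAMPLE_ACCOUNT, SAMPLE_POOLS).items():
        print(name, "OK" if not issues else issues)
```

In practice the account and pool dicts would come from an ARM export or the management API rather than being constructed inline; the checks themselves stay the same, and a pool with an empty findings list matches the layout the answer recommends.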

0 additional answers