Supporting Managed Identity based authentication flows in Azure Load Testing

At Microsoft, we prioritize security above anything else. As part of the Secure Future Initiative (SFI), one of the key guidelines from an identity and access security perspective is to replace secrets, credentials, certificates, and keys with more secure authentication, such as managed identities for Azure resources. With managed identities (MIs), credentials are fully managed, and they can’t be accidentally leaked.

As you move towards using managed identities, our job at Azure Load Testing is to ensure that you can seamlessly run load tests on flows using MI based authentication. Introducing the support for MI based authentication scenarios in Azure Load Testing.

Managed identity based authentication is typically used in communication between services. The target Azure resource authenticates using a managed identity that has access to do the specific operation on the resource. A common practice to run load tests in flows requiring authentication is to bypass authentication or to hardcode the access tokens. However, this is not the best practice. It is a less secure approach, and you can’t get a true sense of the performance either.

Running load tests in this kind of scenario require the load generating agent (like an Azure Virtual Machine) to have the managed identity assigned so that the authentication request is successful. With Azure Load Testing, you can simply select the managed identity that you intend to use and your test script, with the authentication flow included, runs seamlessly. Let’s see this in action through a sample scenario.

Load test scenario

Let’s take the scenario of getting the details of an Azure Load Testing resource through a GET API call. In this case, we will authenticate using a managed identity. Running a load test for this scenario can be done in these steps:

1. Create a load test for the test scenario
2. Grant the required RBAC permissions to the managed identity being used
3. Configure the test in Azure Load Testing and run it

Creating the test script

Let’s use Apache JMeter to create a load test script for this scenario. For this scenario to work, we need to first fetch a Microsoft Entra token using the managed identity and then use the access token in the GET API request. We first make a HTTP REST call to the Azure Instance Metadata Service (IMDS) endpoint to fetch the access token, extract it using a JSON extractor and save the token in a property using a JSR223 PostProcessor.

This is how your JMeter script would look like for this scenario.

Detailed guidance on setting up this test script is available here.

Grant permissions to the managed identity

To run this test script in Azure Load Testing, you can use either a system-assigned identity or a user-assigned managed identity.

If you intend to use a system-assigned identity, enable it on the Azure Load Testing resource from which you want to run the load test. Then, provide the required RBAC permission for this identity on the target resource for the GET API call.

If you want to use a user-assigned identity, you can select the identity that you want to use and assign it to the Azure Load Testing resource.

Configuring and running the test in Azure Load Testing

To configure a test to use a managed identity for authentication, you just need to select the identity that you want to use. The rest of the steps to create a test do not change.

On the ‘Test plan’ tab of the test creation flow, in the ‘Managed Identity for authentication scenarios’ section, select the required managed identity. If your test scenario requires multiple authentication calls using different managed identities, you can select user-assigned identity and select the multiple identities needed.

When you create and run this test, the results dashboard will look the same as that of any other load test in Azure Load Testing. You will be able to see the performance metrics for the authentication API call and the GET API call on the resource separately.

In this sample scenario, we used the JMeter and a HTTP call to the IMDS endpoint for authentication. You can also use Locust framework and any other method of authentication using a managed identity to create the test script.

In this blogpost, we saw how Azure Load Testing can help you set up and run load tests for scenarios involving authentication using a managed identity. Do try out this capability and let us know your feedback. You can learn more about this feature here.

Have questions or feedback? Drop a comment below or share your feedback with us in the Azure Load Testing community!