Message: The value 'SystemAssigned, UserAssigned' of parameter 'identity' is not allowed. Allowed values are: UserAssigned, None.

Question

Message: The value 'SystemAssigned, UserAssigned' of parameter 'identity' is not allowed. Allowed values are: UserAssigned, None.

Anthony Pirolli 20 Microsoft Employee

I am unable to enabled SystemAssigned Identity on my VMSS even though the API version I am using says this is an allowed parameter.

https://free.blessedness.top/en-us/azure/templates/microsoft.compute/2024-11-01/virtualmachinescalesets?pivots=deployment-language-bicep#virtualmachinescalesetidentity

Can I have some assistance on why this is the case?

The end goal is to deploy EntraID extension to login to our Linux type VMSS.

Anthony Pirolli 20 Reputation points Microsoft Employee

2025-08-11T17:06:04.5866667+00:00
Yes our bicep template is like this

var identity = IdentityType == 'SystemAssigned' || IdentityType == 'None' ? { type: IdentityType } : { type: IdentityType userAssignedIdentities: !empty(UserAssignedIdentities) ? UserAssignedIdentities : null }

If we are inputting SystemAssigned, or None then type is just set however if UserAssigned is in the IdentityType then it will set the userAssignedIdentities. I have no issues when IdentityType is 'UserAssigned' like this.
Anthony Pirolli 20 Reputation points Microsoft Employee

2025-08-11T17:10:45.4433333+00:00

Looking at further notice, it is a Flexible orchestration however on a one off basis I am able to enable System Assigned MI on the individual VMs. Is there anyway to do this automatically while keeping the VMSS in a flexible measure?
Durga Reshma Malthi 11,590 Reputation points Microsoft External Staff Moderator

2025-08-13T05:41:18.8233333+00:00

Hi Anthony Pirolli

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

Answer accepted by question author

3 additional answers

Your answer

Anthony Pirolli 20 Reputation points Microsoft Employee

2025-08-11T17:06:04.5866667+00:00

Yes our bicep template is like this

var identity = IdentityType == 'SystemAssigned' || IdentityType == 'None' ? { type: IdentityType } : { type: IdentityType userAssignedIdentities: !empty(UserAssignedIdentities) ? UserAssignedIdentities : null }

If we are inputting SystemAssigned, or None then type is just set however if UserAssigned is in the IdentityType then it will set the userAssignedIdentities. I have no issues when IdentityType is 'UserAssigned' like this.
Anthony Pirolli 20 Reputation points Microsoft Employee

2025-08-11T17:10:45.4433333+00:00

Looking at further notice, it is a Flexible orchestration however on a one off basis I am able to enable System Assigned MI on the individual VMs. Is there anyway to do this automatically while keeping the VMSS in a flexible measure?
Durga Reshma Malthi 11,590 Reputation points Microsoft External Staff Moderator

2025-08-13T05:41:18.8233333+00:00

Hi Anthony Pirolli

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

Answer 1

Hi Anthony Pirolli

If you are using a bicep template, ensure that the identity block must be structured correctly to support both identity types.

identity: {
  type: 'SystemAssigned, UserAssigned'
  userAssignedIdentities: {
    '/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>': {}
  }
}

And as per this GitHub document - https://github.com/Azure/bicep-registry-modules/issues/2671, it was mentioned that you cannot use a system-assigned identity with orchestrationMode: 'Flexible' but must use Uniform.

Additional References:

https://stackoverflow.com/questions/70165163/assigning-user-assigned-identity-to-azure-vmss-fails

Hope this helps!

Please Let me know if you have any queries.

Answer 2

Hi Anthony Pirolli

As per this GitHub document - https://github.com/Azure/bicep-registry-modules/issues/2671, it was mentioned that you cannot use a system-assigned identity with orchestrationMode: 'Flexible' but must use Uniform.

Flexible orchestration does not support System Assigned at the VMSS resource itself , the identity has to be enabled per VM instance.

Uniform orchestration - Identity is managed at the scale set level.
Flexible orchestration - Identity must be managed per VM instance.

But Bicep or ARM templates cannot assign System Assigned identity to individual VMSS instances during initial deployment in Flexible mode. You’ll need to use CLI, PowerShell, or REST API post-deployment.

However, you can try this bicep template - https://free.blessedness.top/en-us/azure/templates/microsoft.compute/virtualmachinescalesets?pivots=deployment-language-bicep, but ensure you might configure the identity.

resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2021-03-01' = {
  name: 'myVMSS'
  location: resourceGroup().location
  sku: {
    name: 'Standard_DS1_v2'
    tier: 'Standard'
    capacity: 2
  }
  properties: {
    virtualMachineProfile: {
      identity: {
        type: 'SystemAssigned'
      }
      // Other VMSS properties
    }
  }
}

Additional References:

https://free.blessedness.top/en-us/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities?pivots=qs-configure-portal-windows-vm

https://free.blessedness.top/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes

Hope this helps!

Please Let me know if you have any queries.

Answer 3

Anthony Pirolli 20 Microsoft Employee

Hello @Durga Reshma Malthi , I will have to give this a try. Thank you and I will let you know if this works!

Durga Reshma Malthi 11,590 Reputation points Microsoft External Staff Moderator

2025-08-14T04:43:35.49+00:00

Hi Anthony Pirolli

Sure, Please update us once you have tried the workaround

Answer 4

Anthony Pirolli 20 Microsoft Employee

Hello @Durga Reshma Malthi , this does not work as the API provided does not allow this to be a thing. At this point is just looks like it will have to be manually enabled. Definitely something that I think should be changed.

                        InnerError: 
                            Code: BadRequest
                            Message: Could not find member 'identity' on object of type 'VirtualMachineProfile'. Path 'properties.virtualMachineProfile.identity', line 1, position 1313.
                            Target: vmss.properties.virtualMachineProfile.identity

Durga Reshma Malthi 11,590 Reputation points Microsoft External Staff Moderator

2025-08-15T05:35:52.0466667+00:00

Hi Anthony Pirolli

I understand your concern regarding the limitations of enabling System Assigned Managed Identities (MIs) on individual VMs within a Flexible VM Scale Set (VMSS). As of now, the Azure API does not support enabling System Assigned MIs directly on VMs in a Flexible orchestration mode.

In Flexible orchestration mode, the API does not expose the identity property for the VirtualMachineProfile, which is why you are facing the error when trying to set it in your Bicep template.

As you mentioned, the only way to enable System Assigned MIs on individual VMs in a Flexible VMSS is to do it manually through the Azure portal or using Azure CLI/PowerShell commands after the VMs have been created.

Please Let me know if you have any queries.

Durga Reshma Malthi 11,590 Microsoft External Staff Moderator

Hi Anthony Pirolli

As we discussed in teams,

You can define a deployment script in Bicep that runs after the VMSS is deployed:

 resource enableIdentity 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'enableSystemAssignedMI'
  location: resourceGroup().location
  kind: 'AzureCLI'
  properties: {
    azCliVersion: '2.53.0'
    scriptContent: '''
      #!/bin/bash
      rg="${resourceGroupName}"
      vmss="${vmssName}"
      ids=$(az vmss list-instances --resource-group $rg --name $vmss --query "[].instanceId" -o tsv)
      for id in $ids; do
        az vmss vm update --resource-group $rg --vmss-name $vmss --instance-id $id --set identity.type="SystemAssigned"
      done
    '''
    arguments: ''
    environmentVariables: [
      {
        name: 'resourceGroupName'
        value: '<your-rg>'
      }
      {
        name: 'vmssName'
        value: '<your-vmss-name>'
      }
    ]
    cleanupPreference: 'OnSuccess'
    forceUpdateTag: 'v1'
  }
}

This runs as part of your Bicep deployment.

or else you need to use customData or CustomScriptExtension extensions for inside-VM tasks.

Hope this helps!

Please Let me know if you have any queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.

Share via

Message: The value 'SystemAssigned, UserAssigned' of parameter 'identity' is not allowed. Allowed values are: UserAssigned, None.

3 additional answers

Your answer