Adding a User Assigned Managed Identity to the Web App Identities using the Azure REST API

David Downing 701 Reputation points
2022-11-14T17:30:22.74+00:00

I'm trying to add a User Assigned Managed Identity to an existing Web App using the REST API documented here: https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/update

Details below. Any information regarding what I'm doing wrong is greatly appreciated.

Using the following for the body, I get the error below the body.

{
  "identity": {
    "type": "SystemAssigned, UserAssigned",
    "tenantId": "<tenant id>",
    "principalId": "<principal id>",
    "userAssignedIdentities": {
      "/subscriptions/<subscription id>/resourceGroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestUserAssignedIdentity": {}
    }
  }
}

Error
{
  "Code": "ServiceUnavailable",
  "Message": "Unable to retrieve identity information from Managed Identity resource provider. Please try again later.",
  "Target": null,
  "Details": [
    {
      "Message": "Unable to retrieve identity information from Managed Identity resource provider. Please try again later."
    },
    {
      "Code": "ServiceUnavailable"
    },
    {
      "ErrorEntity": {
        "ExtendedCode": "04600",
        "MessageTemplate": "Unable to retrieve identity information from Managed Identity resource provider. Please try again later.",
        "Parameters": [],
        "Code": "ServiceUnavailable",
        "Message": "Unable to retrieve identity information from Managed Identity resource provider. Please try again later."
      }
    }
  ],
  "Innererror": null
}

Using the following for the body I get the error below the body:

{
  "identity": {
    "type": "SystemAssigned, UserAssigned",
    "tenantId": "<tenant id>",
    "principalId": "<principal id>",
    "userAssignedIdentities": {
      "/subscriptions/<subscription id>/resourceGroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestUserAssignedIdentity": {
        "principalId": "<principal id>",
        "clientId": "<client id>"
      }
    }
  }
}

Error
{
  "error": {
    "code": "InvalidIdentityValues",
    "message": "Invalid value for the identities '/subscriptions/a747cb6a-0362-4e03-9e90-36e2c05cf90c/resourceGroups/ManageXSSORG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestUserAssignedIdentity'. The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property."
  }
}


1 answer

  1. David Downing 701 Reputation points
    2022-11-16T20:35:44.587+00:00

    After removing the user assigned identity and all role assignments and identity references, and creating a new user assigned managed identity, the following seems to work:

    PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}?api-version=2022-03-01

    {
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
          "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managed identity name}": {}
        }
      }
    }

    One thing to note: after deleting the user assigned managed identity, the role assignments for the resource were removed; however, the WebApp identity reference remained.

    1 person found this answer helpful.
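
Added example, not part of the original thread or of Microsoft's documentation: a Python sketch that builds the PATCH body in the shape of the working request above from a site's current `identity` block, and lists identity references that no longer match an existing managed identity (the leftover reference noted in the answer). The function names, the sample data and the case-insensitive comparison of resource IDs are assumptions of this example.

```python
import json
import re

# Resource ID shape used on this page for a user-assigned managed identity.
UAMI_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$",
    re.IGNORECASE)

def build_identity_patch(current_identity, new_id):
    """Build the PATCH body that adds new_id to a site's identity block."""
    if not UAMI_ID.match(new_id):
        raise ValueError(f"not a user-assigned identity resource ID: {new_id}")
    current = current_identity or {}
    existing = current.get("userAssignedIdentities") or {}
    # Send {} for every key: the error on this page says values must be empty
    # objects, null or the existing property; {} is what the working body uses.
    merged = {rid: {} for rid in existing}
    if new_id.lower() not in {rid.lower() for rid in merged}:
        merged[new_id] = {}
    has_system = "systemassigned" in (current.get("type") or "").lower()
    id_type = "SystemAssigned, UserAssigned" if has_system else "UserAssigned"
    # Top-level tenantId/principalId are not copied, matching the working body.
    return {"identity": {"type": id_type, "userAssignedIdentities": merged}}

def stale_identity_refs(current_identity, live_ids):
    """Return referenced identity IDs that are absent from live_ids."""
    live = {rid.lower() for rid in live_ids}
    refs = (current_identity or {}).get("userAssignedIdentities") or {}
    return sorted(rid for rid in refs if rid.lower() not in live)

# Constructed sample data (placeholder subscription, group and names).
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "example-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/")
OLD_ID, NEW_ID = BASE + "OldIdentity", BASE + "TestUserAssignedIdentity"
SAMPLE_GET_IDENTITY = {
    "type": "SystemAssigned, UserAssigned",
    "tenantId": "<tenant id>",
    "principalId": "<principal id>",
    "userAssignedIdentities": {
        OLD_ID: {"principalId": "<principal id>", "clientId": "<client id>"}},
}

if __name__ == "__main__":
    print(json.dumps(build_identity_patch(SAMPLE_GET_IDENTITY, NEW_ID), indent=2))
    # live_ids would be the identities that still exist in the subscription.
    print(stale_identity_refs(SAMPLE_GET_IDENTITY, [NEW_ID]))
```

A non-empty result from `stale_identity_refs` means the web app still references an identity that is not in the list of existing ones, which is worth clearing before a new identity is attached.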