Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
982 questions
Use Managed Identity RBAC to Auth call between APIs in Same Tenant
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 74%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Stephen Mallin
26
Reputation points
I'm new to Azure, and trying to use AAD Managed Identity to authenticate and authorize an API call from one API in our tenant to another in the same tenant. I understand how to create the managed identity, how to assign that identity to the calling app, but I am struggling to understand what IAM role (RBAC) I should assign to the identity inside my API that is being called. I know once I select the right role, I can select the manged identity as the user that needs the role, but what role will function as authN/authZ for the API?
Here are the steps as I understand it.
- Create Managed Identity (Got it)
- Add managed Identity as User-Assigned Identity to API application inside my tenant which is going to call the other API [API A] (No Problem)
- Add IAM Role to API being called [API B] (This is the part I'm struggling with)
- Add Managed Identity to RBAC Role created in 3 (This seems straightforward)
All the RBAC descriptions I have found to this point have to do with managing access to data... (blob storage, etc) but I want to use this to authenticate an API which is in an Azure App Service. What kind of role needs to be added to API B so that an API with the managed Identity assigned can hit the endpoints? Thanks!
Azure Role-based access control
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,208 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator2022-12-07T02:06:12.25+00:00 Hi @Stephen Mallin ,
Could you please clarify which guide you are following for this? I want to make sure I am following your workflow. Is it the assign managed identity to an app role guide or a different one?
-
Stephen Mallin 26 Reputation points
2022-12-12T14:15:15.677+00:00 I am following the example shown by Varun Karandikar who is a program manager at Microsoft. This is the link I found the video on:
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
But eventually I will need to put this into terraform, so I will need to know the name of the role. Thanks for any assistance you can provide.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 47%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFD%3C/text%3E%3C/svg%3E)
Fabrizi, David 0 Reputation points2023-04-18T10:33:37.25+00:00 Hi Stephen, did you ever resolve this issue? Did you find the correct RBAC role to assign?
Sign in to comment
Sign in to answer