How to authenticate system assigned manage identity of APIM to App service with AAD protected ?

Question

How to authenticate system assigned manage identity of APIM to App service with AAD protected ?

Bhargav Pasarla 120

I have one App service protected with AAD. There is .net core web api hosted inside this app service.

User's image

I have APIM with System assigned manage identity-

User's image

App service is being hosted at APIM and when I test that i get 401 error -

User's image

I need to configure managed identity of APIM to backend app service so that I can successfully call it.

JananiRamesh-MSFT 29,266 Reputation points

2023-08-31T09:26:37.78+00:00

Hi Bhargav Pasarla Just a follow up to see if you are still facing the issue did the above-mentioned steps helped you in resolving the error?

Please let me know if you have any further queries.
Bhargav Pasarla 120 Reputation points

2023-09-01T11:48:33.08+00:00

@JananiRamesh-MSFT

Thanks for following up!!

I have followed the same steps mentioned by you.

But still I'm unable to access.
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-09-04T13:31:41.6433333+00:00

@Bhargav Pasarla I think there may be a step missing

Just to re-summarise: You want to use the MSI for APIM to auth with an App Service backend (client calls into APIM use some other auth scheme).
So basically you want APIM to relay the client request to the App Service backend using it's own identity (the MSI)

Along with the other steps mentioned above you need to tell APIM this is what you want to do - to do this you need the MSI Policy as described here
https://learn.microsoft.com/en-us/azure/api-management/authentication-managed-identity-policy
This acquires the correct token and adds it as a bearer header to the request from APIM to the backend. This means that there's a token for App service to evaluate.
JananiRamesh-MSFT 29,266 Reputation points

2023-09-08T15:03:21.74+00:00

@Bhargav Pasarla did you try adding the managed identity policy to the API's? Please let us know if you have further query or issue remains.
Bhargav Pasarla 120 Reputation points

2023-09-10T15:30:46.04+00:00

Hi @JananiRamesh-MSFT I have used the managed identity policy but it is not working.

I have hardcoded the policy for sending client credential request and getting to token before sending a request to the backend api. It is successful.

But I couldn't do the Managed Identity policy.
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-09-11T08:14:43.97+00:00

Hi @Bhargav Pasarla are you able to provide more detail about what is not working with the managed identity policy ? You can use the "trace" facility in APIM Az portal interface which will return more detail on each policy executed. In this scenario (APIM calls App Service with token representing APIM MSI) then the policy is required

1 answer

Your answer

JananiRamesh-MSFT 29,266 Reputation points

2023-08-31T09:26:37.78+00:00

Hi Bhargav Pasarla Just a follow up to see if you are still facing the issue did the above-mentioned steps helped you in resolving the error?

Please let me know if you have any further queries.
Bhargav Pasarla 120 Reputation points

2023-09-01T11:48:33.08+00:00

@JananiRamesh-MSFT

Thanks for following up!!

I have followed the same steps mentioned by you.

But still I'm unable to access.
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-09-04T13:31:41.6433333+00:00

@Bhargav Pasarla I think there may be a step missing

Just to re-summarise: You want to use the MSI for APIM to auth with an App Service backend (client calls into APIM use some other auth scheme).
So basically you want APIM to relay the client request to the App Service backend using it's own identity (the MSI)

Along with the other steps mentioned above you need to tell APIM this is what you want to do - to do this you need the MSI Policy as described here
https://learn.microsoft.com/en-us/azure/api-management/authentication-managed-identity-policy
This acquires the correct token and adds it as a bearer header to the request from APIM to the backend. This means that there's a token for App service to evaluate.
JananiRamesh-MSFT 29,266 Reputation points

2023-09-08T15:03:21.74+00:00

@Bhargav Pasarla did you try adding the managed identity policy to the API's? Please let us know if you have further query or issue remains.
Bhargav Pasarla 120 Reputation points

2023-09-10T15:30:46.04+00:00

Hi @JananiRamesh-MSFT I have used the managed identity policy but it is not working.

I have hardcoded the policy for sending client credential request and getting to token before sending a request to the backend api. It is successful.

But I couldn't do the Managed Identity policy.
Ben Gimblett 4,560 Reputation points Microsoft Employee

2023-09-11T08:14:43.97+00:00

Hi @Bhargav Pasarla are you able to provide more detail about what is not working with the managed identity policy ? You can use the "trace" facility in APIM Az portal interface which will return more detail on each policy executed. In this scenario (APIM calls App Service with token representing APIM MSI) then the policy is required

Answer 1

Hi Bhargav Pasarla Thanks for reaching out. Please confirm if you have configured all the steps mentioned below.

Enable system-assigned managed identity for your APIM instance. You can do this by going to the "Identity" blade of your APIM instance in the Azure portal and turning on the "System assigned" option.

Grant the managed identity of your APIM instance access to your AAD-protected App Service. You can do this by adding the managed identity of your APIM instance as a "Contributor" or "Owner" to the App Service's access control (IAM) list.

To configure Azure RBAC access:

In the left menu, select Access control (IAM).
On the Access control (IAM) page, select Add role assignment.
On the Role tab, select the appropriate role under privileged administrator role.
On the Members tab, select Managed identity > + Select members.
On the Select managed identity page, select the system-assigned managed identity or a user-assigned managed identity associated with your API Management instance, and then select Select.
Select Review + assign. In your App Service, enable AAD authentication by going to the "Authentication / Authorization" blade and turning on the "App Service Authentication" option. Choose the authentication provider. Reference:https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-managed-service-identity#supported-scenarios-using-system-assigned-identity
API in APIM should be updated with policy authentication-managed-identity. https://learn.microsoft.com/en-us/azure/api-management/authentication-managed-identity-policy <authentication-managed-identity resource="AD_application_id"/>

With these steps, your App Service should be able to authenticate with AAD using the system-assigned managed identity of your APIM instance.

Let me know even after this if you're facing this error.

Share via

How to authenticate system assigned manage identity of APIM to App service with AAD protected ?

1 answer

Your answer