Generate Access Token via Managed Identity

Question

Generate Access Token via Managed Identity

Rohit 256

Hello,

I am following this query : https://stackoverflow.com/questions/74017863/adf-web-activity-get-access-token-with-post-api-using-system-assigned-managed-id

Can someone help me generate an Access token just based on Managed identity and no usage of Service principal

Anonymous

2023-10-31T07:19:37.63+00:00

@Rohit

Thanks for using Microsoft Q&A

https://stackoverflow.com/questions/74017863/adf-web-activity-get-access-token-with-post-api-using-system-assigned-managed-id " The solution provided in this post is describing the approach to generate access token using system assigned managed identity.

Kindly let us know what issue you are facing while trying this approach.

kindly provide some more details on your ask if possible.
Nandan Hegde 36,716 Reputation points MVP Volunteer Moderator

2023-10-31T07:38:10.9+00:00

hey @Anonymous , the link shared does use SP as seen below

wherein body needs a client id and secret.

So do you mean that the value needs to be copied as is? We might need to test that out
Anonymous

2023-11-02T08:31:15.92+00:00

@Rohit

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
John Knutson 0 Reputation points

2023-11-02T14:23:01.53+00:00

Hello @Anonymous , I am having this same issue.

I am following the documentation for the OAuth2 Client Credentials grant flow documentation to retrieve an access token using an Azure Data Factory Web Activity, but I cannot determine how to call the API using a System Managed Identity for authentication.

Is there a supported auth flow for retrieving an access token with a System Managed Identity via Azure Data Factory?
Anonymous

2023-11-03T07:26:22.6933333+00:00
@R-5499

In order to get the authorization token it has to be using service principal, Not Managed identity.

The Managed Identity Authentication eliminates the necessity of generating the Access token for authentication.

STEP 1

You will have to grab the identity of the system assigned ADF or create a user assigned identity.

Add this identity to the resource that you are accessing. For instance if you are accessing the Storage Account from ADF

You can mange the access in the IAM of the Storage account / any service and ADF Identity with Appropriate access.

In the above case, reprofactory is the adf instance at my end.

STEP2 :

You will use managed Identity if you are accessing the resource through the ADF Identity

Alternatively, if you are using the user assigned identity, you will have configure the credential

You could refer this Video here for more information : https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Option 2 :

If you want to generate the OAUTH token. You will have issue the request in the below format :

Copy

POST /{tenant}/oauth2/v2.0/token HTTP/1.1 //Line breaks for clarity

Here the Client ID and Client Secret service principal.

Here the Client ID and Client Secret service principal.

Hope this helps. if you have further queries, please do let us know.
Anonymous

2023-11-06T06:37:42.4433333+00:00

@Rohit

just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
John Knutson 0 Reputation points

2023-11-06T14:32:45.2733333+00:00

I was able to successfully call my API using the MSI for authentication. I did not need to request a token at all, so I removed that step and used the Managed System Identity when calling my API directly.

1 answer

Your answer

Anonymous

2023-10-31T07:19:37.63+00:00

@Rohit

Thanks for using Microsoft Q&A

https://stackoverflow.com/questions/74017863/adf-web-activity-get-access-token-with-post-api-using-system-assigned-managed-id " The solution provided in this post is describing the approach to generate access token using system assigned managed identity.

Kindly let us know what issue you are facing while trying this approach.

kindly provide some more details on your ask if possible.
Nandan Hegde 36,716 Reputation points MVP Volunteer Moderator

2023-10-31T07:38:10.9+00:00

hey @Anonymous , the link shared does use SP as seen below

wherein body needs a client id and secret.

So do you mean that the value needs to be copied as is? We might need to test that out
Anonymous

2023-11-02T08:31:15.92+00:00

@Rohit

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
John Knutson 0 Reputation points

2023-11-02T14:23:01.53+00:00

Hello @Anonymous , I am having this same issue.

I am following the documentation for the OAuth2 Client Credentials grant flow documentation to retrieve an access token using an Azure Data Factory Web Activity, but I cannot determine how to call the API using a System Managed Identity for authentication.

Is there a supported auth flow for retrieving an access token with a System Managed Identity via Azure Data Factory?
Anonymous

2023-11-03T07:26:22.6933333+00:00

@R-5499

In order to get the authorization token it has to be using service principal, Not Managed identity.

The Managed Identity Authentication eliminates the necessity of generating the Access token for authentication.

STEP 1

You will have to grab the identity of the system assigned ADF or create a user assigned identity.

Add this identity to the resource that you are accessing. For instance if you are accessing the Storage Account from ADF

You can mange the access in the IAM of the Storage account / any service and ADF Identity with Appropriate access.

In the above case, reprofactory is the adf instance at my end.

STEP2 :

You will use managed Identity if you are accessing the resource through the ADF Identity

Alternatively, if you are using the user assigned identity, you will have configure the credential

You could refer this Video here for more information : https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Option 2 :

If you want to generate the OAUTH token. You will have issue the request in the below format :

Copy

POST /{tenant}/oauth2/v2.0/token HTTP/1.1 //Line breaks for clarity

Here the Client ID and Client Secret service principal.

Here the Client ID and Client Secret service principal.

Hope this helps. if you have further queries, please do let us know.
Anonymous

2023-11-06T06:37:42.4433333+00:00

@Rohit

just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
John Knutson 0 Reputation points

2023-11-06T14:32:45.2733333+00:00

I was able to successfully call my API using the MSI for authentication. I did not need to request a token at all, so I removed that step and used the Managed System Identity when calling my API directly.

Answer 1

There's a bit hacky method to actually get the token for a managed identity in ADF. In order to do that, you need to use either an external HTTP request mirror service or make an internal one (which is relatively easy using, say, Logic Apps or Azure Functions). Here's a working example I just tested:

User's image

The external HTTP request mirror I used (disclaimer: don't do this in production!) is https://apichallenges.herokuapp.com/mirror/request

The result I got is:

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz****lHbW55RlBraGMzaE91UjIybXZTd******I6IjlHbW55RlBraG***uTG83WSJ9.eyJhdWQiOiJodHR

which you can use for your nefarious needs.

Share via

Generate Access Token via Managed Identity

1 answer

Your answer