How to authenticate web requests with a managed identity in Azure Load Testing?
Sample:
We have an Azure Web App with the App Service built-in authentication (Easy Auth) configured with Microsoft Entra.
Other web apps connect to this app using managed identity.
But if we want to load test this Web App, how do we authorize the requests in Azure Load Testing?
We tried with the client credentials flow, but this results in a token without a subject claim.
This results in the following errors in the Web App Authentication Troubleshooter, and a 403 if we execute the request with the token.
| Principal (isUser: False) failed single tenancy check for single tenant AAD app. | 14 |
| An authenticated principal (userhash: REDACTED) for an API call failed authorization. | 14 |
| User principal does not have a known stable ID claim! | 12 |
| Access was denied for 'REDACTED' because this principal does not match any of the principal policies. | 12 |
None of these error messages are documented anywhere. This could also help.
Request to fetch the token
```
curl https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token -d \
"client_id={application id of app registration in entra id}&\
client_secret={redacted}&\
grant_type=client_credentials&\
scope={Application ID URI from entra}/.default"
```
Also tried with extra scopes: profile openid email
Part of the JWT Token:
```json
{
  "aud": "api://{Application ID URI from entra}",
  "iss": "https://sts.windows.net/{tenantId}/",
  "iat": 1711008577,
  "nbf": 1711008577,
  "exp": 1711012477,
  "aio": "REDACTED",
  "appid": "{clientId}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenantId}/",
  "rh": "REDACTED",
  "tid": "{tenantId}",
  "uti": "REDACTED",
  "ver": "1.0"
}
```
Any help would be appreciated.
Can we use https://learn.microsoft.com/en-us/java/api/overview/azure/identity-readme?view=azure-java-stable, load this in our Azure Load Testing and connect a managed identity to the Azure Load Testing resource?
Do we need to use a different OAuth flow? Do we need other scopes?
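
A claim-level triage of the token described in the question, as an added example that is not part of the original post: it decodes a JWT payload without verifying the signature and lists what is missing before the request reaches the Web App. Treating `sub` and `oid` as the candidate stable-ID claims is an assumption, and the function and constant names are hypothetical.

```python
import base64
import json

# Assumption: 'sub' and 'oid' are checked as candidate stable-ID claims. The post
# only establishes that the subject claim is missing from the token.
STABLE_ID_CLAIMS = ("sub", "oid")

def b64url(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the form used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return a compact JWT's payload claims WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def triage(claims: dict, expected_tid: str, expected_aud: str) -> list:
    """List the claim-level problems visible before the token is sent to the app."""
    findings = []
    if not any(claims.get(name) for name in STABLE_ID_CLAIMS):
        findings.append("missing stable ID: none of " + "/".join(STABLE_ID_CLAIMS))
    if claims.get("tid") != expected_tid:
        findings.append(f"tid mismatch: {claims.get('tid')!r}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud mismatch: {aud!r}")
    if "scp" not in claims and "roles" not in claims:
        findings.append("no scp or roles claim: no delegated scopes or app roles in token")
    return findings

# Constructed sample: only claims shown in the post, placeholders kept, unsigned.
SAMPLE_CLAIMS = {
    "aud": "api://{Application ID URI from entra}",
    "iss": "https://sts.windows.net/{tenantId}/",
    "appid": "{clientId}", "appidacr": "1",
    "tid": "{tenantId}", "ver": "1.0",
}
SAMPLE_TOKEN = ".".join([b64url(b'{"alg":"none","typ":"JWT"}'),
                         b64url(json.dumps(SAMPLE_CLAIMS).encode()), "constructed"])

if __name__ == "__main__":
    for finding in triage(decode_claims(SAMPLE_TOKEN), "{tenantId}",
                          "api://{Application ID URI from entra}"):
        print("-", finding)
```
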