In Azure load testig, how to authenticatie requests with a managed identity.

Pregress 0 Reputation points
2024-03-21T08:52:19.1933333+00:00

How to authenticate web requests with a managed identity in Azure Load testing?

Sample:

We have an Azure Web App with App Service provides built-in authentication (Easy Auth) configured with Microsoft Entra.

Other web apps connect to this app using managed identity.

But if we wan't to load test this Web App. How do we authorize the requests in azure load testing.

We tried with the client credentials flow, but this results in a token without subject claim.
Resulting in the following error in the Web App Authentication Troubleshooter and a 403 if we execute the request with the token.

| | Principal (isUser: False) failed single tenancy check for single tenant AAD app. | 14 | | | An authenticated principal (userhash: REDACTED) for an API call failed authorization. | 14 | | | User principal does not have a known stable ID claim! | 12 | | | Access was denied for 'REDACTED' because this principal does not match any of the principal policies. | 12 |

None of these error messages are documented anywhere. This could also help.

Request to fetch the token

curl https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token -d \ "client_id={application id of app registration in entra id}&\ client_secret={redacted}&\ grant_type=client_credentials&\ scope={Application ID URI from entra}/.default"

Also tried with extra scopes: profile openid email

Part of the JWT Token:

{
  "aud": "api://{Application ID URI from entra}",
  "iss": "https://sts.windows.net/{tenantId}/",
  "iat": 1711008577,
  "nbf": 1711008577,
  "exp": 1711012477,
  "aio": "REDACTED",
  "appid": "{clientId}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenantId}/",
  "rh": "REDACTED",
  "tid": "{tenantId}",
  "uti": "REDACTED",
  "ver": "1.0"
}

Any help would be appreciated ?
Can we use the https://learn.microsoft.com/en-us/java/api/overview/azure/identity-readme?view=azure-java-stable and load this in our Azure load testing and connect a managed identity to the azure loadtesting resource?

Do we need to use a different oauth flow, do we need other scopes?

Azure Load Testing
Azure Load Testing
An Azure service that enables developers and testers to generate insights on how to improve the performance, scalability, and capacity usage of their application
38 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,304 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. 2024-03-27T00:23:05.5433333+00:00

    Sounds like the issue is on your load-tested WebApp due to expecting a non-present claim. Azure Load testing supports secrets such as access tokens. You could obtain an access token using a test-only low-privileged account in tandem with a non-interactive flow such as the ROPC flow. Depending on your functional and security requirements other options could be available.

    Let me know if you need additional or more detailed guidance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.