Managed Identities with API Management Service Consumption Tier

Jonathan Lewis 20 Reputation points
2024-04-08T18:51:29.66+00:00

I have gone through multiple online resources, and I am not able to get my API Management Service Consumption tier to authenticate with the backend Azure Function using a Managed Identity for the API Management Service.

  1. I have enabled Authentication in the Azure Function.
  2. I have enabled Managed Identities in the API Management Service.
  3. I set the

2 answers

  1. Aki Nishikawa 405 Reputation points Microsoft Employee
    2024-04-15T05:07:35.27+00:00

    As far as I read your queries, you're wondering how you can authenticate API Management instance's managed identity (system assigned) against Azure Functions, which work as backend services, right?

    I imagine that...

    1. you've already enabled Azure Functions built-in authentication capability (so-called "EasyAuth"). Authentication and authorization - Azure App Service | Microsoft Learn
    2. you've already checked the following document to configure authentication using managed identity and configured policies in inbound section. Azure API Management policy reference - authentication-managed-identity | Microsoft Learn
    <policies>
        <inbound>
            <base />
            <authentication-managed-identity resource="AD_application_id"
                                                output-token-variable-name="msi-access-token"
                                                ignore-error="false" />
            <set-header name="Authorization"
                        exists-action="override">
                <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
            </set-header>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>
    

    If my assumption is correct, please check the following points.

    1. Have you populated Application ID (AD_application_id above) to authentication-managed-identity policy in API Management?
    2. Have you configured access control in Entra ID? (If there is no such configuration, all requests carrying an access token will reach the Functions app.)
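
The two checks in this answer map onto claims in the bearer token that API Management sends: `resource` in the policy becomes the token's `aud` claim, and "access control in Entra ID" is what stops any token minted for that audience from reaching the Function. The following is an added, constructed example (not code from the thread or from Microsoft) of the claim-level decisions a backend Function can make once EasyAuth has already verified the token signature. The application ID, tenant ID, managed-identity object ID and the token itself are placeholders; `make_token` builds a demo JWT with a fake signature segment purely so the checks can be exercised offline.

```python
"""
Constructed example: authorization checks on the bearer token that API
Management's system-assigned managed identity presents to an Azure Function.
Signature verification is assumed to be done by EasyAuth in front of the
Function; this code only inspects claims. All identifiers are placeholders.
"""
import base64
import json
from typing import Optional, Tuple

# Assumed values (placeholders, not real identifiers):
#   - the Application (client) ID of the Function's EasyAuth app registration,
#     i.e. the value you would put in resource="..." in the APIM policy
#   - the tenant's v1 issuer URL
#   - the object ID of the APIM instance's system-assigned managed identity
EXPECTED_AUDIENCE = "00000000-0000-0000-0000-00000000aaaa"
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-00000000bbbb/"
ALLOWED_CALLER_OIDS = {"11111111-1111-1111-1111-111111111111"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    The signature is deliberately NOT checked here; EasyAuth does that."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def authorize(token: str, now: float, enforce_caller_allowlist: bool = True) -> Tuple[bool, str]:
    """Decide whether the caller may invoke the Function.

    Returns (allowed, reason). With enforce_caller_allowlist=False this mirrors
    the situation described in the answer above: any token for the right
    audience is accepted, regardless of which identity obtained it.
    """
    claims = decode_claims(token)
    if claims.get("aud") != EXPECTED_AUDIENCE:
        # Symptom of a wrong resource="..." in the APIM policy: EasyAuth 401s.
        return False, "audience mismatch: %r" % claims.get("aud")
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch: %r" % claims.get("iss")
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    if enforce_caller_allowlist and claims.get("oid") not in ALLOWED_CALLER_OIDS:
        # This is the check that "configured access control" provides;
        # without it any principal in the tenant that can request the
        # audience gets through.
        return False, "caller %r not permitted" % claims.get("oid")
    return True, "ok"


def make_token(claims: dict) -> str:
    """Build a constructed demo JWT. Real Entra tokens are RS256-signed;
    the third segment here is a placeholder, not a signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"signature-placeholder"),
    ])


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the three cases a practitioner debugging this setup will meet."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "oid": "11111111-1111-1111-1111-111111111111", "exp": now + 3600}
    apim_mi = make_token(base)
    wrong_resource = make_token({**base, "aud": "22222222-2222-2222-2222-22222222cccc"})
    other_principal = make_token({**base, "oid": "33333333-3333-3333-3333-333333333333"})
    return {
        "apim_mi": authorize(apim_mi, now),
        "wrong_resource": authorize(wrong_resource, now),
        "other_principal_no_access_control": authorize(other_principal, now, enforce_caller_allowlist=False),
        "other_principal_with_access_control": authorize(other_principal, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The `wrong_resource` case is what a mis-populated `resource` attribute looks like from the Function's side, and the two `other_principal` cases show why the answer's second check matters: with no allow-list (or no app-assignment requirement in Entra ID) the token is accepted on audience alone.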

  2. JananiRamesh-MSFT 21,246 Reputation points
    2024-04-17T09:17:12.9833333+00:00

    @Jonathan Lewis Thanks for reaching out. Please refer to the thread below, which addresses your query: https://learn.microsoft.com/en-us/answers/questions/950198/secure-communication-between-azure-api-management

    Do let me know in case of further queries; I would be happy to assist you.