Managed Identities with API Management Service Consumption Tier

Jonathan Lewis 20 Reputation points
2024-04-08T18:51:29.66+00:00

I have gone through multiple online resources, and I am not able to get my API Management Service Consumption tier to authenticate with the backend Azure Function using a Managed Identity for the API Management Service.

  1. I have enabled Authentication in the Azure Function.
  2. I have enabled Managed Identities in the API Management Service.
  3. I set the
Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,206 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Aki Nishikawa 1,825 Reputation points Microsoft Employee
    2024-04-15T05:07:35.27+00:00

    As far as I read your queries, you're wondering how you can authenticate API Management instance's managed identity (system assigned) against Azure Functions, which work as backend services, right?

    I imagine that...

    1. you've already enabled Azure Functions built-in authentication capability (so-called "EasyAuth"). Authentication and authorization - Azure App Service | Microsoft Learn
    2. you've already checked the following document to configure authentication using managed identity and configured policies in inbound section. Azure API Management policy reference - authentication-managed-identity | Microsoft Learn
    <policies>
        <inbound>
            <base />
            <authentication-managed-identity resource="AD_application_id"
                                                output-token-variable-name="msi-access-token"
                                                ignore-error="false" />
            <set-header name="Authorization"
                        exists-action="override">
                <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
            </set-header>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>
    

    If my assumption is correct, please check the following points.

    1. Have you populated Application ID (AD_application_id above) to authentication-managed-identity policy in API Management?
    2. Have you configured access control in Entra ID? (If no configuration, all requests with access token should be reached Functions.)

  2. JananiRamesh-MSFT 28,716 Reputation points
    2024-04-17T09:17:12.9833333+00:00

    @Jonathan Lewis Thanks for reaching out. Please refer this below thread which addresses your query https://learn.microsoft.com/en-us/answers/questions/950198/secure-communication-between-azure-api-management

    do let me know incase of further queries, I would be happy to assist you.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.