As far as I read your queries, you're wondering how you can authenticate API Management instance's managed identity (system assigned) against Azure Functions, which work as backend services, right?
I imagine that...
- you've already enabled Azure Functions built-in authentication capability (so-called "EasyAuth"). See: Authentication and authorization - Azure App Service | Microsoft Learn
- you've already checked the following document to configure authentication using managed identity and configured policies in the inbound section. See: Azure API Management policy reference - authentication-managed-identity | Microsoft Learn
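```xml
<policies>
    <inbound>
        <base />
        <!-- Obtain a token for the backend using the API Management managed identity.
             AD_application_id is a placeholder for the Application ID. -->
        <authentication-managed-identity resource="AD_application_id"
                                         output-token-variable-name="msi-access-token"
                                         ignore-error="false" />
        <!-- Forward the token to the backend as a bearer token. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```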
If my assumption is correct, please check the following points.
- Have you populated the Application ID (`AD_application_id` above) in the `authentication-managed-identity` policy in API Management?
- Have you configured access control in Entra ID? (If there is no configuration, all requests with an access token should reach Functions.)
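Added example, not part of the original answer: a troubleshooting helper that decodes the claims of the token API Management forwards and checks the two points above, namely that `aud` matches the backend's Application ID and that the caller is on an allow-list. It does not verify the signature, so it is for diagnostics only; the function names, the allow-list parameter and all IDs are assumptions constructed for the example.

```python
import base64
import json

def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, expected_audiences, allowed_callers):
    """Return a list of findings; an empty list means both checks pass."""
    claims = decode_claims(token)
    findings = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not set(auds) & set(expected_audiences):
        findings.append(f"aud {aud!r} does not match the backend's application ID")
    # v1 tokens carry the caller's client ID in 'appid', v2 tokens in 'azp';
    # 'oid' is the object ID of the caller's service principal.
    caller_ids = {claims.get(k) for k in ("appid", "azp", "oid")} - {None}
    if not allowed_callers:
        findings.append("no caller allow-list: any token with a valid aud is accepted")
    elif not caller_ids & set(allowed_callers):
        findings.append(f"caller {sorted(caller_ids)} is not in the allow-list")
    return findings

def _make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed placeholder IDs, not real values.
BACKEND_APP_ID = "11111111-1111-1111-1111-111111111111"
APIM_IDENTITY_OID = "22222222-2222-2222-2222-222222222222"
SAMPLE = _make_sample_token({"aud": BACKEND_APP_ID, "oid": APIM_IDENTITY_OID,
                             "appid": "33333333-3333-3333-3333-333333333333"})

if __name__ == "__main__":
    result = check_token(SAMPLE, {BACKEND_APP_ID}, {APIM_IDENTITY_OID})
    for finding in result or ["ok"]:
        print(finding)
```

Pass every accepted audience form in `expected_audiences`, since `aud` reflects whatever value was given as `resource` in the policy.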