This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 73%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
I have gone through multiple online resources, and I am not able to get my API Management Service Consumption tier to authenticate with the backend Azure Function using a Managed Identity for the API Management Service.
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 59%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
@Jonathan Lewis Thanks for reaching out. Please refer this below thread which addresses your query https://learn.microsoft.com/en-us/answers/questions/950198/secure-communication-between-azure-api-management
do let me know incase of further queries, I would be happy to assist you.
Janani,
I reviewed the post you provided. But, I am not sure if that is the issue. I do not see anywhere in the documentation or tutorials where I should need to use PowerShell. Otherwise, I have followed all those steps.
As far as I read your queries, you're wondering how you can authenticate API Management instance's managed identity (system assigned) against Azure Functions, which work as backend services, right?
I imagine that...
<policies>
<inbound>
<base />
<authentication-managed-identity resource="AD_application_id"
output-token-variable-name="msi-access-token"
ignore-error="false" />
<set-header name="Authorization"
exists-action="override">
<value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
</set-header>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
If my assumption is correct, please check the following points.
AD_application_id above) to authentication-managed-identity policy in API Management?
Aki,
For some reason the moderator cut off part of my question. I have moved back to my APIM Developer tier instance and it is still not working. What I have done is:
I am not sure what else I should be doing. What I find interesting is that when I test my API from my APIM instance I get a 403 Forbidden error instead of the 401 Unauthorized error which my Function App's Authentication provider is configured to return. I am not sure if that means anything.
What am I missing?
Is there some prerequisite which is not mentioned in the documentation?
Hello Jonathan,
It is quite interesting that function app returned not 401 but 403... If different HTTP method(s) are anticipated, HTTP 406 should be returned.
I'm not sure your configuration of Easy Auth, but could you please check again permission scope you assigned to the function app? Basically user.read should work.
If you face the same issue, could you please assign app role to managed identity? https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Can anyone want to explain why my very specific, detailed, and accurate response to Mr. Nishikawa was removed? This is a very real issue that is preventing me from completing my infrastructure for the product I am working on.
I read through the Code of Conduct. There was nothing even close to violating that code. I also received no email explaining why it was removed. I also see no link or other means to contest the removal or to ask for an explanation. Would someone like to explain?
It is quite foolish to remove post and not tell the poster why. How could I possibly make a better post if I have no idea why my post was removed? Seems foolish to me but I am open to hearing why it is a good practice. Anyone?
Aki,
Until I know why my previous post was deleted let me just ask you a basic question.
In order to try and resolve this issue I have setup multiple APIMS instances in different Resource Groups. In one of my APIMS instances I do not get a 500 error. I only get that error in the Development tier instance. But, in the Consumption tier instance I do get a valid token from the authentication-managed-identity policy. However, the Azure Function returns the 403 Unauthorized response.
What RBAC role does the APIMS need to run aka execute an Azure Function? I have given my APIMS managed identity Reader, Contributor, and Monitoring Reader roles for the Azure Function I want to execute. Is there another role the APIMS managed identity should have?
Regards,
Jonathan