Function App error : No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.

Chaitra Shivanand Kulkarni (INFOSYS LIMITED) 45 Reputation points Microsoft Vendor
2024-05-02T19:27:30.18+00:00

I have followed this tutorial

https://review.learn.microsoft.com/en-us/identity/microsoft-identity-platform/federated-identity-credentials?branch=main&tabs=dotnet#more-resources

And added the user assigned managed identity as a federated identity credential to the app registration, which has access to another Azure application. The function app is throwing this error.

[Information] ManagedIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ api://AzureADTokenExchange/.default ] ParentRequestId: Exception: Azure.Identity.AuthenticationFailedException (0x80131500): ManagedIdentityCredential authentication failed: Service request failed.

ManagedIdentityCredential authentication failed: Service request failed.
Status: 400 (Bad Request)

Content:
{"statusCode":400,"message":"No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId."

Here is the code:

    var assertion = new ClientAssertionCredential(_tenantId, _applicationId, async (token) => await GetManagedIdentityToken(clientId, audience));
    return (await assertion.GetTokenAsync(new TokenRequestContext(scopes: new[] { resourceUrl }))).Token;
 static async Task

Accepted answer
  1. James Hamil 22,891 Reputation points Microsoft Employee
    2024-05-07T20:18:49.2266667+00:00

    Hi @Chaitra Shivanand Kulkarni (INFOSYS LIMITED), the error message "No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId" indicates that the managed identity you are using does not have the required permissions to access the specified resource.

    To resolve this issue, you need to ensure that the managed identity has the necessary permissions to access the resource. Here are the steps to follow:

    1. Check if the managed identity is correctly assigned to the function app. You can do this by going to the "Identity" section of the function app in the Azure portal and verifying that the managed identity is enabled.
    2. Check if the managed identity has the necessary permissions to access the resource. You can do this by going to the "Access control (IAM)" section of the resource in the Azure portal and verifying that the managed identity has the required role assignment.
    3. If the managed identity does not have the required role assignment, you can add it by clicking on the "Add role assignment" button and selecting the appropriate role.
    4. If the managed identity is correctly assigned and has the necessary role assignment, then you need to ensure that the resource URL and audience are correct. Double-check that the resource URL and audience are correct and match the resource you are trying to access.
    5. If you are still getting the same error after following these steps, you can try using the Azure CLI to check the role assignments for the managed identity. You can use the following command:

           az role assignment list --assignee managed-identity-object-id

       Replace managed-identity-object-id with the object ID of the managed identity. This command will list all the role assignments for the managed identity. Check if the managed identity has the required role assignment for the resource you are trying to access.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James


2 additional answers

  1. Venkata Sita Rama Swami Digumarthi 0 Reputation points Microsoft Vendor
    2024-06-26T00:01:06.86+00:00

    Issue resolved


  2. Venkata Sita Rama Swami Digumarthi 0 Reputation points Microsoft Vendor
    2024-06-26T04:50:08.8433333+00:00

    We are able to resolve this by creating a Managed Identity Azure resource and adding it as a User Assigned managed identity in the respective webapp.

    0 comments No comments
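
A check for the situation described in the answer above, added here as an example and not part of the original thread: it takes the JSON printed by `az functionapp identity show` and reports whether the ID the code passes to `ManagedIdentityCredential` is the client ID of an identity attached to the app. The sample JSON, its IDs and the function name `classify_identity_id` are constructed for illustration.

```python
import json

# Constructed sample shaped like `az functionapp identity show` output; all IDs are made up.
SAMPLE = """{
  "principalId": "11111111-1111-1111-1111-111111111111",
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "type": "SystemAssigned, UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/SUB/resourcegroups/rg-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uami-demo": {
      "clientId": "22222222-2222-2222-2222-222222222222",
      "principalId": "33333333-3333-3333-3333-333333333333"
    }
  }
}"""


def classify_identity_id(identity_json, configured_id):
    """Compare the ID handed to ManagedIdentityCredential with the identities
    assigned to the app. Returns a (status, detail) tuple."""
    wanted = configured_id.strip().lower()
    # Treat empty input as an app with no managed identity at all.
    doc = json.loads(identity_json) if identity_json.strip() else {}
    user_assigned = doc.get("userAssignedIdentities") or {}

    for resource_id, ids in user_assigned.items():
        if (ids.get("clientId") or "").lower() == wanted:
            return ("ok", resource_id)
    for resource_id, ids in user_assigned.items():
        if (ids.get("principalId") or "").lower() == wanted:
            # Object (principal) ID supplied where the client ID belongs.
            return ("principal-id-not-client-id", ids.get("clientId") or "")
        if resource_id.lower() == wanted:
            return ("resource-id-not-client-id", ids.get("clientId") or "")
    if (doc.get("principalId") or "").lower() == wanted:
        return ("system-assigned-principal-id", "")
    # No assigned identity matches: attach the user-assigned identity to the app,
    # which is the fix reported in the last answer.
    return ("not-assigned", ", ".join(user_assigned) or "no user-assigned identities")


if __name__ == "__main__":
    for candidate in ("22222222-2222-2222-2222-222222222222",
                      "33333333-3333-3333-3333-333333333333",
                      "44444444-4444-4444-4444-444444444444"):
        print(candidate, classify_identity_id(SAMPLE, candidate))
```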