Hi @Juraj Ban
Thank you for posting this in Microsoft Q&A.
I understand that, while adding users/groups, you cannot select or find the Managed Identity to give it permission for PreAuth.
Adding the MSI (essentially a service principal) to the Users and groups of an enterprise application is different from adding a user/group; you need to leverage the Azure AD app role.
Please follow the steps below.
1. Navigate to Microsoft Entra admin center in the portal -> App registrations -> search for your app name with the filter All applications -> click it -> App roles -> Create app role -> create the role like below -> Apply.
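2. Use the PowerShell below
# Requires the Microsoft Graph PowerShell SDK; all three variables are object IDs (GUIDs).
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'
New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $serverServicePrincipalObjectId `
    -PrincipalId $managedIdentityObjectId `
    -ResourceId $serverServicePrincipalObjectId `
    -AppRoleId $appRoleId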
After doing the steps above, navigate to Users and groups; you will find the MSI is added to it.
For more information: Assign a managed identity access to Enterprise application
Hope this helps. Do let us know if you have any further queries. If you are encountering any issues, please post back by responding in the comments section.
Thanks,
Navya.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
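The assignment from step 2 with the three IDs resolved from display names and a check that the role is not already assigned, as an added example that is not part of the original answer. The three placeholder names are assumptions to replace with your own values, and the script assumes the app role from step 1 allows Applications as a member type.

```powershell
# Added example, not from the original answer. Placeholder values are assumptions.
$serverAppName       = '<enterprise-app-display-name>'
$managedIdentityName = '<managed-identity-display-name>'
$appRoleValue        = '<app-role-value>'

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

# Resolve the enterprise application's service principal (the resource).
$serverSp = @(Get-MgServicePrincipal -Filter "displayName eq '$serverAppName'")
if ($serverSp.Count -ne 1) {
    throw "Expected exactly one service principal named '$serverAppName', found $($serverSp.Count)."
}
$serverSp = $serverSp[0]

# Resolve the managed identity's service principal (the principal receiving the role).
$miSp = @(Get-MgServicePrincipal -Filter "displayName eq '$managedIdentityName'" |
    Where-Object { $_.ServicePrincipalType -eq 'ManagedIdentity' })
if ($miSp.Count -ne 1) {
    throw "Expected exactly one managed identity named '$managedIdentityName', found $($miSp.Count)."
}
$miSp = $miSp[0]

# Find the enabled app role created in step 1.
$role = $serverSp.AppRoles | Where-Object { $_.Value -eq $appRoleValue -and $_.IsEnabled }
if (-not $role) {
    throw "No enabled app role with value '$appRoleValue' on '$serverAppName'."
}
# Assumption: the role must allow 'Application' to be assignable to a service principal.
if ($role.AllowedMemberTypes -notcontains 'Application') {
    throw "App role '$appRoleValue' does not list 'Application' in AllowedMemberTypes."
}

# Skip the call if this principal already holds the role.
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $serverSp.Id -All |
    Where-Object { $_.PrincipalId -eq $miSp.Id -and $_.AppRoleId -eq $role.Id }

if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $serverSp.Id `
        -PrincipalId $miSp.Id `
        -ResourceId $serverSp.Id `
        -AppRoleId $role.Id | Out-Null
}

# List who holds roles on the application, to review the result.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $serverSp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```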