MIP SDK and managed identities

Alexander P 41 Reputation points
2025-06-20T17:39:08.8566667+00:00

I want to get a token that can decrypt an AIP protected file, by using the MIP SDK.

This is working with certificate credentials.

My idea is to use a managed identity to get the token.

My problem is that I didn't find a way to configure the AIP Azure application to get a token that is accepted by AIP.

This is what I've tried:

I've created a federated credential for my Azure app with API permissions to Azure Rights Management.

The Federated credential scenario was set to "Managed Identity" and the managed identity was set to the application identity that wants to get the token.

When I run my code I get the following error message:

Microsoft.InformationProtection.Exceptions.AccessDeniedException: The service didn't accept the auth token

Any help would be appreciated.


Accepted answer
  1. Chandra Boorla 14,665 Reputation points Microsoft External Staff Moderator
    2025-06-27T01:31:55.7+00:00

    @Alexander P

    Apologies for the delay in response.

    Thanks for your detailed explanation, this is a great question and highlights a common integration challenge with the MIP SDK and Azure Information Protection (AIP) when moving toward managed identity and federated credentials.

    What’s happening

    The error Microsoft.InformationProtection.Exceptions.AccessDeniedException: The service didn't accept the auth token indicates that the token obtained via the managed identity is not accepted by the Azure Rights Management (RMS/AIP) backend. This is expected behavior as of now because:

    • The RMS service requires the exact appId of a registered Azure AD app that has been explicitly configured for MIP usage.
    • Managed identities use workload identity federation, but AIP does not currently support federated tokens; it expects tokens obtained via client credentials using a certificate or client secret.
    • RMS enforces a strict validation of the app ID, token audience, and associated permissions, and doesn't recognize the managed identity's appId.

    What works today

    For now, the officially supported and reliable way to authenticate with MIP SDK for decrypting AIP-protected content is:

    • Use an Azure AD App Registration (not a managed identity).
    • Authenticate using a client certificate or secret.
    • Ensure your app is granted the correct API permissions, e.g., Azure Rights Management (Delegated User) or Content.SuperUser.

    Workaround with managed identity

    If your goal is to avoid storing certificates in code, you can still:

    • Let your managed identity access Azure Key Vault to securely fetch the certificate.
    • Use that certificate to authenticate as the AIP-registered app (not the managed identity itself).
    • Use the resulting token with the MIP SDK.

    This maintains cloud-native security hygiene while complying with RMS/AIP token validation requirements.

    I hope this information helps. Please do let us know if you have any further queries.

    Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

    Thank you.

    1 person found this answer helpful.
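The workaround in the accepted answer (managed identity reads the certificate from Key Vault, the certificate then authenticates as the AIP-registered app, and the resulting token is handed to the MIP SDK) can be wired up as shown below. This is an added example, not code from the question, the answer or the MIP SDK samples. It assumes the MIP SDK .NET package (Microsoft.InformationProtection.File), MSAL.NET, Azure.Identity and Azure.Security.KeyVault.Secrets are referenced; the tenant ID, client ID, vault URI and certificate name are placeholders, and the class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;
using Microsoft.InformationProtection;

// Placeholder values (assumptions): replace with your tenant, the AIP-registered
// app registration's client ID, and the vault that holds that app's certificate.
static class AipAuthConfig
{
    public const string TenantId = "<tenant-id>";
    public const string AipAppClientId = "<client-id-of-aip-registered-app>";
    public const string KeyVaultUri = "https://<your-vault>.vault.azure.net/";
    public const string CertificateName = "<aip-app-certificate-name>";
}

static class AipCertificateLoader
{
    // Step 1: the managed identity (no secret in code or config) reads the certificate
    // from Key Vault. A Key Vault certificate with its private key is exposed through the
    // Secrets API as a base64-encoded PFX, which is why SecretClient is used here.
    public static async Task<X509Certificate2> LoadFromKeyVaultAsync()
    {
        var secretClient = new SecretClient(
            new Uri(AipAuthConfig.KeyVaultUri),
            new ManagedIdentityCredential());   // system-assigned managed identity

        KeyVaultSecret secret = await secretClient.GetSecretAsync(AipAuthConfig.CertificateName);
        byte[] pfx = Convert.FromBase64String(secret.Value);

        // EphemeralKeySet keeps the private key in memory only; nothing is persisted to disk.
        return new X509Certificate2(pfx, (string?)null, X509KeyStorageFlags.EphemeralKeySet);
    }
}

// Step 2 and 3: an IAuthDelegate that the MIP SDK calls back whenever it needs a token.
// The token is acquired with the client-credentials flow as the AIP-registered app
// (certificate credential), so the token's appid is the registered app, not the managed identity.
class CertificateAuthDelegate : IAuthDelegate
{
    private readonly IConfidentialClientApplication _app;

    public CertificateAuthDelegate(X509Certificate2 certificate)
    {
        _app = ConfidentialClientApplicationBuilder
            .Create(AipAuthConfig.AipAppClientId)
            .WithCertificate(certificate)
            .WithAuthority(AzureCloudInstance.AzurePublic, AipAuthConfig.TenantId)
            .Build();
    }

    // The SDK passes the resource it needs a token for (for RMS this is the
    // Azure Rights Management resource); ".default" requests the app permissions
    // that were granted to the app registration.
    public string AcquireToken(Identity identity, string authority, string resource, string claims)
    {
        string[] scopes = { resource.TrimEnd('/') + "/.default" };
        AuthenticationResult result = _app
            .AcquireTokenForClient(scopes)
            .ExecuteAsync()
            .GetAwaiter()
            .GetResult();
        return result.AccessToken;
    }
}

static class Program
{
    static async Task Main()
    {
        X509Certificate2 cert = await AipCertificateLoader.LoadFromKeyVaultAsync();
        IAuthDelegate authDelegate = new CertificateAuthDelegate(cert);

        // Pass authDelegate to your FileEngineSettings / profile setup exactly as you
        // would with the certificate-credential code that already works; only the
        // source of the certificate has changed.
        Console.WriteLine("Auth delegate ready for the AIP-registered app.");
    }
}
```

Two things to check before running this: the managed identity needs read access to the vault secret (the "Key Vault Secrets User" RBAC role, or an access policy with secret `get`), and the certificate in Key Vault must be the one registered on the AIP app registration. If the SDK still reports that the service did not accept the token, decode the access token and confirm its `appid` claim is the AIP-registered app's client ID and its audience is the Rights Management resource; a token whose `appid` is the managed identity's is exactly what the answer says RMS rejects.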
