Azure App Service is able to use Managed Identity (no app roles set) to call another AAD-protected App Service. Why?

michaelLL 96 Reputation points
2021-02-28T15:50:12.407+00:00

Structure Setup

App service A, with app service plan A (Free Tier), with System Assigned Identity on
App service B, with app service plan B (Free Tier), with AAD authentication and authorization, with service principal B
That's it, no further setup: no app roles, no token audience.

Then I made a very simple console app using .Net 5.

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.Azure.Services.AppAuthentication;

    // Runs inside App service A, so the provider picks up A's system-assigned managed identity.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();

    // Request a token whose audience is App service B's service principal (its client ID).
    var token = azureServiceTokenProvider.GetAccessTokenAsync("SPN B's client Id", "Tenant Id").GetAwaiter().GetResult();

    Console.WriteLine(token);

    using (var hc = new HttpClient())
    {
        hc.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

        // Call the AAD-protected App service B with the managed identity token.
        var res = hc.GetAsync("App service B url").GetAwaiter().GetResult();

        var body = res.Content.ReadAsStringAsync().GetAwaiter().GetResult();

        Console.WriteLine(body);
    }

Then I dropped this console app into App service A's Kudu console and ran it. Surprisingly, it was able to use the managed identity token to access app service B.

I am very confused; the managed identity should not have any access. The returned JWT token:

    {
      "aud": "SPN B's client id",
      "iss": "issuer",
      "iat": 1614463676,
      "nbf": 1614463676,
      "exp": 1614550376,
      "aio": "E2ZgYHAIulMkupMv5ku6dYrERh0LAA==",
      "appid": "Managed identity client id",
      "appidacr": "2",
      "idp": "issuer",
      "oid": "Managed identity object id",
      "rh": "0.ASgA43WCTWxU70i_QFayzgGduttb1iTw-FBIn9cvBo6st-IoAAA.",
      "sub": "Managed identity object id",
      "tid": "tenant id",
      "uti": "--aa0ubSrEqW4yeOzeYBAA",
      "ver": "1.0"
    }

Could someone please help me understand this situation? Is it because of the free tier app service plan or some other default setup?

Thank you a lot in advance!


Accepted answer
  1. michaelLL 96 Reputation points
    2021-03-04T13:47:53.823+00:00

    Found the answer:

    The app service B service principal's default "user assignment required" was set to false and the supported account type was "My organization only". Any valid service principal in the same tenant should be able to get an access token for it. A managed identity is a valid service principal, so it can get an access token.

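To make the accepted answer concrete: issuance of the token only proves the caller is some principal in the tenant, so App service B has to do its own authorization on the claims. This is an added example, not code from the thread; it assumes App Service Authentication has already validated the signature, and uses a hypothetical app role name `Api.Invoke` plus the placeholder claim values from the question.

```python
import base64
import json
from typing import Dict, List

# Claims from the token posted in the question (identifiers are the placeholders used there).
# Note there is no "roles" claim: no app role was assigned to the managed identity.
SAMPLE_CLAIMS: Dict[str, str] = {
    "aud": "SPN B's client id",
    "iss": "issuer",
    "appid": "Managed identity client id",
    "appidacr": "2",
    "oid": "Managed identity object id",
    "tid": "tenant id",
    "ver": "1.0",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(claims: dict) -> str:
    """Constructed sample token (header.payload.<placeholder>) so the parser has input to run on."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(jwt: str) -> dict:
    """Read the payload claims. Assumes the platform already verified the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def authorize(claims: dict, expected_aud: str, expected_tid: str, required_role: str) -> List[str]:
    """Checks the resource must do itself; an empty list means the caller is allowed in."""
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append("audience mismatch")
    if claims.get("tid") != expected_tid:
        problems.append("wrong tenant")
    if required_role not in claims.get("roles", []):
        problems.append(f"missing app role '{required_role}'")
    return problems
```

With the question's token, `authorize` rejects the call for the missing app role even though `aud` and `tid` are correct, which is the check App service B was not doing.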

1 additional answer

  1. Marilee Turscak-MSFT 35,621 Reputation points Microsoft Employee
    2021-03-03T20:10:42.223+00:00

    You can check the following script to see if somehow an app role got assigned:

    # Replace with your managed identity object ID
    $miObjectID = "17707c90-dab4-483d-a57f-65e91ac3d94f"
    # Microsoft Graph; the ID is the same in all tenants
    $appId = "00000003-0000-0000-c000-000000000000"

    Connect-AzureAD

    # Service principal of the resource whose app roles are being checked
    $app = Get-AzureADServicePrincipal -Filter "AppId eq '$appId'"

    # App role assignments on that resource that belong to the managed identity
    $appRoles = Get-AzureADServiceAppRoleAssignment -ObjectId $app.ObjectId | Where-Object PrincipalId -eq $miObjectID

    foreach ($appRole in $appRoles) {
        $role = $app.AppRoles | Where-Object Id -eq $appRole.Id | Select-Object -First 1
        Write-Host $role.Value
    }

    If you go to the system-assigned managed identity and select Identity > Permissions > Azure role assignments, you can see whether any Azure roles are assigned to that identity. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-managed-identity
