Secure communication between Azure API Management and functions using managed identity

Devidasan Nirmala 31 Reputation points
2022-08-01T12:03:52.99+00:00

Hello Team,

I have performed a POC where I try to secure communication between Azure API Management and functions using managed identity.

1) APIM instance has a system “Managed Identity” configured.
2) Azure function has “Authentication” configured.
3) App registration has been created in Azure AD for the Azure Function and the same has been configured in step 2.
4) API in APIM has been updated with the authentication-managed-identity policy.

The POC itself was successful but the part that is unclear is how Azure Function restricts only the APIM Managed Identity to access the Azure Function.

Thank you


Accepted answer
  1. JananiRamesh-MSFT 22,121 Reputation points
    2022-08-03T18:09:41.727+00:00

    Hi @Devidasan Nirmala, thanks for reaching out. To be able to request a token for the APIM, the managed identity enabled in step 1 needs to be given permission to access the application created in the 3rd step and have a role assigned. This is not something that can be done in the portal today. Please follow this document to assign a managed identity to a role using a PowerShell command: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell?WT.mc_id=AZ-MVP-5002438&tabs=azurepowershell.

    This allows you to get access tokens from a specific resource within Azure Active Directory, allowing you to define which identity you require to request that token. In this way, the Azure Function will restrict access so that only the APIM Managed Identity can access the Azure Function.

    Please let me know in case of further queries; I would be happy to assist you.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
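
The role assignment described in the accepted answer, written out as an added example with the Microsoft Graph PowerShell module (it is not code from this thread or from the linked document). The object ID, client ID and role value are placeholders, and it assumes an app role that allows `Application` members is already defined on the Function's app registration. The final `AppRoleAssignmentRequired` step goes beyond the answer: it makes Azure AD refuse to issue a token for this application to any principal that has no assignment.

```powershell
# Added example. The three values below are placeholders/assumptions.
$ManagedIdentityObjectId = '<apim-managed-identity-object-id>'      # APIM instance > Identity blade
$FunctionAppClientId     = '<function-app-registration-client-id>'  # app registration from step 3
$AppRoleValue            = 'Function.Invoke'                        # hypothetical app role value

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# Service principal (enterprise application) behind the Function's app registration.
$resourceSp = Get-MgServicePrincipal -Filter "appId eq '$FunctionAppClientId'"
if (-not $resourceSp) { throw "No service principal found for appId $FunctionAppClientId" }

# Only an enabled role that allows 'Application' members can be granted to a managed identity.
$role = $resourceSp.AppRoles | Where-Object {
    $_.Value -eq $AppRoleValue -and $_.IsEnabled -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $role) { throw "App role '$AppRoleValue' is not defined for application members" }

# Create the assignment only if it does not exist yet, so the script can be re-run.
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All |
    Where-Object { $_.PrincipalId -eq $ManagedIdentityObjectId -and $_.AppRoleId -eq $role.Id }
if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId `
        -PrincipalId $ManagedIdentityObjectId -ResourceId $resourceSp.Id `
        -AppRoleId $role.Id | Out-Null
}

# Beyond the answer: require an assignment before Azure AD issues a token for this app.
Update-MgServicePrincipal -ServicePrincipalId $resourceSp.Id -AppRoleAssignmentRequired:$true

# Review who can now obtain a token; the APIM identity should be the only entry.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```

Tokens that APIM obtains afterwards carry the assigned role in the `roles` claim, which the Function can check in addition to the audience.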

