Access Azure Sphere Public API with AAD managed identity

You can use this method to authenticate to any service that supports Azure Active Directory (AAD) authentication, without any credentials in your code. AAD managed identity handles the creation or renewal of service principals on your behalf. It is a service principal of a special type that may only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed.

System-assigned: Some Azure services allow you to enable a managed identity directly on a service instance. For example, an Azure App Service. When you enable a system-assigned managed identity an identity is created in Azure AD that is tied to the lifecycle of that service instance. So when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.

Prerequisites

• An Azure Sphere-based device with development features.
• Azure Sphere tenant.
• Set up a development environment for Azure Sphere.
• Azure Active Directory tenant (Tenant ID).
• Azure subscription.
• Add the Azure Sphere Public API Application ID to your Azure tenant.

The following section explains how to call the Azure Sphere Public API (PAPI) from an Azure Web App using managed identity.

Step 1: Enable the system-assigned identity in the resource

To enable the system-assigned identity in the resource and to find the Object ID for the project:

1. In the Azure portal, on the left navigation pane, click App Services.
2. Choose the required subscriptions from the dropdown, and select your app from the search results.
3. On the logic app menu, under Settings, select Identity.
4. Enable the System-assigned identity by setting the Status to On.
5. Click Save.
6. Copy the Object ID.

Step 2: Add the managed identity to the Azure Sphere tenant

Note

Ensure that you have the following before beginning this step:

• Azure Sphere Tenant: Run the command azsphere tenant show-selected using the Azure Sphere CLI.
• Azure Tenant ID: Find tenant ID through the Azure portal. Copy the Azure Active Directory tenant ID.

Azure Sphere treats the service principal as another user. To acquire a token using the service principal, first add the service principal user to the Azure Sphere tenant, and then assign a role to the user in an Azure Sphere tenant using the Azure Sphere CLI.

The user identity can be generated as <ObjectID>@<TenantID>.onmicrosoft.com.

In the following example we create a user using a combination of object ID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and Azure AD tenant ID zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz in the Azure Sphere tenant ID tttttttt-tttt-tttt-tttt-tttttttttttt, and then add the Contributor role for this user.

1. Sign in with your Azure Sphere login using the Azure Sphere CLI:

   azsphere login
   

2. Select the required tenant:

   azsphere tenant select --tenant tttttttt-tttt-tttt-tttt-tttttttttttt
   

3. To create a service principal user to the Azure Sphere tenant:

   azsphere register-user --new-user  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz.onmicrosoft.com
   

4. To add the user to a required role:

   azsphere role add --role Contributor --user xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz.onmicrosoft.com
   

Step 3: Add the Azure.Identity NuGet package in the project

Add the Azure.Identity NuGet package in the project. The Azure Sphere Public API (PAPI) token can be acquired by DefaultAzureCredential.

For example see the code snippet:

    public static async Task<string> GetAS3Token()
    {
        DefaultAzureCredential credential = new DefaultAzureCredential();
        var result = await credential.GetTokenAsync(new Azure.Core.TokenRequestContext(
        new[] { "https://firstparty.sphere.azure.net/api/.default" }));
        return result.Token;
    }