Authenticate with managed identity

Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme. API Management caches the token until it expires.

Both system-assigned identity and any of the multiple user-assigned identities can be used to request a token. If client-id is not provided, system-assigned identity is assumed. If the client-id variable is provided, token is requested for that user-assigned identity from Azure Active Directory.

Note

Set the policy's elements and child elements in the order provided in the policy statement. Learn more about how to set or edit API Management policies.

Policy statement

<authentication-managed-identity resource="resource" client-id="clientid of user-assigned identity" output-token-variable-name="token-variable" ignore-error="true|false"/>  

Attributes

Attribute Description Required Default
resource String. The application ID of the target web API (secured resource) in Azure Active Directory. Policy expressions are allowed. Yes N/A
client-id String. The client ID of the user-assigned identity in Azure Active Directory. Policy expressions are not allowed. No system-assigned identity
output-token-variable-name String. Name of the context variable that will receive token value as an object of type string. Policy expresssions are not allowed. No N/A
ignore-error Boolean. If set to true, the policy pipeline will continue to execute even if an access token is not obtained. No false

Usage

Examples

Use managed identity to authenticate with a backend service

<authentication-managed-identity resource="https://graph.microsoft.com"/> 
<authentication-managed-identity resource="https://management.azure.com/"/> <!--Azure Resource Manager-->
<authentication-managed-identity resource="https://vault.azure.net"/> <!--Azure Key Vault-->
<authentication-managed-identity resource="https://servicebus.azure.net/"/> <!--Azure Service Bus-->
<authentication-managed-identity resource="https://storage.azure.com/"/> <!--Azure Blob Storage-->
<authentication-managed-identity resource="https://database.windows.net/"/> <!--Azure SQL-->
<authentication-managed-identity resource="AD_application_id"/> <!--Application (client) ID of your own Azure AD Application-->

Use managed identity and set header manually

<authentication-managed-identity resource="AD_application_id"
   output-token-variable-name="msi-access-token" ignore-error="false" /> <!--Application (client) ID of your own Azure AD Application-->
<set-header name="Authorization" exists-action="override">
   <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
</set-header>

Use managed identity in send-request policy

<send-request mode="new" timeout="20" ignore-error="false">
    <set-url>https://example.com/</set-url>
    <set-method>GET</set-method>
    <authentication-managed-identity resource="ResourceID"/>
</send-request>

Next steps

For more information about working with policies, see: