Authenticating via Easy Auth using Bearer Token from APIM system assigned managed identity

Luke McConnell 0 Reputation points
2023-12-09T01:03:52.5566667+00:00

I have an app service plan running an api service that is secured by Easy Auth (Azure AD authentication with a app registration).

I can login to the app and view my details at /.auth/me.

I am trying to authenticate to this same app service from Azure API Management. I want to use a policy that places a bearer token from the system assigned managed identity of APIM in the headers of the request on its way to the app service on the backend.

I am using this policy on the endpoint.

When I try to hit the API from APIM, I get a forbidden response every time.

I have my settings configured to allow any internal user or app to access the api endpoints (no app roles or permissions).

What am I missing to set up this auth?

<policies>
    <inbound>
        <base />
        <authentication-managed-identity resource="fa7704fa-a32d-46dd-bdd8-23d1d39692f0" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,908 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,269 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. JananiRamesh-MSFT 23,256 Reputation points
    2023-12-11T13:07:54.71+00:00

    @Luke McConnell Thanks for reaching out. Please confirm if you have configured all the steps mentioned below.

    Enable system-assigned managed identity for your APIM instance. You can do this by going to the "Identity" blade of your APIM instance in the Azure portal and turning on the "System assigned" option.

    Grant the managed identity of your APIM instance access to your AAD-protected App Service. You can do this by adding the managed identity of your APIM instance as a "Contributor" or "Owner" to the App Service's access control (IAM) list.

    To configure Azure RBAC access:

    1. In the left menu, select Access control (IAM).
    2. On the Access control (IAM) page, select Add role assignment.
    3. On the Role tab, select the appropriate role under privileged administrator role.
    4. On the Members tab, select Managed identity > + Select members.
    5. On the Select managed identity page, select the system-assigned managed identity or a user-assigned managed identity associated with your API Management instance, and then select Select.
    6. Select Review + assign.

    In your App Service, enable AAD authentication by going to the "Authentication / Authorization" blade and turning on the "App Service Authentication" option. Choose the authentication provider. Reference: https://video2.skills-academy.com/en-us/azure/api-management/api-management-howto-use-managed-service-identity#supported-scenarios-using-system-assigned-identity

    API in APIM should be updated with policy authentication-managed-identity. https://video2.skills-academy.com/en-us/azure/api-management/authentication-managed-identity-policy <authentication-managed-identity resource="AD_application_id"/> <!--Application (client) ID of your own Azure AD Application-->

    With these steps, your App Service should be able to authenticate with AAD using the system-assigned managed identity of your APIM instance.

    Please verify and let me know even after this if you're facing this error.