Access Azure Sphere Public API with AAD managed identity

Important

This is the Azure Sphere (Legacy) documentation. Azure Sphere (Legacy) is retiring on 27 September 2027, and users must migrate to Azure Sphere (Integrated) by this time. Use the Version selector located above the TOC to view the Azure Sphere (Integrated) documentation.

You can use this method to authenticate to any service that supports Azure Active Directory (AAD) authentication, without any credentials in your code. AAD managed identity handles the creation or renewal of service principals on your behalf. It is a service principal of a special type that may only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed.

System-assigned: Some Azure services allow you to enable a managed identity directly on a service instance. For example, an Azure App Service. When you enable a system-assigned managed identity an identity is created in Azure AD that is tied to the lifecycle of that service instance. So when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.

Prerequisites

The following section explains how to call the Azure Sphere Public API (PAPI) from an Azure Web App using managed identity.

Step 1: Enable the system-assigned identity in the resource

To enable the system-assigned identity in the resource and to find the Object ID for the project:

  1. In the Azure portal, on the left navigation pane, click App Services.
  2. Choose the required subscriptions from the dropdown, and select your app from the search results.
  3. On the logic app menu, under Settings, select Identity.
  4. Enable the System-assigned identity by setting the Status to On.
  5. Click Save.
  6. Copy the Object ID.

Step 2: Add the managed identity to the Azure Sphere tenant

Note

Ensure that you have the following before beginning this step:

Azure Sphere treats the service principal as another user. To acquire a token using the service principal, first add the service principal user to the Azure Sphere tenant, and then assign a role to the user in an Azure Sphere tenant using the Azure Sphere CLI.

The user identity can be generated as <ObjectID>@<TenantID>.onmicrosoft.com.

In the following example we create a user using a combination of object ID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and Azure AD tenant ID zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz in the Azure Sphere tenant ID tttttttt-tttt-tttt-tttt-tttttttttttt, and then add the Contributor role for this user.

  1. Sign in with your Azure Sphere login using the Azure Sphere CLI:

    azsphere login
    
  2. Select the required tenant:

    azsphere tenant select --tenant tttttttt-tttt-tttt-tttt-tttttttttttt
    
  3. To add the user to a required role:

    azsphere role add --role Contributor --user xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz.onmicrosoft.com
    

Step 3: Add the Azure.Identity NuGet package in the project

Add the Azure.Identity NuGet package in the project. The Azure Sphere Public API (PAPI) token can be acquired by DefaultAzureCredential.

For example see the code snippet:

    public static async Task<string> GetAS3Token()
    {
        DefaultAzureCredential credential = new DefaultAzureCredential();
        var result = await credential.GetTokenAsync(new Azure.Core.TokenRequestContext(
        new[] { "https://firstparty.sphere.azure.net/api/.default" }));
        return result.Token;
    }