azuremicrosoft-graph-apiazure-ad-b2cazure-managed-identity

Use managed identity of the web app to manage b2c using graph api


I have a web app hosted in azure with managed identity enabled on it. I also have a b2c tenant, in which I registered that application and granted it permissions to list all users.

If I'm using the combination of clientId, tenantId and clientSecret - I can call the GraphServiceClient and get users. But if I'm specifying DefaultAzureCredentials - then it looks like it can't validate the access.

I would really like to avoid the manual client secret rotation, so is there a way to make DefaultAzureCredentials to work? It seems like I missed some assignment IAM, bot there is no GraphApi-related roles. It's also not helping that b2c tenant manager is a separate window with its own UI.

Searching the internet I saw a mention of service-to-service authorization, where having Azure AD we register both app and B2C in there... but may be there is a better way? It should be, at least.

Thank you in advance.


Solution

  • As Per december 2023, this is not supported as managed identities belong to only one tenant:

    Can I use a managed identity to access a resource in a different directory/tenant?

    No. Managed identities don't currently support cross-directory scenarios.

    Additonally I looked into federated identity credentials which should theoretically enable this scenario but it is not supported as well:

    Microsoft Entra issuers aren't supported

    Applies to: applications and user-assigned managed identities

    Creating a federation between two Microsoft Entra identities from the same or different tenants isn't supported. When creating a federated identity credential, configuring the issuer (the URL of the external identity provider) with the following values isn't supported:

    • *.login.microsoftonline.com
    • *.login.windows.net
    • *.login.microsoft.com
    • *.sts.windows.net

    While it's possible to create a federated identity credential with a Microsoft Entra issuer, attempts to use it for authorization fail with error AADSTS700222: AAD-issued tokens may not be used for federated identity flows.