Azure AD AP can we create custom user identity to access Allow back end API access associated with Azure AD Application?
I Have Azure Ad application MyApplication which contain 10 to 12 microservices. In expose api i have already
I have created my user custom identity to access azure ad app
I need to use my user manage identity to generate token for my all microservice beside my azure add app below is my scope api://axxxxxxxxxx/AllowAnonymus
string clientId = "XXXX"; // The Client ID of the user assigned identity
AccessToken token = await new DefaultAzureCredential(
new DefaultAzureCredentialOptions
{
ManagedIdentityClientId = clientId
})
.GetTokenAsync(
new TokenRequestContext(
new[] { "api://axxxxxxxxxx/AllowAnonymus" }
));
I m not able generate token with this code. any one have idea
Note that: It is not possible to assign delegated permissions to Azure managed identity. Refer this SO Thread by juunas.
- Using Managed identities you would not be able to sign in as a user. and hence you cannot assign delegated permissions to managed identity.
- Only Application type API permissions can be assigned to managed identity.
If you are adding scope under Expose an API tab, then it is a delegated scope:
And hence you cannot assign this kind of permission to user managed assigned and generate token.
As a workaround, you can instead create app roles in the Microsoft Entra application:
Now assign this app role to User managed identity:
Connect-AzureAD
New-AzureADServiceAppRoleAssignment -ObjectId MIObjectID -Id AppRoleID -PrincipalId MIObjectID -ResourceId MicrosoftEntraServicrPrincipalObjID
ObjectID and PrincipalId will be:
Go to Enterprise application -> Search your managed identity (with filter as All applications):
ResourceID is the Microsoft Entra Service principal objectID:
Now, you can generate token by using below code:
using System;
using Azure.Identity;
using Azure.Core;
class Program
{
static async Task Main(string[] args)
{
string clientId = "XXX"; // The Client ID of the user assigned identity
AccessToken token = await new DefaultAzureCredential(
new DefaultAzureCredentialOptions
{
ManagedIdentityClientId = clientId
})
.GetTokenAsync(
new TokenRequestContext(
new[] { "api://XXX/.default" }
));
Console.WriteLine(token.Token);
}
}
Note that: Managed Identity cannot be used locally because the security boundary of the managed identity is the Azure resource to which it is attached to.
- Hence you need to make use of VMs, Web Apps or any other Azure resources to enable the identity and run the code. Refer this Microsoft QnA
- Refer this blog by Vikas Hooda, for step-by-step implementation.
- Caching User Single Sign On using Distributed Cache
- How to redirect back to Azure AD B2C defining which custom policy to use based on the username given
- Access token not working Azure AD custom policy
- MSAL login getting stuck in .NET MAUI app
- Sign-up User Flow with Azure B2C and Microsoft.Identity.Web
- Azure AD B2C Password Reset
- Reset password MS Entra
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Retrieving tokens from aad_b2c_webview
- MissingPluginException When Using aad_oauth for Microsoft Multi-Factor Authentication in Flutter
- How to check user exists in AD B2C, using custom policy?
- I am trying to update an existing user i made through graph api in my code, but i get a 403 error back from azure graph api
- Use managed identity of the web app to manage b2c using graph api
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- no email in claim when logging on via Entra ID
- Azure B2C App Always Redirects to <domain>/MicrosoftIdentity/Account/Error
- How to Implement Direct Username and Password Login with Azure AD B2C in Flutter without Using Microsoft's UI?
- How to properly restrict access to an azur eweb application?
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- Set-AzureADMSTrustFrameworkPolicy powershell cmdlet works on laptop but not in github actions. No changes done
- I am not able to import the powershell module Microsoft.Graph.Entra.Beta
- B2C Custom Policy: Error changing localAccountPasswordReset Content selfAsserted policy version beyond 1.1.0
- Non Verified Domain as IdntifierUri for Azure B2C IEF Application
- B2C authentication not returning access_token
- How to disable authentication during the start up of an ASP.NET Core 5 Blazor B2C application?
- Email address empty when trying to read it out at the back end
- Creating a user in Azure AD B2C through Microsoft SSO
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Error trying to add JavaScript to Azure B2C Local Signup Page