I'm trying to set up an Azure API Management Service with one backend API hosted in an Azure web app. APIM is supposed to authenticate against the Web App with the help of a service principal.
I activated the system assigned managed identity of APIM and of the Web App and adapted the APIM inbound policy:
<inbound>
    <authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" />
    <base />
    <set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" />
</inbound>
The UID for the authentication-managed-identity resource I got from the Authentication tab of the Web App, as can be seen in the picture.
I also added the managed identity of the APIM as Contributor to the Web App. However, when I test my API in APIM, I get a "403 Forbidden" error.
If I remove the line <authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" />, I get a "401 Unauthorized" error.
I think this tells me that the authentication is working, but the APIM managed identity has no access rights to the API so the authorization fails.
How I can grant the APIM managed identity the correct access rights to my Web App API?
If I remove access restrictions to the Web App, I get a "200 OK" result, and the correct output, so the API access in general is working.
Follow the steps below to get this to work:
Create a new Application in Microsoft Entra ID or use an existing one. Use the Client ID of the registered app in the policy.
<policy>
    <inbound>
        <base />
        <authentication-managed-identity resource="{ClientId of the Entra App}" />
        <set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" />
    </inbound>
</policy>
Enable System managed Identity in your APIM instance.
Look for the Enterprise Application which got created post-enabling the system managed identity and then copy the Application ID.
Then, configure the Authentication in the Web App as shown below. Paste the Application ID which you copied in step 3 into the allowed client applications field.
By following the steps above, you should now be able to access the Web App from APIM:
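To make the 401 / 403 / 200 behaviour from the question concrete, here is an added example (written for this page, not code from the question, the answer or Azure) that models the two checks App Service Authentication performs on the bearer token APIM obtains with authentication-managed-identity: the token must be valid for the Web App (audience equals the app registration's client ID, which is the value used for resource= in the policy), and the calling application, taken from the token's appid (v1) or azp (v2) claim, must appear in the allowed client applications list. All IDs, the tenant and the signing key below are constructed placeholders. Entra signs real tokens with RS256 and App Service validates them against the tenant's published keys; to run offline the example signs its constructed tokens with HS256 and a local key, and that substitution is labelled in the code. Note that an Azure RBAC role such as Contributor plays no part in this check, which is why adding it does not clear the 403.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders standing in for the IDs shown as X's on the page.
# None of these are real Azure identifiers.
WEB_APP_CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # app registration = resource= in the APIM policy
APIM_IDENTITY_APP_ID = "22222222-2222-2222-2222-222222222222" # Application ID of APIM's system-assigned identity
OTHER_CALLER_APP_ID = "33333333-3333-3333-3333-333333333333"  # some unrelated caller
TENANT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
FIXED_NOW = 1_700_000_000  # fixed clock so the example is deterministic

# Assumption for offline use only: real Entra access tokens are RS256-signed and
# verified against the tenant's JWKS; here the constructed tokens are HS256-signed
# with a local key so the claim checks (the point of the example) can run anywhere.
SIGNING_KEY = b"constructed-local-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict) -> str:
    """Build a compact JWT over the given claims (HS256, see assumption above)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_and_decode(token: str):
    """Return the claims dict if the signature is valid, otherwise None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def authorize(auth_header, allowed_client_apps, now=FIXED_NOW):
    """Return (status, reason) the way an App Service Authentication gate would.

    401: no usable token (missing, bad signature, wrong audience/issuer, expired)
    403: token is fine, but the calling app is not in the allowed client applications
    200: authenticated and the caller is allowed
    """
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "no bearer token"
    claims = verify_and_decode(auth_header[len("Bearer "):])
    if claims is None:
        return 401, "invalid signature or malformed token"
    # The audience must be the Web App's own app registration, i.e. the value
    # APIM requested via resource=... (Entra may emit either form).
    if claims.get("aud") not in (WEB_APP_CLIENT_ID, f"api://{WEB_APP_CLIENT_ID}"):
        return 401, "wrong audience"
    if claims.get("iss") != ISSUER:
        return 401, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return 401, "expired"
    # v1 tokens name the calling application in "appid", v2 tokens in "azp".
    caller = claims.get("appid") or claims.get("azp")
    if caller not in allowed_client_apps:
        return 403, f"client {caller} not in allowed client applications"
    return 200, "ok"


def demo():
    """Replay the three situations from the question; returns the status codes."""
    apim_token = make_token({"aud": WEB_APP_CLIENT_ID, "iss": ISSUER,
                             "appid": APIM_IDENTITY_APP_ID, "exp": FIXED_NOW + 3600})
    allow = [APIM_IDENTITY_APP_ID]
    return {
        "policy_line_removed": authorize(None, allow)[0],                 # 401
        "token_but_not_allowed": authorize(f"Bearer {apim_token}", [])[0],  # 403
        "token_and_allowed": authorize(f"Bearer {apim_token}", allow)[0],   # 200
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The three results line up with the question: dropping authentication-managed-identity sends no token and yields 401; sending APIM's token before its Application ID is in the allowed list yields 403; adding it yields 200. A token minted for a different caller or with a different audience is rejected the same way, which is the property the allow list is there to provide.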