authentication, azure-web-app-service, azure-api-management, microsoft-entra-id, azure-service-principal

Azure API management service fails to authorize a call to web app API - getting 403 Forbidden or 401 Unauthorized


I'm trying to set up an Azure API Management Service with one backend API hosted in an Azure web app. APIM is supposed to authenticate against the Web App with the help of a service principal.

I activated the system-assigned managed identity of APIM and of the Web App and adapted the APIM inbound policy:

<inbound>
    <authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" /> 
    <base />
    <set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" />
</inbound>

I got the UID for the authentication-managed-identity resource from the Authentication tab of the Web App, as can be seen in the picture.

Authentication-managed-identity UID

I also added the managed identity of the APIM as Contributor to the Web App. However, when I test my API in APIM, I get a "403 Forbidden" error.

If I remove the line <authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" />, I get a "401 Unauthorized" error.

I think this tells me that the authentication is working, but the APIM managed identity has no access rights to the API so the authorization fails.

How can I grant the APIM managed identity the correct access rights to my Web App API?

If I remove access restrictions to the Web App, I get a "200 OK" result, and the correct output, so the API access in general is working.


Solution

  • Follow the steps below to get this to work:

    1. Create a new Application in Microsoft Entra ID or use an existing one. Use the Client ID of the registered app in the policy.

      <policy>
          <inbound>
              <base />
              <authentication-managed-identity resource="{ClientId of the Entra App}" />
              <set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" />
          </inbound>
      </policy>
      
    2. Enable System managed Identity in your APIM instance.

    3. Look for the Enterprise Application which got created post-enabling the system managed identity and then copy the Application ID.

    4. Then, configure the Authentication in the Web App as shown below. Paste the Application ID which you copied from step 3 in the allowed client applications field.

    By doing as illustrated in the steps above, you should now be able to access the Web Apps in APIM.
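To make the 401-versus-403 distinction in the question concrete, here is an added example (not code from the question, the answer, or Azure) that mimics the decision the Web App's built-in authentication makes on each request: no valid bearer token for the expected audience gives 401, a valid token whose calling application is not in the allowed client applications list gives 403, and only a token from an allowed caller reaches the API. The GUIDs are constructed placeholders, and the token is HS256-signed with a demo key purely so the example runs offline; real Entra tokens are RS256-signed and validated against the tenant's published signing keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values (not from the question). Real values would be the
# resource= GUID in the APIM policy and the Application ID of APIM's enterprise app.
ENTRA_APP_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
APIM_IDENTITY_APP_ID = "22222222-2222-2222-2222-222222222222"
DEMO_KEY = b"demo-signing-key"  # assumption: stands in for the tenant signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(appid: str, aud: str, key: bytes = DEMO_KEY, ttl: int = 300) -> str:
    """Build a constructed JWT resembling what the APIM managed identity presents."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"aud": aud, "appid": appid, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authorize(auth_header, expected_aud, allowed_apps, key=DEMO_KEY, now=None):
    """Return 401 (not authenticated), 403 (authenticated but caller not allowed) or 200."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401
    header, payload, sig = parts
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        return 401  # signature does not verify: treated as no credential at all
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("aud") != expected_aud:
        return 401  # expired, or issued for a different resource (wrong resource= value)
    caller = claims.get("appid") or claims.get("azp")  # v1 tokens use appid, v2 use azp
    if caller not in allowed_apps:
        return 403  # authenticated, but not in "Allowed client applications" (step 4)
    return 200
```

Granting the APIM identity an RBAC role such as Contributor on the Web App does not change this outcome, because the allowed-applications check is made on the token's calling application, not on Azure resource permissions.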