Azure api management service fails to authorize call to web app API
I'm trying to set up an Azure API Management Service with one backend API hosted in an Azure web app. APIM is supposed to authenticate against the Web App with the help of a service principal.
I activated the system assigned managed identity of APIM and of the Web App and adapted the APIM inbound policy:
<inbound>
<authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" />
<base />
<set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" />
</inbound>
The UID for the authentication-managed-identiy resource I got from the Authentication tab of the Web App as can be seen in the picture.
I also added the managed identiy of the APIM as Contributor to the WebApp.
However, when I test my API in APIM, I get a 403 Forbidden
If I remove the line <authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" />
I get a 401 Unauthorized
I think this tells me, that the authentication is working, but the apim managed identity has no access rights to the API so the authorization fails.
Can anybody tell me, how I can grant the APIM managed identity the correct access rights to my Web App API?
PS If I remove access restrictions to the Web App, I get a 200 OK and the correct output, so the API access in general is working.
Thanks Simon
Follow the steps below to get this work-
- Create a new Application in Microsoft Entra Id or use an existing one. Use client Id of the registered app in the policy.
<policy>
<inbound>
<base />
<authentication-managed-identity resource="{ClientId of the Entra App}" />
<set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" />
</inbound>
</policy>
- Enable System managed Identity in APIM instance.
- Look for the Enterprise Application which got created post enabling the system managed identity and then copy the application Id.
- Then, configure Authentication in Web App as shown below. Paste the application Id which you have copied in step 3 in allowed client applications field.
By doing the illustrated the steps you can access the Web Apps in APIM.
- .NET OIDC token mapping different between id_token and userinfo endpoint
- WebAuthn: Can't create public key. Promise is rejected
- FastAPI authentication injection
- Swift - Sign in with apple always results in 'Sign up not completed' after the facial recognition runs
- How to add authentication for Swift in Xcode environment
- What are the main differences between JWT and OAuth authentication?
- Laravel 419 Page Expired on Hosting but Works Locally
- How can I log in and authenticate to PostgreSQL after a fresh install?
- What is a Pythonic way for Dependency Injection?
- Paypal auth not behaving correctly
- Symfony custom authenticator and form login ldap at the same time
- How to add user authentication to specific endpoints in FastAPI?
- How to configure command line git to use ssh key
- How to enable remember password in case of AJAX login?
- Cannot switch from user myself back to root using `su` command, it reports authentication failure. `sudo` command not found either
- Swipe a splash screen to get to a login screen (Android Application)
- laravel5.2 Auth::guest() returns error "Class 'App\Http\Controllers\Auth' not found"
- troubleshooting Cakephp auth component not allowing allowed actions
- Docker private registry insufficient_scope when trying to delete image
- LoginAsync Always Returns False in Blazor WebAssembly with ASP.NET Core 9 Cookie Authentication
- CloudKit server-to-server authentication
- Problems with setting up JWT Bearer authentication in ASP.NET Core
- AADSTS500208 "domain is not a valid login domain" error when migrating Blazor WASM from Azure AD B2C to Entra External ID
- Laravel sanctum SPA authentication with multiple different user models
- C# Flurl - Add WebRequestHandler to FlurlClient
- Laravel 9 email verification Invalid Signature
- JWT Cookie Removed After Page Refresh in React App (Frontend Localhost, Backend Server)
- using refresh token to get new access token react and node js
- authentication fails with Spring Security with "permitAll"
- Flutter: how to check if user is logged in by using flutter_secure_storage