Search code examples
azurefactorywebjobazure-managed-identity

Authenticating Azure Web Job with MSI in Azure Data Factory

The MSI Authentication for Azure Web Job through Web Activity in ADF is giving Error 403 - This web app is stopped. issue whereas the same web job is getting invoked through Basic Authentication.

The web job is hosted on Windows App Service as a manual triggered.

In ADF V2, i have created a web activity and provided the below settings: 
URL:https://<web app name>.scm.azurewebsites.net/api/triggeredwebjobs/<webjobname>/run
Method: POST
Headers: NA
Body: {}
Authentication: MSI with resource as https://management.azure.com/
  • I have enabled MSI in the App Service where the web job is deployed and confirmed the same in AAD.
  • MSI is enabled on the ADF as well, confirmed in the AAD.
  • In the app service, i have added my ADF in ACCESS CONTROL with role as Contributor and tried several other roles as well like Managed Application Operator Role.

Note: I have restarted my App Service as well after assigning the roles and after enabling MSI.

This is the code of the web activity in adf:

{
"name": "pipeline1",
"properties": {
    "activities": [
        {
            "name": "Web1",
            "type": "WebActivity",
            "dependsOn": [],
            "policy": {
                "timeout": "7.00:00:00",
                "retry": 0,
                "retryIntervalInSeconds": 30,
                "secureOutput": false,
                "secureInput": false
            },
            "userProperties": [],
            "typeProperties": {
                "url": "https://<webappname>.scm.azurewebsites.net/api/triggeredwebjobs/<webjobname>/run",
                "method": "POST",
                "authentication": {
                    "type": "MSI",
                    "resource": "https://management.azure.com/"
                }
            }
        }
    ],
    "annotations": []
},
"type": "Microsoft.DataFactory/factories/pipelines"
}

I expect the Authentication to be successful and the web job should get triggered, but in actual the web app is not getting invoked with MSI Authentication and the activity is failing with output as Error 403 - This web app is stopped.

Solution

  • Most of the MSDN documents states that in order to authenticate SCM site, basic auth should be used. Reference: https://github.com/projectkudu/kudu/wiki/WebJobs-API#invoke-a-triggered-job

    But i am able to find that in order to authenticate SCM site using MSI, the resource should be 'https://management.core.windows.net/' and not 'https://management.azure.com'.

    So to answer the above question, just change the resource in Authentication as below:

    Authentication: MSI with resource as https://management.azure.com/

    Reference Link:https://github.com/projectkudu/kudu/issues/2957#issuecomment-477890719 which states that

    when requesting a MSI token, you must define https://management.core.windows.net/ as resource not https://management.azure.com/.

    I certainly believe this may be helpful for accessing KUDU using MSI authentication.