Access from Azure Function to Azure Analysis Services using managed identity and token-based login


We're trying to access Azure Analysis Services from an Azure Function (.NET 4.8), using a managed identity to retrieve a valid token and authenticate to AAS.

This is the code we are using:

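using System.Configuration;                       // ConfigurationManager
using Microsoft.Azure.Services.AppAuthentication; // AzureServiceTokenProvider

// Requests an access token for the AAS resource using the Function's managed identity.
private static string GetToken()
{
    return new AzureServiceTokenProvider().GetAccessTokenAsync(
        $"https://{ConfigurationManager.AppSettings["AASSRegion"]}.asazure.windows.net",
        ConfigurationManager.AppSettings["TenantId"]).Result;
}

// Builds the MSOLAP connection string; the access token is passed in the Password field.
private static string GetConnectionString()
{
    return $"Provider=MSOLAP;" +
        $"Data Source=asazure://{ConfigurationManager.AppSettings["AASSRegion"]}.asazure.windows.net/{ConfigurationManager.AppSettings["AASSName"]}:rw;" +
        $"Initial Catalog=Example;" +
        $"Password={GetToken()};" +
        $"Persist Security Info=True;" +
        $"Impersonation Level=Impersonate";
}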

After the execution we obtain a valid token and generate a valid connectionString, but when we try to connect to AAS we receive the following 500 error:

Either the user, 'app:appid@tenantid', does not have access to the 'Example' database, or the database does not exist

(Both the id of the app and tenant are correct in the error message)

The managed identity is allowed in AAS, and the keys "AASRegion", "AASName" and "TenantId" are well configured.

The appid has admin permissions in AAS and contributor RBAC role.

What are we missing? Is it possible to connect to AAS using managed identity?


Solution

  • Solved: The problem was that in AAS we added the Object ID of the managed identity instead of the Application ID. You can see both on the Enterprise application.
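A diagnostic for the mix-up described in the solution, added here as an example and not part of the original post: it reads the `appid`, `oid` and `tid` claims from the access token and compares the `app:appid@tenantid` form shown in the error message with the entry configured in AAS. The class and method names are hypothetical, the GUIDs are constructed sample values, and it assumes a token that carries the `appid` claim.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web.Script.Serialization; // System.Web.Extensions (.NET Framework)

static class AasIdentityCheck // hypothetical helper, not from the original post
{
    // Decodes the JWT payload WITHOUT validating the signature: for diagnostics
    // only, never for an authorization decision. Do not log the token itself.
    static Dictionary<string, object> ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        return new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json);
    }

    // Returns null when the AAS entry matches the token, otherwise a diagnosis.
    public static string Diagnose(string jwt, string aasEntry)
    {
        var claims = ReadClaims(jwt);
        string expected = $"app:{claims["appid"]}@{claims["tid"]}";
        if (string.Equals(aasEntry, expected, StringComparison.OrdinalIgnoreCase))
            return null;
        string withObjectId = $"app:{claims["oid"]}@{claims["tid"]}";
        return string.Equals(aasEntry, withObjectId, StringComparison.OrdinalIgnoreCase)
            ? $"Entry uses the Object ID; AAS expects {expected}"
            : $"Entry does not match this identity; AAS expects {expected}";
    }

    static void Main()
    {
        // Constructed sample values, not real identifiers.
        const string appId = "11111111-1111-1111-1111-111111111111";
        const string objectId = "22222222-2222-2222-2222-222222222222";
        const string tenantId = "33333333-3333-3333-3333-333333333333";
        string payload = $"{{\"appid\":\"{appId}\",\"oid\":\"{objectId}\",\"tid\":\"{tenantId}\"}}";
        string body = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string jwt = "e30." + body + ".sig"; // "e30" is base64url for "{}"

        Console.WriteLine(Diagnose(jwt, $"app:{objectId}@{tenantId}")); // Object ID entry
        Console.WriteLine(Diagnose(jwt, $"app:{appId}@{tenantId}") ?? "Entry matches.");
    }
}
```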