Authenticating webapp using Azure Managed Identity without access hosting environment
My expectation here is that this is impossible, but I figure I'd ask just to be sure.
Our setup is a bit unique. We have an Azure environment which will be hosting various resources, among which is API Management (APIM). We are looking to secure access to APIM using a Managed Identity (MI). We are also looking to connect to APIM through a .NET6 webapp.
The challenge is that this webapp will be deployed into a different environment that we have no control over, or access to.
Is there any way to use a MI in this scenario? From my understanding, the typical workflow is to use DefaultAzureCredential to access the MI (see here), however, I believe that requires MI to be configured in the same environment the webapp is deployed to. Is there a way to authenticate against the MI using a "traditional" approach of a ClientID/ClientSecret, or is that essentially the exact thing that MI is trying to prevent?
For a web app to use MI, we need to configure few things in Azure App Service.
We need to set the Identity Provider in the Authentication.
The above is possible only if the WebApp is deployed in the Azure App Service and the hosting environment is known.
AFAIK, we do not have a direct way to authenticate a web app using Managed Identity without the hosting Environment.
We can use Managed Identity when we build our application using Azure App Service, Azure Functions, Azure VM, AKS, Azure Container Instances, Azure Storage, Logic Apps.
I believe that requires MI to be configured in the same environment the webapp is deployed to. Is there a way to authenticate against the MI using a "traditional" approach of a ClientID/ClientSecret,
One alternative way to achieve this is by registering the App in the Azure Active Directory.
Navigate to the APIM instance in Azure Portal, if you don't have create a new APIM.
Enable
Azure ADfrom thePortal overviewas shown below.
- Identities will be created with ClientID.
- New App with same name as
APIMwill be registered in theAAD.
- In APIM, add the new Group.I got the error as shown below.
- To add new
Azure AD Group, we need to haveDirectory.Read.Allpermissions forAzure Active Directory GraphinAAD=>API permissions.
- We can also manually register the App in AAD.
- Azure Web App Deployment error via msdeploy - ERROR_INSUFFICIENT_A CCESS_TO_SITE_FOLDER
- Deploying a Python App to Azure App Service with Github Actions
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- How allow github actions to access database on vnet
- Azure N-Tier application architecture not working with App Service Container deployment
- My mern project is not running in azure web app
- Predefined type 'System.Void' is not defined or imported during Visual Studio Online build of ASP.NET 5
- Azure monitor open telemetry python package raising exception when python app deployed on Azure
- Getting an error when I am trying to use pre-built contract model on AI Document Intelligence Studio. Error code in the body
- Managed Identity for Cosmos DB: "Local Authorization is disabled. Use an AAD token to authorize all requests"
- Authenticate to SQL Server with Azure app service managed identity through group
- Deploy python app to existing azure app service with azure cli
- Unable to deploy a python application from az cli
- How can I add tracing / logging messages for a Blazor Server Side App on Azure? (Preferred with App Service Logs)
- AADSTS50012: Invalid client secret is provided when moving from a Test App to Production
- Redirect Microsoft Identity Platform Access Denied in ASP.NET Core
- data base queries in application is running on the local environment, but not on microsoft azure?
- Is there a way to limit access to an Azure App Service?
- How to Log Exceptions to Azure application logs
- Azure React deployment not loading
- Issue with azure app service (linux) environment variable in ASP.NET Core app
- Using Az.Websites module to set up user assigned managed identity to pull image from ACR
- Azure App Service: Cant resolve SCM domain from behind Azure Front Door
- Unable to run NodeJS app on Azure Windows App Service
- Azure Pipeline Deployment to App Service fails: "Resource doesn't exist. Resource should exist before deployment". But App Service is running
- How do I change from Bring Your Own Certificate to Azure Managed for an App Service?
- Web Deploy experienced a connection problem with the server and had to terminate the connection - Azure App Service
- Authentication failed for Azure Git
- Azure Web App deploy: Web Deploy cannot modify the file on the destination because it is locked by an external process
- Application Error when deploying python EchoBot to the Azure App Service via VS Code. Module not found