Azure AD AP can we create custom user identity to access Allow back end API access associated with Azure AD Application?
I Have Azure Ad application MyApplication which contain 10 to 12 microservices. In expose api i have already
I have created my user custom identity to access azure ad app
I need to use my user manage identity to generate token for my all microservice beside my azure add app below is my scope api://axxxxxxxxxx/AllowAnonymus
string clientId = "XXXX"; // The Client ID of the user assigned identity
AccessToken token = await new DefaultAzureCredential(
new DefaultAzureCredentialOptions
{
ManagedIdentityClientId = clientId
})
.GetTokenAsync(
new TokenRequestContext(
new[] { "api://axxxxxxxxxx/AllowAnonymus" }
));
I m not able generate token with this code. any one have idea
Note that: It is not possible to assign delegated permissions to Azure managed identity. Refer this SO Thread by juunas.
- Using Managed identities you would not be able to sign in as a user. and hence you cannot assign delegated permissions to managed identity.
- Only Application type API permissions can be assigned to managed identity.
If you are adding scope under Expose an API tab, then it is a delegated scope:
And hence you cannot assign this kind of permission to user managed assigned and generate token.
As a workaround, you can instead create app roles in the Microsoft Entra application:
Now assign this app role to User managed identity:
Connect-AzureAD
New-AzureADServiceAppRoleAssignment -ObjectId MIObjectID -Id AppRoleID -PrincipalId MIObjectID -ResourceId MicrosoftEntraServicrPrincipalObjID
ObjectID and PrincipalId will be:
Go to Enterprise application -> Search your managed identity (with filter as All applications):
ResourceID is the Microsoft Entra Service principal objectID:
Now, you can generate token by using below code:
using System;
using Azure.Identity;
using Azure.Core;
class Program
{
static async Task Main(string[] args)
{
string clientId = "XXX"; // The Client ID of the user assigned identity
AccessToken token = await new DefaultAzureCredential(
new DefaultAzureCredentialOptions
{
ManagedIdentityClientId = clientId
})
.GetTokenAsync(
new TokenRequestContext(
new[] { "api://XXX/.default" }
));
Console.WriteLine(token.Token);
}
}
Note that: Managed Identity cannot be used locally because the security boundary of the managed identity is the Azure resource to which it is attached to.
- Hence you need to make use of VMs, Web Apps or any other Azure resources to enable the identity and run the code. Refer this Microsoft QnA
- Refer this blog by Vikas Hooda, for step-by-step implementation.
- Confused on how to get access tokens from B2C in Blazor App
- Using different layout for unauthenticated users in Blazor WASM
- Add claims into token Azure B2C
- I am getting an error that OAuth2 Code has already been redeemed
- Azure B2C modify SAML AccessTokenLifetime
- Cannot create Azure B2C Tenant
- My Azure AD B2C User Flow is not returning a token on jwt.ms
- Azure B2C user flow without an email
- Azure B2C Custom Policy - REST Call with Bearer Token from OIDC Step
- how to limit code verification email Spaming in Azure B2C
- Local user accounts not created properly in Azure AD B2C
- How do add device management to TOTP custom B2C policy?
- Server error occured while using B2C on Azure API Management Develop portal
- Changing Default Email Address in Azure AD B2C User Flows Without Custom Policies
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- AADB2C90068: The provided application with ID is not valid against this service. Please use an application created via the B2C portal and try again
- Azure B2c error 'Unable to validate the information provided.' when using custom attributes
- Azure B2C multi-tenant Microsoft Entra ID doesn't allow sign in as another Microsoft account
- In Azure AD B2C who provides the ID token?
- Azure: Use App Gateway for Custom B2C Domain instead of Front Door
- How to add UAE Pass as identity provider to Azure AD B2C
- Configuration in Azure AD B2C for Custom Policies
- Azure B2C - Password Rules Not Reflecting (Signup + Password Reset)
- Need help getting Azure AD B2C SSO with Azure AD
- Azure B2C - confusing expiring fields in refresh token
- Azure Static Web App - Only Allow Authenticated Users (Entra, B2C)
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- How do I programmatically clear or update a phone number for Azure AD B2C MFA?
- B2C - How to override sign up now link (custom policy)
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed