Tags: authentication, azure-web-app-service, azure-api-management, azure-service-principal, azure-entra-id

Azure api management service fails to authorize call to web app API


I'm trying to set up an Azure API Management Service with one backend API hosted in an Azure web app. APIM is supposed to authenticate against the Web App with the help of a service principal.

I activated the system assigned managed identity of APIM and of the Web App and adapted the APIM inbound policy:

<inbound>
    <authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" /> 
    <base />
    <set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" />
</inbound>
 

The UID for the authentication-managed-identity resource I got from the Authentication tab of the Web App, as can be seen in the picture.

Authentication-managed-identity UID

I also added the managed identity of the APIM as Contributor to the Web App.

However, when I test my API in APIM, I get a 403 Forbidden.

If I remove the line <authentication-managed-identity resource="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" />, I get a 401 Unauthorized.

I think this tells me that the authentication is working, but the APIM managed identity has no access rights to the API, so the authorization fails.

Can anybody tell me how I can grant the APIM managed identity the correct access rights to my Web App API?

PS: If I remove the access restrictions on the Web App, I get a 200 OK and the correct output, so API access in general is working.

Thanks, Simon


Solution

  • Follow the steps below to get this to work:

    1. Create a new Application in Microsoft Entra ID or use an existing one. Use the client ID of the registered app in the policy.

    <policy>
        <inbound>
            <base />
            <authentication-managed-identity resource="{ClientId of the Entra App}" />
            <set-backend-service id="apim-generated-policy" backend-id="xxxxxxxxxx" />
        </inbound>
    </policy>
    
    2. Enable the system-assigned managed identity on the APIM instance.

    3. Look for the Enterprise Application that was created after enabling the system-assigned managed identity and copy its application ID.

    4. Then configure Authentication in the Web App as shown below. Paste the application ID you copied in step 3 into the "Allowed client applications" field.

    By following the illustrated steps you can access the Web App from APIM.

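The two checks behind the 401-versus-403 behaviour in the question, as an added example that is not part of the original question or answer: a simplified model of what the Web App's built-in authentication does with the token APIM presents. The audience (`aud`) must equal the client ID of the Entra app named in the policy's `resource` attribute, and the caller's application ID (`appid` in v1 tokens, `azp` in v2 tokens) must be on the "Allowed client applications" list. All IDs below are constructed placeholders, the token is built without a real signature for offline inspection only, and real validation additionally verifies the signature and expiry against Entra's keys.

```python
import base64
import json
from typing import Iterable

# Constructed placeholder IDs (not real tenants or apps).
WEBAPP_APP_CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # Entra app in the policy's resource=
APIM_IDENTITY_APP_ID = "22222222-2222-2222-2222-222222222222"   # APIM managed identity's application ID
OTHER_APP_ID = "33333333-3333-3333-3333-333333333333"           # some unrelated caller


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_demo_token(claims: dict) -> str:
    """Assemble a JWT-shaped string with a placeholder signature (demo only, never a valid token)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.SIGNATURE_PLACEHOLDER"


def read_claims(token: str) -> dict:
    """Decode the payload segment without verifying it, the way you would when diagnosing a 401/403."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize(claims: dict, expected_audience: str, allowed_client_apps: Iterable[str]) -> int:
    """Return the HTTP status the built-in auth would produce for these claims.

    401: no usable token, or a token minted for a different audience.
    403: token is valid for this app, but the calling application is not on the allow list.
    200: both checks pass and the request reaches the API.
    """
    if not claims or claims.get("aud") != expected_audience:
        return 401
    caller_app = claims.get("appid") or claims.get("azp")
    if caller_app not in set(allowed_client_apps):
        return 403
    return 200


def scenario(caller_app: str, allowed: Iterable[str], audience: str = WEBAPP_APP_CLIENT_ID) -> int:
    """Build a demo token for a caller and run it through the two checks."""
    token = build_demo_token({"aud": audience, "appid": caller_app})
    return authorize(read_claims(token), WEBAPP_APP_CLIENT_ID, allowed)


if __name__ == "__main__":
    print("APIM identity not on allow list:", scenario(APIM_IDENTITY_APP_ID, []))                      # 403
    print("APIM identity allowed (step 4):", scenario(APIM_IDENTITY_APP_ID, [APIM_IDENTITY_APP_ID]))  # 200
    print("token for wrong audience:", scenario(APIM_IDENTITY_APP_ID, [APIM_IDENTITY_APP_ID], OTHER_APP_ID))  # 401
```

The first scenario reproduces the questioner's 403 (token accepted, caller not permitted), and the second is the state after the application ID from step 3 is pasted into the allowed client applications field.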