Azure API Management to backend Azure function managed identity authentication

skdev 151 Reputation points
2021-06-14T05:18:11.337+00:00

Hi,
I have enabled System Assigned managed identity to my API management.
I want my backend Azure function authenticate the request from API management using its managed identity.

Also added inbound policy for API in API management as 'authentication-managed-identity' with function app app id as below.
<authentication-managed-identity resource="api://xxxxx-xx-xxx" />

Backend function app(v3) is using .Net Core. I have enabled Microsoft identity provider in 'Authentication' section of Azure Function.

But still getting below error while performing 'Test/Run' from Azure portal for this function app and also from API management:

401 Unauthorized
You do not have permission to view this directory or page.

Could you please help with proper documentation and an example for this scenario?


4 answers

  1. Mike Urnun 9,676 Reputation points Microsoft Employee
    2021-06-16T00:14:15.93+00:00

    Hi @skdev - It looks like you're not setting the Bearer token, which can be extracted from Context variable when output-token-variable-name="msi-access-token" is set in your <authentication-managed-identity ..> policy, in the header using the <set-header ...> policy.

    Here's the blog post with step-by-step instructions on how to set this up: Azure API Management – Call Azure Functions with Managed Identity

    UPDATE: Sorry for the late update here but if you're getting the 401 Unauthorized error after following the steps in the blog post I referenced, it's likely your Functions endpoints are secured by the Access keys feature which, typically, is enabled by default during the creation of functions. If that was indeed the case for you, you'll want to implement an additional APIM policy and make sure the request to Functions is including the access keys as well, otherwise, you'll still get the 401 error.


  2. Karduan 1 Reputation point
    2021-08-26T12:20:16.243+00:00

    Hello, I have the same issue, but I'm able to get the tokens. But these tokens are working with managed identity. I get this error.

    {
    "statusCode": 500,
    "message": "Internal server error",
    "activityId": "SomeID here"
    }


  3. Ossi Kasurinen 96 Reputation points
    2021-08-31T08:56:05.173+00:00

    A few items to check.

    1. Does your APIM instance have Managed Identity turned on?
    2. Does the App Registration behind the App Service Authentication have a role for this?
    3. Is the Managed Identity added to that role?
    4. Do you have the function code authentication turned on? (Have you set that up properly in the APIM?)

    For number 3, there is this Azure PowerShell (AAD) command that you need to execute:

    # Assign the app role to the APIM managed identity (AzureAD module).
    # Backticks continue the command across lines; replace the {...} placeholders.
    New-AzureADServiceAppRoleAssignment `
       -ObjectId {MANAGED-IDENTITY-ID} `
       -Id {YOUR-APPROLE-ID} `
       -PrincipalId {MANAGED-IDENTITY-ID} `
       -ResourceId {ENTERPRISE-APP-OBJECT-ID}


    The API policy should be along the lines of:

    <!-- in the inbound section -->
    <authentication-managed-identity resource="{{clientId}}" ignore-error="false" output-token-variable-name="msi-access-token" />
    <set-header name="Authorization" exists-action="override">
        <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
    </set-header>
    <set-backend-service backend-id="azfun" />


  4. Simon Emmanuel RIVAS 1 Reputation point
    2022-01-08T16:21:20.267+00:00

    Hello @skdev, in case you haven't solved your issue yet, your APIM policy should read:

    <authentication-managed-identity resource="***your function app application ID without anything else***" />


    Then if you still get a 401, @Mike Urnun is probably right that you also need an access key to be allowed to call your functions. In this case, simply add the following policies:

    <set-query-parameter name="clientId" exists-action="override">
        <value>***name of the function app key***</value>
    </set-query-parameter>
    <set-query-parameter name="code" exists-action="override">
        <value>***value of the function app access key***</value>
    </set-query-parameter>

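The answers above point at the same three things Easy Auth checks before it returns 401: the token's audience must be the function app's application ID (the `resource=` value), the caller must be the APIM managed identity, and, if an app role is required, that role must be in the token. The following diagnostic is an added example, not code from this thread or from Microsoft; it decodes the token APIM stored in `msi-access-token` and reports which of those checks would fail. All IDs and the role name `Function.Invoke` are constructed placeholders, and the helper builds unsigned tokens only so the check can be run offline; it does not verify signatures, which the backend still must do.

```python
import base64
import json
import time

# Constructed placeholder IDs (not from the thread); substitute your own values.
FUNCTION_APP_ID = "11111111-2222-3333-4444-555555555555"    # function app's Application (client) ID
APIM_IDENTITY_OID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # APIM managed identity object ID


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(token):
    """Return the payload of a compact JWT. The signature is NOT checked here:
    this only compares claims; Easy Auth / the backend still validates the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token, expected_app_id, allowed_oids, required_role=None, now=None):
    """List reasons Easy Auth would reject this token; an empty list means the claims look right."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    # resource= in the policy decides aud; Easy Auth accepts the app ID or its api:// form
    if c.get("aud") not in (expected_app_id, f"api://{expected_app_id}"):
        problems.append(f"aud={c.get('aud')!r}: resource= must be the function app's application ID")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    if c.get("oid") not in allowed_oids:
        problems.append(f"oid={c.get('oid')!r} is not the APIM managed identity")
    if required_role and required_role not in c.get("roles", []):
        problems.append(f"role {required_role!r} missing: assign the app role to the managed identity")
    return problems


def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT purely for local testing of diagnose()."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    ok = make_unsigned_token({"aud": FUNCTION_APP_ID, "oid": APIM_IDENTITY_OID,
                              "exp": time.time() + 600, "roles": ["Function.Invoke"]})
    wrong = make_unsigned_token({"aud": "https://management.azure.com/", "oid": APIM_IDENTITY_OID,
                                 "exp": time.time() + 600})
    print(diagnose(ok, FUNCTION_APP_ID, {APIM_IDENTITY_OID}, "Function.Invoke"))     # []
    print(diagnose(wrong, FUNCTION_APP_ID, {APIM_IDENTITY_OID}, "Function.Invoke"))  # aud and role problems
```

To use it against a real token, log `context.Variables["msi-access-token"]` from a trace in APIM and pass it to `diagnose()`; a real token's `aud` should match the value you put in `resource=`.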