Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,751 questions
APIM - API - Using Managed Identity Authentication - Getting 500 Internal Server Error
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 87%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
krishna572
876
Reputation points
Details:
- Created a GET Request HTTP Trigger in Azure Function App with simple response message - "Your Http Trigger Function executed successfully."
- Imported this Function App API in Azure APIM Instance.
- In APIM Instance > Managed Identity under Security > System Identity to ON and save.
- In Function App > Authentication > Enabled App service authentication using Active Directory.
- In APIM Instance > GET API (Function App API) > Design > Inbound Processing > added this managed identity policy to inbound scope.
<authentication-managed-identity resource="<Function-App-URL>"/>
Now Testing the API through APIM >APIs > Function App API > Get operation > Test
Getting 500 Internal Server Error
In the Trace:
authentication-managed-identity
{
"message" : "Obtaining managed identity token using client id <someid> AAD Authority for <Function-App-URL> audience failed."
"errorResponse" : "System.InvalidOperationException: [MSAL] Authentication failed for Client Id. The resource principal named <function-app-url> was not found in the tenant named <tenant-name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. "
}
Note:
- Function App is registered in the App Registrations under AD while enabling the App service Authentication Step.
- That Polices is set in Operation Level.
- My Role is Contributor
Solutions I checked to fix this:
- I checked the Tenant ID matches from the trace. No Mistake here.
- Tried in Incognito session, cleared all the cookies in the browsers.
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 59%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
JananiRamesh-MSFT 21,091 Reputation points2022-06-06T05:33:21.49+00:00 Hi @NFSCoder-9821 Thanks for reaching out.
could you please replace the app url to client_id of backend in policy as given below<authentication-managed-identity resource="api:// {your client id}" />
you could use the appId instead of the name to make sure you're getting the correct SPN.
try with this incase if it fails again please share me the ocp-apim-trace location, APIM instance name to investigate further.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 51%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETR%3C/text%3E%3C/svg%3E)
Teja, Ravi 1 Reputation point2022-11-29T03:58:31.207+00:00 I have the similar issue. I turned on the managed identity on the app service and it's point to the right app Id. Even then I get similar error as addressed above.
Sign in to comment