haoqiao asked
0 Votes

Azure App Service is able to use Managed Identity (no app roles set) to call another AAD-protected App Service. Why?

Structure Setup

App service A, with app service plan A (Free Tier), with System Assigned Identity on.
App service B, with app service plan B (Free Tier), with AAD authentication and authorization, with service principal B.
That's it, no further setup, no app roles, no token audience.

Then I made a very simple console app using .NET 5.

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.Azure.Services.AppAuthentication; // NuGet package Microsoft.Azure.Services.AppAuthentication

    class Program
    {
        static void Main()
        {
            // On App Service this provider obtains tokens from the managed identity endpoint
            var azureServiceTokenProvider = new AzureServiceTokenProvider();

            // Resource is SPN B's client ID, so the token's "aud" claim becomes app service B
            var token = azureServiceTokenProvider.GetAccessTokenAsync("SPN B's client Id", "Tenant Id").GetAwaiter().GetResult();

            Console.WriteLine(token);

            using (var hc = new HttpClient())
            {
                hc.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

                // Call the AAD-protected app service B with the managed identity's token
                var res = hc.GetAsync("App service B url").GetAwaiter().GetResult();

                var body = res.Content.ReadAsStringAsync().GetAwaiter().GetResult();

                Console.WriteLine(body);
            }
        }
    }

Then I dropped this console app into App service A's Kudu console and ran it. Surprisingly, it was able to use the managed identity token to access app service B.

I am very confused; the managed identity should not have any access. The returned JWT token:

    {
      "aud": "SPN B's client id",
      "iss": "issuer",
      "iat": 1614463676,
      "nbf": 1614463676,
      "exp": 1614550376,
      "aio": "E2ZgYHAIulMkupMv5ku6dYrERh0LAA==",
      "appid": "Managed identity client id",
      "appidacr": "2",
      "idp": "issuer",
      "oid": "Managed identity object id",
      "rh": "0.ASgA43WCTWxU70i_QFayzgGduttb1iTw-FBIn9cvBo6st-IoAAA.",
      "sub": "Managed identity object id",
      "tid": "tenant id",
      "uti": "--aa0ubSrEqW4yeOzeYBAA",
      "ver": "1.0"
    }

Could someone please help me understand this situation? Is it because of the free tier app service plan or some other default setup?

Thank you a lot in advance!

Tags: azure-active-directory, azure-webapps

haoqiao answered
0 Votes

Found the answer:

The app service B service principal's default "user assignment required" was set to false and the supported account type was "My organization only". Any valid service principal in the same tenant should be able to get an access token for it. A managed identity is a valid service principal, so it can get an access token.

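The answer above means that obtaining a token for app service B proves only that the caller is some principal in the tenant; app service B still has to check what the caller is allowed to do. The following is an added example, not code from the question or the answers, of the authorization check app service B would apply after App Service authentication (or a JWT middleware) has already validated the token's signature and expiry. `SPN_B_CLIENT_ID` and the app role name `Invoices.Read` are placeholders, and the two tokens are constructed to mirror the claim shape shown in the question.

```python
import base64
import json

# Constructed samples: one payload shaped like the token in the question
# (audience is SPN B, no "roles" claim) and one that carries an app role.
# The signature segment is a placeholder; this code assumes signature and
# expiry were validated upstream and only inspects claims for authorization.

SPN_B_CLIENT_ID = "spn-b-client-id"  # placeholder for app service B's client ID
REQUIRED_ROLE = "Invoices.Read"      # placeholder app role defined on SPN B


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorize(claims: dict, expected_aud: str, required_role: str) -> bool:
    """Authentication is not authorization: any service principal in the tenant
    can get a token for this audience, so an assigned app role is required."""
    if claims.get("aud") != expected_aud:
        return False
    roles = claims.get("roles", [])
    if isinstance(roles, str):
        roles = [roles]
    return required_role in roles


def _make_token(payload: dict) -> str:
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.placeholder-signature"


# Token as in the question: correct audience, no roles -> must be rejected
TOKEN_NO_ROLES = _make_token({"aud": SPN_B_CLIENT_ID, "appid": "mi-client-id", "ver": "1.0"})
# Token issued after an app role was assigned to the managed identity -> accepted
TOKEN_WITH_ROLE = _make_token({"aud": SPN_B_CLIENT_ID, "appid": "mi-client-id", "roles": [REQUIRED_ROLE], "ver": "1.0"})

if __name__ == "__main__":
    for t in (TOKEN_NO_ROLES, TOKEN_WITH_ROLE):
        print(authorize(jwt_claims(t), SPN_B_CLIENT_ID, REQUIRED_ROLE))
```

Setting "user assignment required" to true on SPN B additionally stops AAD from issuing tokens to principals with no role assignment at all, so the two controls complement each other.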

MarileeTurscak-MSFT answered
0 Votes

You can run the following script to see whether an app role somehow got assigned:

    # Replace with your managed identity object ID
    $miObjectID = "17707c90-dab4-483d-a57f-65e91ac3d94f"
    # Microsoft Graph; the ID is the same in all tenants
    $appId = "00000003-0000-0000-c000-000000000000"

    Connect-AzureAD

    # Service principal of the resource whose app roles are being checked
    $app = Get-AzureADServicePrincipal -Filter "AppId eq '$appId'"

    # App role assignments on that resource that belong to the managed identity
    $appRoles = Get-AzureADServiceAppRoleAssignment -ObjectId $app.ObjectId | Where-Object PrincipalId -eq $miObjectID

    # Resolve each assignment's role ID to the role's Value (e.g. "User.Read.All")
    foreach ($appRole in $appRoles) {
        $role = $app.AppRoles | Where-Object Id -eq $appRole.Id | Select-Object -First 1
        Write-Host $role.Value
    }

If you go to the system-assigned managed identity and select Identity > Permissions > Azure role assignments, you can see whether any Azure roles are assigned to that identity. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-managed-identity
