0 Votes
skdev asked ·

Azure API Management to backend Azure function managed identity authentication


Hi,
I have enabled System Assigned managed identity to my API management.
I want my backend Azure function authenticate the request from API management using its managed identity.

Also added inbound policy for API in API management as 'authentication-managed-identity' with function app app id as below.
<authentication-managed-identity resource="api://xxxxx-xx-xxx" />

Backend function app(v3) is using .Net Core. I have enabled Microsoft identity provider in 'Authentication' section of Azure Function.

But still getting below error while performing 'Test/Run' from Azure portal for this function app and also from API management:

401 Unauthorized
You do not have permission to view this directory or page.

Could you please help with proper documentation with example for this scenario.

azure-functions azure-api-management azure-managed-identity

1 Answer

0 Votes
MikeUrnun answered ·

Hi @skdev - It looks like you're not setting the Bearer token, which can be extracted from Context variable when output-token-variable-name="msi-access-token" is set in your <authentication-managed-identity ..> policy, in the header using the <set-header ...> policy.

Here's the blog post with step-by-step instructions on how to set this up: Azure API Management – Call Azure Functions with Managed Identity




Hi @MikeUrnun Did try this. But still getting the same 401 unauthorized error.
Even without it, I could see the 'Authorization' header set with 'Bearer <tokenvalue>'.
Is there anything that I have to do in Azure AD application, like adding roles/permissions?

0 Votes 0 ·

Hi @skdev ,

Did you get an answer for this? I had the same issue and I think the problem is that your user identity needs to somehow be authorised for the function as you are running the function in the Azure Portal (and hence getting Unauthorized). I was able to test mine successfully via Postman using Managed Identities so I put it down to that.

0 Votes 0 ·
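
Added example, not part of the thread and not code from any poster: a diagnostic for the case discussed above, where the 'Authorization' header already carries a Bearer token but the Function App still returns 401. It decodes the token's claims without verifying the signature and compares aud, tid and exp with the values the Function App's Microsoft identity provider is expected to accept; the audience, tenant ID and token below are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json
import time

def decode_claims(token):
    """Return the JWT payload as a dict. Diagnostic only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, allowed_audiences, tenant_id, now=None):
    """List mismatches between the token and what the backend is expected to accept."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("aud") not in allowed_audiences:
        findings.append(f"aud {claims.get('aud')!r} is not an allowed audience")
    if claims.get("tid") != tenant_id:
        findings.append(f"tid {claims.get('tid')!r} is not the expected tenant")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings

def _b64url(obj):
    # Helper used only to build the constructed sample token below.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: placeholder GUIDs, no real tenant, app or signature.
APP_ID = "00000000-0000-0000-0000-000000000001"
TENANT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "api://" + APP_ID, "tid": TENANT_ID, "exp": 2000000000}),
    "constructed-signature",
])

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    # Assumed backend setting: only the bare client ID is listed as an allowed
    # audience, while the token was requested for the api:// form of the ID.
    for finding in check_claims(claims, {APP_ID}, TENANT_ID) or ["no mismatches"]:
        print(finding)
```

Run it against a token captured in a test environment only, and treat the token as a credential: do not paste it into online decoders or logs.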