
0 Votes
CosminStirbu-1831 asked

Integrate Azure API Management with Azure Functions using Managed Identity and Active Directory Authentication

Hi,

Is there a way to restrict which resources (particularly APIM instances) using managed identity can integrate with an Azure Function protected by Azure AD authentication?

Basically we've performed the following steps to integrate the APIM with the Azure Function:

  1. Configured the Azure Function to use Azure AD login, as per docs

  2. Enabled Managed Identity on the API Management resources as per docs

However, it's not clear how to disable any other API Management resource from following step 2 and integrating with the function.

Thank you,
Cosmin



azure-active-directory azure-functions azure-api-management azure-managed-identity

1 Answer

0 Votes
PramodValavala-MSFT answered

@CosminStirbu-1831 This is a service-to-service call and can be authorized via app roles. This section of the docs describes the steps required. This would need validation in your function app.



Does this mean that we should/can drop the Managed Identity integration between API Management and the Azure Function?

Currently we don't perform token / claims validation at the function level.

We perform the token / claims validation at the API Management level using validate-jwt policy, and then we use authentication-managed-identity to allow API Management to access the Azure Function.


0 Votes

@CosminStirbu-1831 If all requests go through APIM, then you could skip it at the function app level and just protect your function app with IP Restrictions instead to allow requests to only come from APIM.


0 Votes

We'll use IP restrictions then to allow requests to only come from APIM. Thank you.

1 Vote
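
The app-role validation mentioned in the answer, as an added example that is not code from this thread or from Microsoft: it rejects callers whose token lacks the required app role or whose object ID is not an allowed APIM managed identity. It assumes App Service Authentication has already validated the token and passes its claims in the `X-MS-CLIENT-PRINCIPAL` header; the role name `Function.Invoke`, the object IDs, and the plain lowercase-keyed `headers` dict are constructed for illustration.

```python
import base64
import json

# Assumed values for this example (not from the original thread):
REQUIRED_ROLE = "Function.Invoke"   # hypothetical app role on the function's app registration
ALLOWED_CALLER_OIDS = {             # constructed object IDs of the APIM managed identities allowed in
    "11111111-1111-1111-1111-111111111111",
}
ROLE_TYPES = {"roles", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}
OID_TYPES = {"oid", "http://schemas.microsoft.com/identity/claims/objectidentifier"}


def parse_client_principal(header_value):
    """Decode the X-MS-CLIENT-PRINCIPAL header (base64 JSON) into (typ, val) claim pairs."""
    try:
        doc = json.loads(base64.b64decode(header_value, validate=True))
        return [(c["typ"], c["val"]) for c in doc["claims"]]
    except (ValueError, KeyError, TypeError):
        return None  # malformed or unexpected shape: treat as unauthenticated


def authorize(headers):
    """Return (status_code, reason) for a request, given its headers as a dict."""
    raw = headers.get("x-ms-client-principal")
    claims = parse_client_principal(raw) if raw else None
    if claims is None:
        return 401, "no valid client principal"
    roles = {v for t, v in claims if t in ROLE_TYPES}
    oids = {v for t, v in claims if t in OID_TYPES}
    if REQUIRED_ROLE not in roles:
        return 403, "caller has not been assigned the required app role"
    if not oids & ALLOWED_CALLER_OIDS:
        return 403, "caller identity is not on the allowlist"
    return 200, "ok"


def sample_header(claims):
    """Build a constructed header value from (typ, val) pairs for local testing."""
    doc = {"auth_typ": "aad", "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    apim = sample_header([("oid", "11111111-1111-1111-1111-111111111111"),
                          ("roles", "Function.Invoke")])
    other = sample_header([("oid", "22222222-2222-2222-2222-222222222222")])
    for hdrs in ({"x-ms-client-principal": apim}, {"x-ms-client-principal": other}, {}):
        print(authorize(hdrs))
```

A managed identity that was never assigned the app role gets a token without a `roles` claim, so the role check alone stops other APIM instances; the object ID allowlist is a second, optional constraint.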