Azure Function using MSI - Error Requesting Token

4
votes

I have a Function in Azure, which has MSI (Managed Service Identity) enabled which I am trying to use to access an Azure based WebAPI (App Service WebApp) which in turn has Azure AD Authentication enabled (all same Azure Directory).

My WebAPI has an Azure App registered so it can use AAD Authentication.

This app also has the necessary AppRoles configured in its Manifest (for types 'User' and for 'Application').

I have also verified that the Functions Identity (app) was successfully created in Azure AD when I enabled MSI on the Function.

When I try to obtain a token within my Function using MSI i receive a 400 Bad Request response / error:

"ExceptionMessage": "AADSTS50105: Application '###' is not assigned to a role for the application '###'

"ErrorCode": "invalid_grant"

I have ensured the Resource value I pass in is my webAPIs app ID URI.

string resource = "<My App URI>";
string apiversion = "2017-09-01";
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
var r = await client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion));
return r;

But I still get the same error. The code for requesting a token is fine, and the error does infact point towards a permissions issue.

The one thing I have not been able to do (and I guess this is the problem) is find a way to give add the new MSI/Function Identity to the Users & Groups of the webAPIs Azure App. No matter what I try my Functions App Identity does not appear in the Users list when I search for it to add as a member of the webAPI app (with the Application role).

Does anyone have any suggestions as to why I cannot add the Functions MSI to an Apps Users & Groups or to an Azure AD Group?

Or am I doing something else wrong perhaps?

2
functionazureauthenticationazure-functionsservice-principal
You have to add an app permission for the Function service principal :) App roles with allowed member type == "Application" are app permissions. This is something I have not personally tried. The hard part is that since you have no Application (only the SP), you have to do the permission assignment with PowerShell.juunas
The command should be something like this: New-AzureADServiceAppRoleAssignment -ObjectId 'a' -Id 'a' -PrincipalId 'a' -ResourceId 'a'. I think ObjectId can be a random GUID, e.g. [System.Guid]::NewGuid().ToString(). Id should be the id of the appRole. PrincipalId should be the objectId of the Function Service Principal. ResourceId should be the objectId of the API's service principal. Let me know if you get this working :Djuunas
can you see your function app in the azure ad (should be a user i think) ??Thomas
Thomas - Yes its in there, you dont see it under Users, but you will see it under Enterprise Apps (must reset the search filter as in Shengbao's reply/image belowcty
Juunas - this worked! You were spot on, thank you! I've not seen this referred to anywhere else in anything Ive read. MS indicate you can do all this from the Azure Portal, but as we experienced, you cant! Thank you for your help!cty

2 Answers

2
votes

Juuna was spot on in his response to my original post:

When enabling MSI on a service only a Service Principal is created in Azure AD and as such this wont appear in search results when trying to add the SP as a member of a Group or to User & Groups of an Azure AD App.

In order to assign your MSI created Service Principal permissions to your App you need to:

  1. Edit your apps manifest and ensure you have app roles with allowed member type = "Application"
  2. Run the PowerShell cmdlet "New-AzureADServiceAppRoleAssignment (link) to grant your Service Principal the Application role you added to your apps manifest
  3. Within your MSI enabled service re-try requesting a token

For me, following the above, I can now successfully request app tokens from my Function so my same Azure Function can call my WebApp (which is AAD Authentication enabled).

1
votes

In fact, when you enable MSI, it will create a service principal(not a user), so you could not find it in Users&Groups.

You could find it on Azure Portal and try to give permissions you need. Azure Active Directory -->Enterprise applications

enter image description here

Note: The service principal name is same with your function name.

In function, you should use the following code to get token, please refer to this link.

using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
// ...
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");
// OR
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));