0 votes

I am exploring the possibility of implementing Managed Identities for a REST API hosted in Azure App Service. This API consumes multiple third-party APIs which are outside our control and secured by AAD.

Currently, we store the AAD ApplicationId / Secret in the configuration. Whenever we need to consume any of the third-party APIs, we follow the process below:

  1. Use the ApplicationId & Secret to generate a token
  2. Call the third-party API with the token in the header
  3. During the call, the clientId in the token is checked for authorization

Can we use Managed Identities in this scenario? Does this require code changes for any of these APIs? Will I be able to access ClientIds which I can onboard to the third-party APIs for authorization?

1
How do you grant access to the ApplicationID in the third-party API? You should be able to follow the same process, and instead grant permissions to the managed identity service principal. (Arturo Lucatero - MSFT)
We give them our clientid and they usually whitelist it on their API. If I use a system-assigned managed identity, how will I know my clientID, or should I be using a user-assigned managed identity? (Shiju Samuel)
@ArturoLucatero-MSFT Is there a way to find out the ClientId of the SPN which the Managed Identity is managing? (Shiju Samuel)
Any update on this issue? (Joy Wang-MSFT)
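As an added illustration (not code from the question, the comments or the answer), the following Python shows the two mechanics the thread is about: how an App Service obtains a token from its local managed identity endpoint without any client secret in configuration (using the platform-provided IDENTITY_ENDPOINT / IDENTITY_HEADER environment variables and the documented 2019-08-01 API version), and how a receiving API reads the caller's application id (the `appid` claim in v1.0 tokens, `azp` in v2.0 tokens) to compare it with an allowlist. The environment values, the client id and the unsigned demo token are constructed placeholders; a real API must validate the token's signature, issuer, audience and expiry (with a JWT library) before trusting any claim in it.

```python
"""Constructed demo: managed identity token request + caller allowlisting."""
import base64
import json
import os
from urllib.parse import urlencode

# App Service managed identity endpoint version (documented value)
MSI_API_VERSION = "2019-08-01"

# Constructed placeholder for the identity's application (client) id
DEMO_CLIENT_ID = "11111111-2222-3333-4444-555555555555"


def build_msi_token_request(resource, env=None, client_id=None):
    """Build (but do not send) the GET request an App Service makes to its
    local identity endpoint. IDENTITY_ENDPOINT and IDENTITY_HEADER are
    injected by the platform, so no application secret lives in config.
    client_id selects a user-assigned identity; omit it for system-assigned."""
    env = os.environ if env is None else env
    params = {"resource": resource, "api-version": MSI_API_VERSION}
    if client_id is not None:
        params["client_id"] = client_id
    return {
        "method": "GET",
        "url": f"{env['IDENTITY_ENDPOINT']}?{urlencode(params)}",
        # the secret header proves the request comes from inside the app
        "headers": {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]},
    }


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims):
    """Constructed, UNSIGNED JWT-shaped token used only to exercise the
    claim inspection below. Real AAD tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def peek_caller_client_id(access_token):
    """Read the caller's application id from the token payload WITHOUT
    verifying it. This is for inspection (e.g. finding which id to onboard);
    an API must verify the signature before acting on the value."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    # v1.0 tokens carry the app id in "appid", v2.0 tokens in "azp"
    return payload.get("appid") or payload.get("azp")


def is_allowed_caller(access_token, allowlist):
    """Third-party side: authorize only known client ids (after verification)."""
    return peek_caller_client_id(access_token) in set(allowlist)


if __name__ == "__main__":
    # Constructed stand-ins for the platform-provided variables
    demo_env = {
        "IDENTITY_ENDPOINT": "http://127.0.0.1:41111/msi/token",
        "IDENTITY_HEADER": "constructed-header-value",
    }
    req = build_msi_token_request("https://thirdparty.example/api", env=demo_env)
    print(req["method"], req["url"])

    token = make_demo_token({"appid": DEMO_CLIENT_ID, "aud": "https://thirdparty.example/api"})
    print("caller appid:", peek_caller_client_id(token))
    print("allowed:", is_allowed_caller(token, [DEMO_CLIENT_ID]))
```

The value printed as `caller appid` is what the third party would add to its allowlist; the answer below describes where the same Application ID is shown in the portal.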

1 Answer

0 votes

AFAIK, you may not be able to do that via MSI; MSI is used to let an App Service/Function App access other Azure resources. If you enable MSI on the web app, it will just create a service principal automatically, without an AD App.

Is there a way to find out the ClientId of SPN which Managed Identity is managing?

It is possible: navigate to Enterprise applications in Azure Active Directory -> search for the name of your web app (you need to set the Application Type filter to All Applications) -> in Properties, you will find the Application ID, also called the Client ID, which is what you want.

But even though you can find it, you will not be able to generate a secret for the service principal. I think you can only do that with an AD App (App registration).