Azure API Management + Azure Function and managed identity

Question

I'm trying to call an Azure function from an API Management instance by using Managed Identity. I have set a System Managed Identity to my APIM instance. I have granted the Contributor role to this identity on the Azure Function App. I have also change the App Service Authentication to AD.

Now I'm trying to call the function from an API.

I have two issues:

First One: when I use the authentication-managed-identity policy to get a token, I got an error when I use the audience https://myfunctionapp.azurewebsites.net. AD tells me that this app is not registered in the tenant
Second: If I retrieve a token for https://management.azure.com, I got a token but I received a 401 Unauthorized error from the Azure Function.

Maybe I'm just trying to get a token on the wrong audience, but unfortunately the audience of functions is not listed in the document (for service bus for example, there is a common URI to use, also for KeyVault, ...).

I think that I probably missed something in the picture... Thanks.

Thiago Custodio Thiago Custodio · Accepted Answer · 2020-01-15T20:19:31

You need to use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service.

https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#ManagedIdentity

EDIT

1-In your APIM application on Azure AD, grab the Application ID assigned for enterprise application.

2-Then go to Platform features in your Azure Function App, and click on Authentication / Authorization.

3-Select Azure Active Directory as the authentication provider, and the management mode "express".

4-Back to authentication-managed-identity policy, set the Application ID from step 1 as the resource.

Azure API Management + Azure Function and managed identity

2 Answers