1 vote

I have an Azure Function app that uses the integrated Azure AD Authentication configured via the Azure portal.

Via the "Express" mode setup, this creates an Azure App Registration along with Enterprise Application.

By default, this Enterprise Application accepts all users. So that means all users in the tenant can trigger the protected Azure Functions, which is not what I wanted.

My goal is to allow certain users and certain Azure resources in the tenant which have Managed Identities, such as an App Service, to trigger the function.

So I went to the Enterprise Application settings of the Azure Function app and changed its properties to "User Assignment Required". Then under Users/Groups, I can add users/groups that are allowed to authenticate.

Here I found out that I can only add regular AAD users. The managed identity service principals (i.e., the system assigned managed identity principals for my App Service) do not show up on the list.

I have not tried user-assigned managed identities. But I prefer using system-assigned managed identities.

Is this a supported scenario?


2 Answers

3 votes

Yes, you can, but adding the MSI (essentially a service principal) to the Users and groups of an enterprise application is different from adding a user/group: you need to leverage the Azure AD app role.

Please follow the steps below.

1. Navigate to Azure Active Directory in the portal -> App registrations -> search for your function app name with the filter All applications -> click it -> App roles | Preview -> Create app role -> create the role like below -> Apply.

[screenshot of the app role configuration]

2. Use the PowerShell below to give the app role to your MSI (managed identity), replacing <appservice-name> and <functionapp-name>.

Make sure you have installed the AzureAD PowerShell module and have enough permission to assign the app role (this step is unavailable in the Azure portal).

# Sign in with an account that may assign app roles on the function app's service principal
Connect-AzureAD
# The caller: the App Service's system-assigned managed identity (a service principal)
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '<appservice-name>'"
# The resource: the function app's Enterprise Application (service principal)
$funapp = Get-AzureADServicePrincipal -Filter "displayName eq '<functionapp-name>'"
# Value of the app role created in step 1
$PermissionName = "Function.Test"
$approle = $funapp.AppRoles | Where-Object {$_.Value -eq $PermissionName}
# Grant the role: PrincipalId is the MSI, ResourceId is the function app, Id is the role
New-AzureADServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $funapp.ObjectId -Id $approle.Id


After doing the steps above, navigate to Users and groups; you will find the MSI is added to it.

In this case, you also have another way: just create a security group in AAD and add the MSI service principal as a member of it, then add the group to Users and groups; the MSI will then also be able to call the function.

So in conclusion, you have two solutions; you can choose the preferred way.

  1. Leverage the App role

  2. Leverage the AAD Group

To call the function successfully, also make sure you set the function to Anonymous.

Navigate to the HTTP trigger in your function app and set the Authorization level to Anonymous, because we have configured AAD auth.

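The following is an added example, not code from the answer above: it carries both of the answer's approaches (app role, and AAD group) through end to end with the AzureAD module, creates the app role if it is missing, skips assignments that already exist, and finishes by listing who is assigned to the function app so the result can be checked. <appservice-name>, <functionapp-name>, the role value Function.Test and the group name are placeholders; the role display name and description are assumptions.

```powershell
# Added example: idempotent app role creation + assignment for a managed identity,
# plus the group alternative. Placeholders in angle brackets must be replaced.
Connect-AzureAD

$appServiceName  = "<appservice-name>"          # caller: App Service with a system-assigned identity
$functionAppName = "<functionapp-name>"         # callee: function app protected by AAD auth
$roleValue       = "Function.Test"              # app role value, as in the answer
$groupName       = "<function-callers-group>"   # only used by the group approach (assumed name)

# Resolve the principals. displayName is not unique, so refuse to continue on an
# ambiguous match rather than granting access to the wrong service principal.
$msi    = @(Get-AzureADServicePrincipal -Filter "displayName eq '$appServiceName'")
$funcSp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$functionAppName'")
if ($msi.Count -ne 1)    { throw "Expected exactly one service principal named $appServiceName, found $($msi.Count)" }
if ($funcSp.Count -ne 1) { throw "Expected exactly one service principal named $functionAppName, found $($funcSp.Count)" }
$msi = $msi[0]; $funcSp = $funcSp[0]

# --- Approach 1: app role -------------------------------------------------------
# Step 1 (the portal step in the answer, done here in PowerShell): create the role on
# the function app's App Registration if it does not exist yet.
$funcApp = Get-AzureADApplication -Filter "appId eq '$($funcSp.AppId)'"
if (-not ($funcApp.AppRoles | Where-Object { $_.Value -eq $roleValue })) {
    $role = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $role.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $role.AllowedMemberTypes.Add("Application")   # grantable to service principals (the MSI)
    $role.DisplayName = "Function caller"          # assumed display name
    $role.Description = "May call the protected HTTP trigger"
    $role.Value       = $roleValue
    $role.Id          = [Guid]::NewGuid()
    $role.IsEnabled   = $true
    $roles = $funcApp.AppRoles
    $roles.Add($role)
    Set-AzureADApplication -ObjectId $funcApp.ObjectId -AppRoles $roles
    # The service principal mirrors the application's roles; re-read it so the new
    # role (and its Id) is visible for the assignment below.
    $funcSp = Get-AzureADServicePrincipal -ObjectId $funcSp.ObjectId
}
$appRole = $funcSp.AppRoles | Where-Object { $_.Value -eq $roleValue }
if (-not $appRole) { throw "Role $roleValue not visible on the service principal yet; retry shortly" }

# Step 2: assign the role to the MSI unless it already holds it.
$existing = Get-AzureADServiceAppRoleAssignedTo -ObjectId $funcSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $msi.ObjectId -and $_.Id -eq $appRole.Id }
if (-not $existing) {
    New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId `
        -ResourceId $funcSp.ObjectId -Id $appRole.Id | Out-Null
}

# --- Approach 2: AAD security group ---------------------------------------------
# Put the MSI in a group and assign the group to the enterprise application. The
# all-zero GUID is the built-in "default access" role, which is what the portal's
# Users and groups blade assigns when the app defines no role of its own.
$group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName -SecurityEnabled $true `
        -MailEnabled $false -MailNickName "functioncallers"
}
$isMember = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectId -eq $msi.ObjectId }
if (-not $isMember) { Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $msi.ObjectId }
$defaultRole = [Guid]::Empty
$groupAssigned = Get-AzureADServiceAppRoleAssignedTo -ObjectId $funcSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $group.ObjectId }
if (-not $groupAssigned) {
    New-AzureADServiceAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $funcSp.ObjectId -Id $defaultRole | Out-Null
}

# --- Verification: this is the list behind the Users and groups blade ------------
Get-AzureADServiceAppRoleAssignedTo -ObjectId $funcSp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalType, Id
```

Only one of the two approaches is needed; run the section you prefer. The final listing is the check that matters: with "User Assignment Required" on, any principal that does not appear in it is rejected by the AAD auth layer before the function code runs, so reviewing this output (rather than the portal screenshot) is the reliable way to confirm who can trigger the function.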

1 vote

I went through a similar problem solving session with Azure support a few months ago.

The conclusion was:

  • you can assign Users and Groups to the Service Principal/Enterprise Application, but not a Managed Identity
  • from what I remember you cannot assign Groups when on a free AAD plan
  • if you can assign Groups, adding the Managed Identity to the Group may work (never tried it myself)