A minimal example showing how to protect an Azure App Service using an app registration and a managed identity.

## Overview

The Caller app exposes an endpoint, `/weatherforecast`, which calls the Callee's API endpoint, `/weatherforecast`, and returns that API's response. The Callee is protected by App Service authentication, so only a caller presenting a valid token for the Callee's app registration reaches it.

- Callee and Caller both require a managed identity.
- Callee also requires an App Registration.

In the local environment, the Caller uses the environment variables configured in `launchSettings.json` to create an `EnvironmentCredential` (Azure.Identity reads `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET`).

In the Azure environment, the Caller checks the `ManagedIdentity` value in app settings. If it is set, the Caller creates a `ManagedIdentityCredential` with that value as the client ID of a user-assigned managed identity. Otherwise, it creates the credential for the web app's system-assigned managed identity.
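The credential selection described above, and the bearer-token call to the Callee, written against Azure.Identity as an added example (this is not code from this repository). The configuration keys `ManagedIdentity`, `CalleeApi` and `DefaultScope` are the app settings this README uses; the class and method names are assumed, and `ManagedIdentityId` requires Azure.Identity 1.13 or later.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

// Added illustration of the Caller's credential selection; class and method names are assumed.
public static class CalleeClient
{
    // Picks the credential the README describes:
    //  - local (Development): EnvironmentCredential, fed by AZURE_TENANT_ID / AZURE_CLIENT_ID /
    //    AZURE_CLIENT_SECRET from launchSettings.json;
    //  - Azure with the "ManagedIdentity" app setting: a user-assigned managed identity,
    //    addressed by its client ID (not its object ID);
    //  - Azure without it: the system-assigned managed identity of the web app.
    public static TokenCredential CreateCredential(IConfiguration config, bool isDevelopment)
    {
        if (isDevelopment)
        {
            return new EnvironmentCredential();
        }

        string? userAssignedClientId = config["ManagedIdentity"];
        if (!string.IsNullOrWhiteSpace(userAssignedClientId))
        {
            return new ManagedIdentityCredential(
                ManagedIdentityId.FromUserAssignedClientId(userAssignedClientId));
        }

        return new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
    }

    // Requests a token for the Callee's scope (api://{Callee client ID}/.default) and calls
    // its /weatherforecast endpoint with the token as a bearer credential.
    public static async Task<string> GetWeatherForecastAsync(
        HttpClient http, TokenCredential credential, IConfiguration config, CancellationToken ct = default)
    {
        string scope = config["DefaultScope"]
            ?? throw new InvalidOperationException("DefaultScope is not configured");
        string calleeApi = config["CalleeApi"]
            ?? throw new InvalidOperationException("CalleeApi is not configured");

        // The token's aud claim is the Callee's application ID URI; App Service authentication on the
        // Callee verifies it and checks the oid claim against its list of allowed identities.
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }), ct);

        using var request = new HttpRequestMessage(HttpMethod.Get, new Uri(new Uri(calleeApi), "/weatherforecast"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);

        using HttpResponseMessage response = await http.SendAsync(request, ct);
        // With "Return 401 instead of 302" configured on the Callee, a rejected identity surfaces here
        // as an HttpRequestException with status 401 rather than as a redirect to a login page.
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync(ct);
    }
}
```

Wiring in `Program.cs` would register `AddHttpClient()`, a singleton `TokenCredential` built by `CalleeClient.CreateCredential(builder.Configuration, builder.Environment.IsDevelopment())`, and map `GET /weatherforecast` to `GetWeatherForecastAsync`. Keeping the credential as a singleton matters because `ManagedIdentityCredential` caches tokens; creating one per request would hit the identity endpoint every time.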
## Prerequisites

- net8.0
- vscode
- Azure Tools
## Run locally

Trust the ASP.NET Core development certificate once:

```bash
dotnet dev-certs https --trust
```

Callee:

```bash
cd poc-callee
dotnet restore
dotnet build
dotnet run --launch-profile https
```

The app will run at https://localhost:7200.

Caller:

```bash
cd poc-caller
dotnet restore
dotnet build
dotnet run --launch-profile https
```

The app will run at https://localhost:7122.
## Azure setup (system-assigned managed identity)

### App Registration

- Create an App Registration named `poc-web-callee`.
  - Its Client (Application) ID will be used when setting up the Caller (it is the `{Callee's client ID}` in `DefaultScope` below).

### Caller

- Create an Azure Web App named `poc-web-caller` in a newly created resource group, `poc-web-caller_group`.
- Turn on system-assigned managed identity.
  - The managed identity's Object (Principal) ID will be used when setting up the Callee.
- Configure Environment Variables:
  - `CalleeApi`: the Callee's app URL, e.g. `https://app_name.app_region-01.azurewebsites.net`
  - `DefaultScope`: `api://{Callee's client ID}/.default`, e.g. `api://ecee9ced-1ac9-4657-b3be-0034a962f670/.default`
### Callee

- Create an Azure Web App named `poc-web-callee` in a newly created resource group, `poc-web-callee_group`.
- Turn on system-assigned managed identity.
- Add Microsoft as the Identity Provider in the Authentication settings:
  - App registration: choose the existing `poc-web-callee` registration.
  - Supported account types: Current tenant - Single tenant.
  - Client application requirement: Allow requests from any application (Not recommended).
  - Identity requirement: Allow requests from specific identities, and fill in the Caller's managed identity (Object/Principal) ID. This is the check that actually restricts who can reach the API: the Caller's token carries that ID in its `oid` claim, and tokens from any other identity in the tenant are rejected even though the client application requirement is left open.
  - Unauthenticated requests: return HTTP 401 instead of a 302 redirect, so an API client gets a clear error instead of being redirected to a login page.
## Verify

- `poc-callee` should deploy and run on `poc-web-callee`.
- `poc-caller` should deploy and run on `poc-web-caller`.
- Invoking `GET /token` on `poc-caller` should return an access token.
- Invoking `GET /weatherforecast` on `poc-caller` should return a list of data.
## User-assigned managed identity

Most of the steps are the same as for the system-assigned managed identity, except the following.

### Create a user-assigned managed identity

This can be done in the Azure portal. The managed identity created has 2 IDs:

- Client ID: the Caller uses this when creating the `ManagedIdentityCredential`.
- Object (Principal) ID: the Callee checks this in the Allow requests from specific identities setting.

### Caller

- Make sure that the system-assigned managed identity has been turned OFF.
- Add the user-assigned managed identity to the app.
- Set the Client ID as the `ManagedIdentity` property in app settings.
- The access token created should have an `oid` claim equal to the Object ID of the user-assigned managed identity (its `appid` claim is the Client ID). If `oid` is still the system-assigned identity's principal ID, the `ManagedIdentity` setting has not been picked up.

### Callee

- Add the Object ID under Allow requests from specific identities in the Authentication settings.
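To confirm the claim mapping above (`oid` is the identity's Object ID, `appid` its Client ID) before adding an ID to the Callee's allowed identities, the token returned by the Caller's `GET /token` can be decoded and inspected. This is an added example, not code from this repository: it decodes the payload without validating the signature, so it is a debugging aid only and never a substitute for the Callee's App Service authentication. The sample token is constructed with placeholder GUIDs and a dummy signature segment.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Added illustration; record and class names are assumed.
public sealed record TokenIdentity(string? Oid, string? AppId, string? Audience, string? Issuer);

public static class TokenInspector
{
    // Decodes the payload of a compact JWT WITHOUT validating its signature. Use this only to look at
    // what the Caller obtained; authorization on the Callee is done by App Service authentication.
    public static TokenIdentity Inspect(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("expected a compact JWT with three segments");

        using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        JsonElement root = doc.RootElement;
        return new TokenIdentity(
            Oid: GetString(root, "oid"),
            AppId: GetString(root, "appid") ?? GetString(root, "azp"), // v1 tokens use appid, v2 tokens use azp
            Audience: GetString(root, "aud"),
            Issuer: GetString(root, "iss"));
    }

    // True when the token would satisfy an "Allow requests from specific identities" rule containing
    // allowedObjectIds, i.e. when its oid matches one of them. Note that the Client ID never matches.
    public static bool IsAllowedIdentity(TokenIdentity id, params string[] allowedObjectIds)
        => id.Oid is not null
           && Array.Exists(allowedObjectIds, a => string.Equals(a, id.Oid, StringComparison.OrdinalIgnoreCase));

    private static string? GetString(JsonElement root, string name)
        => root.TryGetProperty(name, out JsonElement v) && v.ValueKind == JsonValueKind.String ? v.GetString() : null;

    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample payload with placeholder GUIDs (not a real token); the signature is a dummy.
        const string objectId = "11111111-1111-1111-1111-111111111111";
        const string clientId = "22222222-2222-2222-2222-222222222222";
        string payload = JsonSerializer.Serialize(new
        {
            aud = "api://00000000-0000-0000-0000-000000000001",
            iss = "https://sts.windows.net/<tenant id>/",
            oid = objectId,
            appid = clientId
        });

        string Enc(string x) => Convert.ToBase64String(Encoding.UTF8.GetBytes(x))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string jwt = $"{Enc("{\"alg\":\"RS256\",\"typ\":\"JWT\"}")}.{Enc(payload)}.dummysignature";

        TokenIdentity id = TokenInspector.Inspect(jwt);
        Console.WriteLine($"oid={id.Oid} appid={id.AppId} aud={id.Audience}");
        Console.WriteLine($"allowed by Object ID: {TokenInspector.IsAllowedIdentity(id, objectId)}");
        Console.WriteLine($"allowed by Client ID: {TokenInspector.IsAllowedIdentity(id, clientId)}");
    }
}
```

The last two lines make the practical point of this section: pasting the Client ID into the Callee's allowed identities does not work, because the rule is evaluated against `oid`, which is the Object (Principal) ID.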
## Local development

Add the following environment variables to the launch profile you run (`https`) in `launchSettings.json`:

```json
"environmentVariables": {
  "ASPNETCORE_ENVIRONMENT": "Development",
  "AZURE_TENANT_ID": "<Azure Directory (Tenant) ID>",
  "AZURE_CLIENT_ID": "<Callee's app client ID>",
  "AZURE_CLIENT_SECRET": "<Callee's app client secret>"
}
```

Locally the Caller therefore authenticates as the Callee's app registration itself (client credentials with a client secret) and requests a token for `api://{Callee's client ID}/.default`. `launchSettings.json` is normally committed to source control, so do not put a real client secret in it: set `AZURE_CLIENT_SECRET` as a local environment variable instead, and rotate the secret if one has already been committed.

## References

- https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service?tabs=workforce-configuration
- https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-configuration#use-a-built-in-authorization-policy
- https://learn.microsoft.com/en-us/aspnet/core/tutorials/publish-to-azure-webapp-using-vscode?view=aspnetcore-8.0
- https://stackoverflow.com/questions/76152638/aadsts500011-inserting-scope-in-azure-authentication-returns-error
- https://learn.microsoft.com/en-us/dotnet/api/azure.identity.managedidentitycredential.-ctor?view=azure-dotnet#azure-identity-managedidentitycredential-ctor(azure-identity-managedidentityid)