Reputation: 13
I have a scenario with several APIM instances in front of App Service API’s using EasyAuth. Each APIM instance has a managed Identity that is member of a group. I'm looking for a way to restrict access in the API’s to this specific group (or at least the specific ObjectID of APIM).
Is this scenario supported without writing code (or using IP restrictions)?
I have tried by setting the "User assignment required?" to YES in my AD application (the API, and Azure Function) using the guidance from "Restrict your Azure AD app to a set of users": https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-enable-user-assignment. But I still have access to the API from my APIM that has a Managed Identity even though it's not given the proper assignment in the API. I was expecting this call to fail with 401.
Upvotes: 1
Views: 1484
Reputation: 30903
First of all - you observe a working behavior because either (a) you explicitly assigned the managed identity a role / access to the easy auth app registration; or (b) APIM has a cached token from the time before you enabled explicit assignment required for the easy auth app registration.
Generally your approach is correct. With one caveat. Authorizations based on groups will not work (today) for any service principals. This means, if you put a service principal (A) into a group (G) and you assign this group a role to another service principal (B), the first service principal (A) will still not be able to get an access token for service principal (B). Any service principal (A) today must be explicitly authorized to another service principal (B). Meaning - if you set your service principal to require explicit user assignment, then you have to explicitly assign any other service principal you want to grant access to. Anything else will fail in obtaining the access token.
Here are steps to achieve what you want in a clean environment:
Result before assigning any role on the function app:
HTTP 500 ERROR:
AADSTS501051: Application 'xxx'(easy-apim) is not assigned to a role for the application 'yyy'(easyprotected-fn)
Detailed error:
Getting Managed Service Identity token for xxx-xxx-xxx audience threw exception 'System.InvalidOperationException:
Authentication failed for Active Directory Tenant: 'https://login.windows.net/yyy-aaa-bbb'
---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException:
AADSTS501051: Application 'yyy'(easy-apim) is not assigned to a role for the application 'bb'(easyprotected-fn).
Now, to let the managed identity through, you have to create an application role for your service principal (the protected API - the one that you change to explicitly require user assignment). Follow the guidance here and select "Application" for allowed member type. For example:
{
    "allowedMemberTypes": [
        "Application"
    ],
    "displayName": "GrantAccessToAPIM",
    "id": "aaaaaa-bbbb-cccc-dddd-feb89e6f5d47",
    "isEnabled": true,
    "description": "Used to explicitly delegate access for APIM",
    "value": "GrantAccessToAPIM"
}
Then you need to explicitly assign your managed identity to this role! You can do this by using the New-AzureADServiceAppRoleAssignment cmdlet.
Once you assign the managed identity a role to the protected app, you will see the success call in the APIM:
authentication-managed-identity (1.244 ms)
{
"message": "Obtaining managed identity token using clientId:xxx AAD Authority:https://login.windows.net/yyy for https://fndemo-test.azurewebsites.net audience succeeded.",
"errorResponse": null
}
Upvotes: 2
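The role creation and assignment described in the answer above, scripted end to end with the AzureAD PowerShell module (this is an added example, not code from the answer's author). It goes slightly beyond the answer by looping over several APIM managed identities, since group membership does not carry over to service principals and each one needs its own assignment. The names 'easyprotected-fn' and 'easy-apim' are taken from the answer's error output and are assumptions; replace them with your own app registration and managed identity display names.

```powershell
# Added example: create an application-only app role on the protected API's app
# registration and assign each APIM managed identity to it. Assumed names below.
Connect-AzureAD

$apiDisplayName   = 'easyprotected-fn'          # assumed: protected API app registration
$apimDisplayNames = @('easy-apim')              # assumed: one entry per APIM managed identity
$roleValue        = 'GrantAccessToAPIM'

# 1. App registration of the protected API (the one with "User assignment required" = Yes)
$apiApp = Get-AzureADApplication -Filter "displayName eq '$apiDisplayName'"
if (-not $apiApp) { throw "App registration '$apiDisplayName' not found" }

# 2. Add an app role with allowedMemberTypes = Application if it does not exist yet
$role = $apiApp.AppRoles | Where-Object { $_.Value -eq $roleValue }
if (-not $role) {
    $role = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $role.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $role.AllowedMemberTypes.Add('Application')
    $role.DisplayName = $roleValue
    $role.Value       = $roleValue
    $role.Description = 'Used to explicitly delegate access for APIM'
    $role.IsEnabled   = $true
    $role.Id          = [Guid]::NewGuid()

    # Keep existing roles; Set-AzureADApplication replaces the whole collection
    $roles = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]
    foreach ($r in $apiApp.AppRoles) { $roles.Add($r) }
    $roles.Add($role)
    Set-AzureADApplication -ObjectId $apiApp.ObjectId -AppRoles $roles
}

# 3. Service principal of the protected API (the "resource" side of the assignment)
$apiSp = Get-AzureADServicePrincipal -Filter "appId eq '$($apiApp.AppId)'"

# 4. Explicitly assign every APIM managed identity; group membership is not enough
foreach ($name in $apimDisplayNames) {
    $apimSp = Get-AzureADServicePrincipal -Filter "displayName eq '$name'"
    if (-not $apimSp) { Write-Warning "Managed identity '$name' not found"; continue }

    $already = Get-AzureADServiceAppRoleAssignment -ObjectId $apiSp.ObjectId |
        Where-Object { $_.PrincipalId -eq $apimSp.ObjectId -and $_.Id -eq $role.Id }
    if ($already) { Write-Host "'$name' already assigned"; continue }

    New-AzureADServiceAppRoleAssignment -ObjectId $apimSp.ObjectId `
        -PrincipalId $apimSp.ObjectId -ResourceId $apiSp.ObjectId -Id $role.Id
}

# 5. Verify: every principal that currently holds a role on the protected API
Get-AzureADServiceAppRoleAssignment -ObjectId $apiSp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalType, Id
```

Step 5 is the check to run when a call still fails with AADSTS501051: if the managed identity is missing from that list, the assignment did not land; if it is present and the call still succeeds while it should not, remember the cached token the answer mentions and wait for it to expire or restart APIM's token acquisition.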