Jared275

Reputation: 49

How to explicitly grant access from a User Managed Identity to an AAD application registration?

We have a user managed identity that is used by a Service Fabric Cluster to authenticate to various resources from the services deployed to the cluster. One of the use cases is to request access tokens to an API that we also own and protect with an AAD Application Registration, using the following code snippet, where the ResourceId parameter is the AAD Application Registration Client ID:

        // resourceId is the Application (client) ID of the AAD Application Registration that protects the API
        AppAuthenticationResult tokenResult;

        try
        {
            tokenResult = await this.azureServiceTokenProvider.GetAuthenticationResultAsync(resourceId).ConfigureAwait(false);
        }
        catch (AzureServiceTokenProviderException ex)
        {
            // Token acquisition through MSI failed; ex.Message carries the AADSTS error text shown below
            throw;
        }

This has worked fine, however we recently needed to disable guest access to the AAD Application Registration by turning ON the User Assignment Required property on the associated Enterprise Application. Doing this caused the above token requests to fail with the exception:

Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"error":"invalid_grant","error_description":"AADSTS501051Application '<Managed Identity Client ID GUID>'() is not assigned to a role for the application '<AAD Application Registration Client ID GUID>' 

We have dug through the documentation, but can't seem to find how to assign an application role to the AAD Application from the Managed Identity. How is this intended to be accomplished?

Upvotes: 0

Views: 484

Answers (2)

Allen Wu

Reputation: 16498

Now that you have configured an application to require user assignment, you need to Assign user managed identity for your AAD Application Registration.

This part does not apply to your scenario, because yours is not a user, but a user managed identity (application).

So you need to create an app role whose type is Application in your AAD Application Registration.

And then grant an appRoleAssignment to a service principal (your user managed identity) using Microsoft Graph API.

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110

{
  "principalId": "principalId-value",
  "resourceId": "resourceId-value",
  "appRoleId": "appRoleId-value"
}

Detailed steps are in my previous answer.

Upvotes: 1

Kalyan Krishna

Reputation: 1714

In your web API, expose app roles as explained here.

Use the instructions in this blog to assign this app role to your managed identity.

Upvotes: 1
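Both answers describe the same two-step fix: define an app role on the API's app registration whose allowed member type is "Application", then create an appRoleAssignment for the managed identity's service principal through Microsoft Graph. The script below is an added example and is not code from either answer or from Microsoft. It assumes you already hold a Graph access token with the AppRoleAssignment.ReadWrite.All permission, that the `appRoles` array and every GUID in it are constructed placeholders, and that `post` is either `requests.post` or the included dry-run stand-in. It also encodes the check that is easiest to get wrong: the `resourceId` in the Graph body is the object id of the API's service principal (the Enterprise Application), not the Application (client) ID that the `GetAuthenticationResultAsync` call in the question uses.

```python
"""Grant an Application-type app role on an AAD-protected API to a
user-assigned managed identity via the Microsoft Graph appRoleAssignedTo
endpoint. Added example; all ids and the sample manifest are constructed."""
import uuid

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def find_application_role(app_roles, value):
    """Pick the app role named `value` from an app registration's appRoles
    array, but only if it is enabled and allows the "Application" member
    type. A role whose allowedMemberTypes is only ["User"] can never be held
    by a service principal, so it is rejected here instead of surfacing as a
    confusing error from Graph."""
    for role in app_roles:
        if role.get("value") != value:
            continue
        if not role.get("isEnabled", False):
            raise LookupError(f"app role {value!r} exists but is disabled")
        if "Application" not in role.get("allowedMemberTypes", []):
            raise LookupError(
                f"app role {value!r} is not assignable to applications "
                f"(allowedMemberTypes={role.get('allowedMemberTypes')})")
        return role
    raise LookupError(f"no app role with value {value!r}")


def _guid(value, name):
    """Reject anything that is not a GUID, so a display name or a value
    copied from the wrong portal blade fails fast rather than as a 400."""
    try:
        return str(uuid.UUID(str(value)))
    except ValueError as exc:
        raise ValueError(f"{name} must be a GUID, got {value!r}") from exc


def build_app_role_assignment(mi_sp_object_id, api_sp_object_id, app_role_id):
    """Return the (url, json_body) pair for the Graph call that grants the role.

    principalId: object id of the managed identity's service principal
    resourceId:  object id of the API's *service principal* (Enterprise
                 Application), not the Application (client) ID used as the
                 ResourceId of the token request in the question
    appRoleId:   the "id" of the app role in the API's manifest
    """
    api_sp = _guid(api_sp_object_id, "api_sp_object_id")
    url = f"{GRAPH_BASE}/servicePrincipals/{api_sp}/appRoleAssignedTo"
    body = {
        "principalId": _guid(mi_sp_object_id, "mi_sp_object_id"),
        "resourceId": api_sp,
        "appRoleId": _guid(app_role_id, "app_role_id"),
    }
    return url, body


def assign_app_role(post, graph_token, app_roles, role_value,
                    mi_sp_object_id, api_sp_object_id):
    """Resolve the role and submit the assignment.

    `post` is any callable with the shape of requests.post(url, headers=...,
    json=...) returning an object with .status_code, .text and .json(); it
    is injected so the logic can be exercised without network access.
    Graph answers 201 Created on success."""
    role = find_application_role(app_roles, role_value)
    url, body = build_app_role_assignment(mi_sp_object_id, api_sp_object_id,
                                          role["id"])
    resp = post(url, headers={"Authorization": f"Bearer {graph_token}",
                              "Content-Type": "application/json"}, json=body)
    if resp.status_code != 201:
        raise RuntimeError(
            f"appRoleAssignedTo failed: {resp.status_code} {resp.text}")
    return resp.json()


class _DryRunResponse:
    """Minimal stand-in for requests.Response used by dry_run_post."""
    status_code = 201
    text = ""

    def __init__(self, body):
        self._body = body

    def json(self):
        # Graph echoes the assignment back with a server-generated id.
        return dict(self._body, id="dry-run-assignment-id")


def dry_run_post(url, headers=None, json=None):
    """Stand-in for requests.post that performs no I/O (hypothetical helper)."""
    return _DryRunResponse(json)


# Constructed sample: the appRoles array of the API registration's manifest
# after adding one Application-type role next to a User-only role.
SAMPLE_APP_ROLES = [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "Api.Access",
     "displayName": "API caller", "description": "Daemons that may call the API",
     "allowedMemberTypes": ["Application"], "isEnabled": True},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "Api.Read",
     "displayName": "Reader", "description": "Interactive users",
     "allowedMemberTypes": ["User"], "isEnabled": True},
]

if __name__ == "__main__":
    # Dry run with constructed object ids; swap dry_run_post for requests.post
    # and supply a real Graph token to perform the assignment.
    print(assign_app_role(dry_run_post, "<graph-token>", SAMPLE_APP_ROLES,
                          "Api.Access",
                          "33333333-3333-3333-3333-333333333333",
                          "44444444-4444-4444-4444-444444444444"))
```

Once the assignment exists, the managed identity's next token request for the API succeeds and the issued access token carries the role's `value` in its `roles` claim, which the API can then require in its authorization policy.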
