Reputation: 3261
I am working with an Azure Function that needs to authenticate to an API / App Service using a JWT.
I have been looking at a LOT of examples and settled on this as being the most appropriate:
using Azure.Core;
using Azure.Identity;

public string GenerateToken()
{
    // Inside Azure this resolves to the Function's managed identity
    var credential = new DefaultAzureCredential();
    // Scope decides which audience the token is issued for
    var token = credential.GetToken(new TokenRequestContext(new[] { "https://management.azure.com/" }));
    return token.Token;
}
Example taken from here: https://learn.microsoft.com/en-us/dotnet/api/azure.core.tokencredential?view=azure-dotnet
I have also tried to use this: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-c
This question is similar to my issue, but because it's not using Managed Identity the company I am working for says this is a no-go: Create azure bearer token from azure function
I believe the problem is the scope, but I cannot find the right scope to get into my app service.
I have also tried api://, the resource URL and more.
Any and all help gratefully received.
Upvotes: 6
Views: 12640
Reputation: 2583
Azure AD allows you to use .default as your scope to retrieve all access a principal has been granted.
In your case you can go with api://<commonly-api-client-id-uuid>/.default
This will retrieve a token with all the roles the managed identity principal of your Azure Function has been granted on the target API/App.
Upvotes: 5
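The flow the answer describes, as an added example that is not code from the question or the answer: the Function acquires a token for the api://<client-id>/.default scope, checks that the token's aud and roles claims actually match the target API before using it (the quickest way to tell a wrong scope from a missing app-role assignment), then calls the App Service. The client ID, API URL and route are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class ApiCaller
{
    // Hypothetical: Application (client) ID of the app registration protecting the target App Service.
    private const string TargetApiClientId = "00000000-0000-0000-0000-000000000000";
    private static readonly string[] Scopes = { $"api://{TargetApiClientId}/.default" };
    // Hypothetical downstream App Service base URL.
    private const string ApiBaseUrl = "https://my-api.azurewebsites.net";
    // Reused so DefaultAzureCredential can cache tokens instead of hitting the identity endpoint per call.
    private static readonly TokenCredential Credential = new DefaultAzureCredential();
    private static readonly HttpClient Http = new HttpClient();

    public static async Task<string> CallApiAsync()
    {
        // In Azure this resolves to the Function's managed identity; locally it falls back to az CLI / IDE sign-in.
        AccessToken token = await Credential.GetTokenAsync(new TokenRequestContext(Scopes), default);
        // Diagnostic check: confirm the token was issued for our API and carries an app role.
        // Wrong "aud" means the scope is wrong; missing "roles" means no app role is assigned to the identity.
        using JsonDocument payload = DecodePayload(token.Token);
        string aud = payload.RootElement.GetProperty("aud").GetString() ?? "";
        if (aud != $"api://{TargetApiClientId}" && aud != TargetApiClientId)
            throw new InvalidOperationException($"Token audience '{aud}' is not the target API");
        if (!payload.RootElement.TryGetProperty("roles", out _))
            throw new InvalidOperationException("Token has no 'roles' claim: assign an app role to the managed identity");

        var request = new HttpRequestMessage(HttpMethod.Get, $"{ApiBaseUrl}/api/values");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        HttpResponseMessage response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // Decodes the middle (payload) segment of a JWT for claim inspection only;
    // signature validation is the API's job, not the caller's.
    private static JsonDocument DecodePayload(string jwt)
    {
        string part = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        part = part.PadRight(part.Length + (4 - part.Length % 4) % 4, '=');
        return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(part)));
    }
}
```

The App Service side must still validate the signature, issuer and audience and enforce the roles claim; the check here only tells the Function operator whether the scope and role assignment are configured as intended.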