Reputation: 357
(Our environment is Azure and we have our services hosted in Azure App Service.)
We have a legacy React app hosted inside an MVC .NET Core web app.
All the web app does is grab the access token (we are using the Microsoft.Identity.Web package) and pass it down to the React app.
The web app (the app hosting the React app) and the API have MI set up using a User Assigned Identity.
Our program.cs roughly looks like:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    // Delegated scope on our own API (app ID URI api://{Guid API})
    .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "api://{Guid API}/Users.ReadWrite.All" })
    .AddInMemoryTokenCaches();
Then the home controller acquires the access token to pass to our React app:
The React app then calls another API (which we own). The API uses this token to check our DB for roles and determine which pages to display, or which parts of the app to hide.
We have been using the Client Credentials Flow (client ID, client secret, etc.) to get access tokens and it has been working fine. But we are now told by the MS security team to get rid of all client secrets and certs and instead use Managed Identity.
Any thoughts?
I feel like I'm piecing together a puzzle. I wanted to just level set and ask the fine folks here to get some ideas.
I'm thinking of Public client flow (PKCE) if MI is not available.
Thanks in advance!
Upvotes: 0
Views: 343
Reputation: 58863
Managed Identities can only replace one scenario: where you use client ID + client secret/certificate to get an access token with application permissions within the same tenant where your Azure resources are in.
GetAccessTokenForUserAsync is not possible to replace, as this is using delegated permissions (ForUser) and includes user information.
Upvotes: 0
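The distinction the answer draws, shown as an added example (not code from the question or the answer): the managed-identity path that can replace the client-secret flow for application permissions, next to the delegated path that keeps the signed-in user and therefore stays on the OIDC web-app configuration from Program.cs. It assumes the Azure.Identity and Microsoft.Identity.Web packages; the API app ID URI, the user-assigned identity's client ID and the class name DownstreamTokens are placeholders. The IsAppOnly helper is a claim check an API can run after normal JwtBearer validation to tell which kind of token it received.

```csharp
// Added example, not from the original post. Assumes Azure.Identity,
// Microsoft.Identity.Web and System.IdentityModel.Tokens.Jwt are referenced.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Identity.Web;

public sealed class DownstreamTokens
{
    // Placeholders: the API's app ID URI and the user-assigned identity's client ID.
    private const string ApiAppIdUri = "api://{Guid API}";
    private const string ManagedIdentityClientId = "{user-assigned-MI-client-id}";

    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly TokenCredential _managedIdentity;

    public DownstreamTokens(ITokenAcquisition tokenAcquisition)
    {
        _tokenAcquisition = tokenAcquisition;
        // Path 1: managed identity. Replaces client ID + secret only for
        // APPLICATION permissions in the same tenant. The resulting token has
        // no user claims, so the API must authorize on app roles ("roles"),
        // not on a signed-in user.
        _managedIdentity = new ManagedIdentityCredential(ManagedIdentityClientId);
    }

    // App-only token: only the "/.default" scope is valid for managed identity.
    public async Task<string> GetAppOnlyTokenAsync(CancellationToken ct = default)
    {
        var ctx = new TokenRequestContext(new[] { ApiAppIdUri + "/.default" });
        AccessToken token = await _managedIdentity.GetTokenAsync(ctx, ct);
        return token.Token;
    }

    // Path 2: delegated token. Carries the signed-in user's identity, which a
    // managed identity cannot provide, so this stays on the confidential-client
    // (OIDC web app) path configured with EnableTokenAcquisitionToCallDownstreamApi.
    public Task<string> GetDelegatedTokenAsync()
    {
        return _tokenAcquisition.GetAccessTokenForUserAsync(
            new[] { ApiAppIdUri + "/Users.ReadWrite.All" });
    }

    // API-side check: an app-only token has no "scp" claim and carries "roles"
    // (and "idtyp": "app" when that optional claim is configured); a delegated
    // token carries "scp" plus user claims such as "oid". This only reads
    // claims; signature and audience validation must already have happened in
    // the JwtBearer pipeline.
    public static bool IsAppOnly(string jwt)
    {
        JwtSecurityToken token = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        bool hasScp = token.Claims.Any(c => c.Type == "scp");
        bool idtypApp = token.Claims.Any(c => c.Type == "idtyp" && c.Value == "app");
        bool hasRoles = token.Claims.Any(c => c.Type == "roles");
        return !hasScp && (idtypApp || hasRoles);
    }
}
```

If the API's role lookup is keyed on the user (as the question describes, "check our DB for roles"), an app-only token from the managed identity will not carry that user, so the API would have to be re-keyed on app roles before the delegated call could be retired.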