Trying to use the Application ID to control access to function apps by adding an identity provider to the app. When I do it in a logic app pointing to the function app and add authentication as follows, it works.
"HTTP": {
    "inputs": {
        "authentication": {
            "audience": "c0e13b97-14f1-430f-bdba-a9651502e8e4",
            "type": "ManagedServiceIdentity"
        },
        "method": "GET",
        "uri": "www.replaced.com/api/get_time"
    },
    "runAfter": {},
    "runtimeConfiguration": {
        "contentTransfer": {
            "transferMode": "Chunked"
        }
    },
    "type": "Http"
},
So I tried to set it up in API Manager so it would use its Application ID, and found the following on the MS Support site:
<authentication-managed-identity resource="AD_application_id" output-token-variable-name="msi-access-token" ignore-error="false" />
<!--Application (client) ID of your own Azure AD Application-->
<set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
</set-header>
It seems to send something, but the problem is that it seems to be missing the scope, or as the error message reads in the trace:
authentication-managed-identity (0.081 ms)
{
    "messages": [
        null,
        "Getting Managed Service Identity token for AD_application_id audience threw exception 'System.InvalidOperationException: [MSAL] Authentication failed for ClientId: 2ea6156a-a72f-4a7e-bbaa-8cb2f1002ad1 Certificate: D6E1D650CAFDC108F524C69055892889F1EEC9F1 AuthorizationUrl: https://login.windows.net/6147eb36-9fd8-4609-b472-1d18921607e3 resourceId: AD_application_id ---> Microsoft.Identity.Client.MsalServiceException: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope AD_application_id/.default is not valid. Trace ID: ad5bd488-f5e2-45e5-8d8c-d20acf1d0c00 Correlation ID: 211218e5-be38-457c-a6ed-0a321426bfeb Timestamp: 2024-09-18 14:03:52Z
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.d__13`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.OAuth2.TokenClient.d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Identity.Client.OAuth2.TokenClient.d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.OAuth2.TokenClient.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__24.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Utils.StopwatchService.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Gateway.Policies.Identity.ActiveDirectory.Msal.MsalAadClient.d__12.MoveNext() in C:__w1sProxyGateway.Policies.IdentityActiveDirectoryMsalMsalAadClient.cs:line 115
   --- End of inner exception stack trace ---
   at Gateway.Policies.Identity.ActiveDirectory.Msal.MsalAadClient.d__12.MoveNext() in C:__w1sProxyGateway.Policies.IdentityActiveDirectoryMsalMsalAadClient.cs:line 147
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Configuration.Models.ManagedIdentityResolver.d__16.MoveNext() in C:__w1sProxyGateway.Policies.IdentityManagedIdentityResolver.cs:line 134'.",
        "[MSAL] Authentication failed for ClientId: 2ea6156a-a72f-4a7e-bbaa-8cb2f1002ad1 Certificate: D6E1D650CAFDC108F524C69055892889F1EEC9F1 AuthorizationUrl: https://login.windows.net/6147eb36-9fd8-4609-b472-1d18921607e3 resourceId: AD_application_id",
        "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope AD_application_id/.default is not valid. Trace ID: ad5bd488-f5e2-45e5-8d8c-d20acf1d0c00 Correlation ID: 211218e5-be38-457c-a6ed-0a321426bfeb Timestamp: 2024-09-18 14:03:52Z"
    ]
}
But I have no clue where to find the scope or how to set it, and I can't find any useful documentation. Has anyone had any luck with this?
1
You need to use client_id instead of client_id/.default in the resource of the authentication-managed-identity policy.
I am using the same policy with the given value in it.
<policies>
    <inbound>
        <base />
        <authentication-managed-identity resource="c2660*****878ea5" output-token-variable-name="msi-access-token" ignore-error="false" />
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
        </set-header>
    </inbound>
</policies>
I am getting the expected response.
1
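The AADSTS70011 error in the question and the fix in the answer come down to one attribute: `resource` on `<authentication-managed-identity>` must be the function app's Application (client) ID (the same GUID used as `audience` in the Logic App), because APIM itself appends `/.default` when it requests the token. The policy copied from the documentation still carried the literal placeholder `AD_application_id`, which is why the scope `AD_application_id/.default` was rejected. The following pre-deployment lint is an added example written for this thread, not Microsoft's or either poster's code; it parses a policy document with the standard library, flags a placeholder or a trailing `/.default` in `resource`, and checks that the `Authorization` header reads the same context variable the policy writes the token into. The GUID and the `api://` Application ID URI forms it accepts are the documented resource formats; the sample policies embedded below are constructed from the snippets in this thread.

```python
"""Lint an Azure API Management policy document before deploying it.

Added example for this thread (not Microsoft's or the posters' code). It checks
the things that produced the AADSTS70011 error: the `resource` attribute of
<authentication-managed-identity> must be the target app's Application (client)
ID (APIM appends /.default itself, so a placeholder such as AD_application_id or
a trailing /.default is wrong), and the Authorization header must read the same
variable the policy stores the token in. Standard library only.
"""
import re
import xml.etree.ElementTree as ET

# Application (client) IDs are GUIDs. Entra ID also accepts an Application ID
# URI (api://<client-id> or api://<verified-domain>/...) as the resource.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)
# Finds context.Variables["<name>"] references inside a policy expression.
VAR_REF_RE = re.compile(r'context\.Variables\["([^"]+)"\]')


def check_resource(resource: str) -> list[str]:
    """Return the problems with a `resource` attribute value; [] means it is OK."""
    problems = []
    if resource.endswith("/.default"):
        problems.append(
            f"resource {resource!r} ends with /.default; APIM adds that scope itself"
        )
        resource = resource[: -len("/.default")]
    if GUID_RE.match(resource) or (
        resource.startswith("api://") and len(resource) > len("api://")
    ):
        return problems
    problems.append(
        f"resource {resource!r} is neither a client ID GUID nor an api:// URI; "
        "it looks like an unreplaced placeholder"
    )
    return problems


def lint_policy(policy_xml: str) -> list[str]:
    """Return all findings for one <policies> document (empty list = clean)."""
    root = ET.fromstring(policy_xml)
    findings = []
    token_vars = set()
    for el in root.iter("authentication-managed-identity"):
        findings += check_resource(el.get("resource", ""))
        if el.get("ignore-error", "false").lower() == "true":
            findings.append(
                'ignore-error="true" lets the pipeline continue without a token '
                "when acquisition fails; the backend call must cope with that"
            )
        # Without output-token-variable-name APIM writes the token straight into
        # the Authorization header, so there is no variable to cross-check.
        var_name = el.get("output-token-variable-name")
        if var_name:
            token_vars.add(var_name)
    for el in root.iter("set-header"):
        if el.get("name", "").lower() != "authorization":
            continue
        refs = set(VAR_REF_RE.findall(el.findtext("value") or ""))
        if token_vars and not refs & token_vars:
            findings.append(
                f"Authorization header reads {sorted(refs)} but the token is "
                f"stored in {sorted(token_vars)}"
            )
    return findings


# Constructed from the thread's snippet: the placeholder was never replaced.
BROKEN_POLICY = """<policies>
  <inbound>
    <base />
    <authentication-managed-identity resource="AD_application_id"
        output-token-variable-name="msi-access-token" ignore-error="false" />
    <set-header name="Authorization" exists-action="override">
      <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
    </set-header>
  </inbound>
</policies>"""

# Same policy with the function app's client ID taken from the Logic App
# definition in the question.
FIXED_POLICY = BROKEN_POLICY.replace(
    "AD_application_id", "c0e13b97-14f1-430f-bdba-a9651502e8e4"
)

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy(doc) or "OK")
```

Run it as a script and the broken policy reports the placeholder while the fixed one comes back clean. Wire `lint_policy` into the pipeline that publishes policy XML and the copy-paste mistake from the question never reaches the gateway; the variable-name cross-check catches the related failure where the header expression and the policy disagree on where the token lives.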