We have a user-assigned managed identity that is used by a Service Fabric Cluster to authenticate to various resources from the services deployed to the cluster. One of the use cases is to request access tokens to an API that we also own and protect with an AAD Application Registration, using the following code snippet, where the ResourceId parameter is the AAD Application Registration Client ID:
AppAuthenticationResult tokenResult;
try
{
    // resourceId is the Client ID of the protected API's AAD Application Registration
    tokenResult = await this.azureServiceTokenProvider.GetAuthenticationResultAsync(resourceId).ConfigureAwait(false);
}
catch (AzureServiceTokenProviderException)
{
    // MSI token acquisition failures (including the AADSTS501051 error quoted below) surface here
    throw;
}
This has worked fine, however we recently needed to disable guest access to the AAD Application Registration by turning ON the User Assignment Required property on the associated Enterprise Application. Doing this caused the above token requests to fail with the exception:
Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"error":"invalid_grant","error_description":"AADSTS501051Application '<Managed Identity Client ID GUID>'() is not assigned to a role for the application '<AAD Application Registration Client ID GUID>'
We have dug through the documentation, but can't seem to find how to assign an application role to the AAD Application from the Managed Identity. How is this intended to be accomplished?
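As an added example (not part of the original question), this Microsoft.Graph PowerShell script performs the assignment the question is asking about: it grants the managed identity's service principal an app role on the protected API's service principal, which is what the AADSTS501051 check requires once User Assignment Required is turned on. It assumes the API's App Registration already defines an app role whose allowedMemberTypes includes "Application"; the GUIDs and the role value are placeholders to be replaced with your own.

```powershell
# Added example: assign an app role on a protected API to a user-assigned managed identity.
# Placeholders (constructed for this example; replace with your own values):
$msiClientId = "<Managed Identity Client ID GUID>"
$apiClientId = "<AAD Application Registration Client ID GUID>"
$roleValue   = "<app role value defined in the API's manifest>"

# Creating app role assignments requires an account with these Graph permissions
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# Resolve both service principals from their application (client) IDs
$msiSp = Get-MgServicePrincipal -Filter "appId eq '$msiClientId'"
$apiSp = Get-MgServicePrincipal -Filter "appId eq '$apiClientId'"
if (-not $msiSp -or -not $apiSp) { throw "Could not resolve one of the service principals" }

# Pick the app role on the API that applications (not users) are allowed to hold
$appRole = $apiSp.AppRoles |
    Where-Object { $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains "Application" }
if (-not $appRole) { throw "App role '$roleValue' is not defined for applications on $apiClientId" }

# Create the assignment: principal = the managed identity, resource = the API's service principal
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msiSp.Id `
    -PrincipalId $msiSp.Id -ResourceId $apiSp.Id -AppRoleId $appRole.Id

# Verify: list the managed identity's assignments that target the API
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msiSp.Id |
    Where-Object { $_.ResourceId -eq $apiSp.Id } |
    Select-Object PrincipalDisplayName, ResourceDisplayName, AppRoleId
```

After the assignment exists, tokens issued to the managed identity for the API carry the role value in the roles claim, so the API can authorize on that claim rather than on the caller's identity alone. Keeping User Assignment Required on and granting one narrowly scoped role per calling identity is the least-privilege configuration here; the verification step at the end is also a useful periodic check for assignments that are no longer needed.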