I have 2 Azure AD applications say Client-App and Server-App in Azure AD App registrations.
Server AD Application:
- Registered a new App in Azure AD.
- Set up App Roles with name "Search.Address" which is custom role.
Client AD Application:
- Registered a new App in Azure AD.
- API Permissions: Added the role "Search.Address" created in
server-appregistration is exposed as an Application Permissions inclient app. - Granted Admin access successfully.
I have client Function App created with .NET stack and enabled system managed identity which is associated with Client-App. Client function app runs code to get an access token using ManagedIdentityCredential.
Token is successfully created but role "Search.Address" is missing.
I tried Client-App exposing as an API. But in no vain.
Does Managed identity have any permission to talk to server? How I can assign that using approleassignment ?
public static class Function1
{
[FunctionName("Function1")]
public static async Task<IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("C# HTTP trigger function processed a request.");
string name = req.Query["name"];
string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
dynamic data = JsonConvert.DeserializeObject(requestBody);
name = name ?? data?.name;
string responseMessage = string.Empty;
try
{
var credential = new ManagedIdentityCredential();
var accessToken = await credential.GetTokenAsync(new TokenRequestContext(scopes: new string[] { "SERVERAPP_ClientID/.default" }) { });
responseMessage = string.IsNullOrEmpty(name)
? "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."
: $"Hello, {name}. Your Token: {accessToken.Token}";
}
catch (Exception ex)
{
log.LogError(ex.Message+ex.InnerException.Message);
}
return new OkObjectResult(responseMessage);
}
}
Reference:
