If you are exposing an Azure APIM API, it must be secured.
If the API is meant to be called by another Azure service, securing it with managed identity authorization is the easiest way to comply with security standards.
In the below example, I have some API operations in an APIM api and want to hit those endpoints from azure data factory linked service.
In your case, the consumer application can be some other Azure service such as a Function, a Logic App, etc.
Let’s see how we can do it.
Step 1: Add Authorization policy in your apim
In your APIM API, at the All operations level, add the XML below to validate the Authorization header:

    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="@((string)context.LastError.Message)"
                  require-scheme="Bearer">
        <openid-config url="https://login.microsoftonline.com/{{tenantId}}/.well-known/openid-configuration" />
        <required-claims>
            <claim name="aud">
                <value>https://management.core.usgovcloudapi.net</value>
            </claim>
        </required-claims>
    </validate-jwt>
    <set-header id="apim-generated-policy" name="Authorization" exists-action="delete" />
Your All operations policy should look like the one below:

Here https://management.core.usgovcloudapi.net is the required value of the aud (audience) claim for the US Gov cloud. In the commercial Azure cloud (portal.azure.com) you can use https://management.azure.com/ instead.
In https://login.microsoftonline.com/{{tenantId}}/.well-known/openid-configuration, {{tenantId}} is a named value holding your Azure tenant ID. You can also hardcode the tenant ID in the URL, since a tenant ID seldom changes.
We added the policy at the All operations level because I wanted to secure every operation under that API with the same managed identity.
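To make it concrete what the policy above is checking, here is an added example (not part of the original post and not APIM's own code) that reproduces the same gate in plain Python: it requires the Bearer scheme, verifies the token signature, requires the aud claim to match the configured resource exactly, checks issuer and expiry, and finally deletes the Authorization header before the request is forwarded, just as the set-header policy does. The demo signs tokens with HMAC so it runs offline; real Azure AD tokens are RS256-signed and APIM fetches the verification keys from the OpenID configuration URL. The tenant ID, issuer and signing key are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. In APIM the audience comes from the policy XML and the
# issuer/keys come from the tenant's OpenID configuration document.
EXPECTED_AUDIENCE = "https://management.core.usgovcloudapi.net"
DEMO_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # hypothetical tenant
EXPECTED_ISSUER = f"https://sts.windows.net/{DEMO_TENANT_ID}/"
DEMO_KEY = b"constructed-demo-signing-key"  # stand-in for the tenant's RS256 public keys


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(audience, issuer=EXPECTED_ISSUER, lifetime=3600, now=None):
    """Build an HS256 token so the validator can be exercised offline.
    Only the signing algorithm differs from a real Azure AD access token."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": audience, "iss": issuer, "iat": now, "nbf": now, "exp": now + lifetime}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_authorization_header(header_value, expected_audience=EXPECTED_AUDIENCE,
                                  expected_issuer=EXPECTED_ISSUER, now=None):
    """Return (status_code, message); 200 means the token satisfies the policy."""
    now = time.time() if now is None else now
    if not header_value:
        return 401, "Authorization header missing"
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not token:          # require-scheme="Bearer"
        return 401, "Bearer scheme required"
    parts = token.split(".")
    if len(parts) != 3:
        return 401, "Malformed token"
    try:
        expected_sig = hmac.new(DEMO_KEY, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
            return 401, "Invalid signature"
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:                           # covers base64, UTF-8 and JSON errors
        return 401, "Malformed token"
    if now >= claims.get("exp", 0):
        return 401, "Token expired"
    if now < claims.get("nbf", 0):
        return 401, "Token not yet valid"
    if claims.get("iss") != expected_issuer:     # issuer from openid-config
        return 401, "Unexpected issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:       # required-claims aud, exact string match
        return 401, "Audience mismatch"
    return 200, "OK"


def gate_request(headers, **kwargs):
    """Apply the policy to an inbound request. On success the Authorization header is
    removed from the headers that would be forwarded (set-header exists-action="delete")."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    status, message = validate_authorization_header(auth, **kwargs)
    if status != 200:
        return status, message, {}
    forwarded = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return status, message, forwarded


if __name__ == "__main__":
    good = mint_demo_token(EXPECTED_AUDIENCE)
    print(gate_request({"Authorization": "Bearer " + good, "Host": "example.invalid"}))
    # A token for "https://management.core.usgovcloudapi.net/" (trailing slash) is rejected:
    print(gate_request({"Authorization": "Bearer " + mint_demo_token(EXPECTED_AUDIENCE + "/")}))
```

The audience comparison is an exact string match, which is why the consumer must request its token for precisely the URL configured in the claim (with or without the trailing slash, as shown in the next step).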
Step 2: Change the authentication type in the data factory linked service
Change the authentication type to managed identity in your data factory linked service, select the same URL as the AAD resource, and save.

Step 3: Test your service
Now test the copy activity that uses this linked service. You should see the response from your APIM API.

Hope it would be helpful.
Please let me know in case you face any difficulty in setting it up.