
Azure: Secure Web API-to-Web API Authentication with Azure Managed Identity

Introduction

In this guide, we'll walk through setting up two Azure Web App Services (App1 and App2), enabling a system-assigned managed identity on App1, registering App2 in the directory with an exposed API and an app role, and deploying both applications. App1 then obtains a token for App2 from its managed identity (no client secret or certificate to store or rotate), and App2 authorizes the call by checking the app role carried in that token.

Prerequisites

Before starting, ensure you have:

  • An Azure Subscription with appropriate permissions.
  • Visual Studio installed (for deployment).
  • Basic understanding of Azure Managed Identity and App Registrations.

Step 1. Creating App1 Web App Service.

  1. Navigate to Azure Portal and create a new Web App Service (App1) under your desired Resource Group.
  2. Enable System-Assigned Managed Identity.
    • Go to App1 Web App Service → Settings → Identity → System assigned.
    • Set Status to On and save. Note the Object (principal) ID shown here; it is used in Step 8.
    • The identity also has an application (client) ID, visible under Enterprise applications (filter on Managed Identities). Step 7 needs that client ID, not the object ID.


Step 2. Creating App2 Web App Service.

  1. Create a second Web App Service (App2) under the same Resource Group.
  2. Register App2 in Azure Active Directory (now Microsoft Entra ID).
    • Go to Azure AD → App Registrations → New registration.
    • Give it a name, add a redirect URI only if users will sign in interactively (App1's managed identity does not need one), and register App2. Note the Application (client) ID.

Step 3. Exposing an API in App2.

  1. Open App2 App Registration.
  2. Go to Expose an API.
  3. Under Application ID URI, click Add. By default the value is api://<App2 client ID>; accept it or set your own, then save it. This URI is the audience (aud) App1 will request a token for, and it is what App2 must accept as a valid audience.

Step 4. Defining API Scope in App2.

  1. In Expose an API, click "Add a Scope".
  2. Provide:
    • Scope Name: e.g., App2.Read or App2.FullAccess.
    • Who can consent? Set Admins Only.
    • Descriptions: Enter meaningful descriptions for Admin and User consent.
    • State: Set to Enabled.
  3. Click Add Scope.

Scopes are delegated permissions and only appear in tokens issued on behalf of a signed-in user. A managed identity authenticates as an application (client credentials), so its tokens carry app roles (Step 5), not scopes. This step is therefore only needed if users will also call App2 directly.


Step 5. Creating App Roles for App2.

  1. Navigate to App Roles under App2 App Registration.
  2. Define a new Role.
    • Display Name: Provide a meaningful name.
    • Allowed Member Types: Select Applications (the role is assigned to App1's service principal, not to users).
    • Value: The string that will appear in the roles claim of App1's token, e.g. App2.Access. App2's authorization check (Step 11) compares against this exact value.
    • Description: Explain what the role permits.
    • Enable the role and apply changes.


Step 6. (Optional) Assigning Azure RBAC Access to App1 using IAM.

The original version of this step granted App1's managed identity the Contributor role on App2 through Access Control (IAM). Be clear about what that does: an Azure RBAC assignment on the App Service resource is control-plane authorization (it lets App1 read and change App2's configuration, restart it, and so on). It has no effect on whether App1 can call App2's API. Neither App Service authentication (Step 7) nor the JWT middleware in App2 (Step 11) consults Azure RBAC; they evaluate the bearer token, and the authorization in that token comes from the app role assignment in Step 8.

If App1 does need to manage App2's Azure resource, assign it the narrowest role that covers that need rather than Contributor:

  1. Open App2 → Access Control (IAM) → Role Assignments → Add Role Assignment.
  2. Under Roles, select the least-privileged role required (Contributor is almost always more than needed).
  3. Click Next.
  4. Under Members:
    • Choose "Assign access to: Managed Identity".
    • Select App1 Managed Identity.
  5. Click Review + Assign.

For App1 to call App2's API, skip this step; the app role assignment in Step 8 is what is required.

Step 7. Setting Up Authentication for App2.

  1. Navigate to App2 → Settings → Authentication.
  2. Click "Add Identity Provider".
  3. Configure:
    • Identity Provider: Select Microsoft.
    • App Registration Type: Pick Existing App Registration.
    • Name or App ID: Select App2.
    • Client Secret Expiration: Choose a suitable value. The secret is only used for interactive user sign-in; App1's managed-identity tokens do not depend on it.
    • Issuer URL: Remove v2.0 if present. Tokens that a managed identity obtains for App2 are v1.0 tokens unless App2's manifest sets accessTokenAcceptedVersion to 2, and v1.0 tokens carry the issuer https://sts.windows.net/<tenant-id>/. Removing the /v2.0 suffix makes the configured issuer match that iss claim; otherwise every call from App1 fails with 401.
    • Client Application Requirement: Prefer "Allow requests from specific client applications" and enter the application (client) ID of App1's managed identity (see Step 1; this is the client ID, not the object ID). This rejects tokens from any other application in the tenant before they reach your code.
    • Restrict Access: Set to Require Authentication.
    • Token Store: Enable. This is optional for an API that only receives tokens; it matters only if App2 itself needs to reuse the caller's tokens.
  4. Click Add.

Once the identity provider has been added, edit it and under "Allowed Token Audiences" add App2's Application ID URI from Step 3 (api://...). App Service accepts App2's client ID as an audience by default, but App1 requests a token for the api:// URI, so without this entry those tokens are rejected even though they were issued for App2.


Step 8. Assigning App Roles via PowerShell.

Run the following PowerShell commands. They require the Az.Websites and Microsoft.Graph modules, and the signed-in account must be allowed to create app role assignments (for example Cloud Application Administrator).

# Parameters
$tenantId               = 'your-tenant-id'
$webAppName             = 'App1-WebAppService-Name'
$resourceGroupName      = 'App1-ResourceGroup-Name'
$serverApplicationId    = 'App2-AppRegistration-ClientId'   # client (application) ID of App2; display names are not unique, so do not look the app up by name
$appRoleName            = 'App2-RoleValue'                  # the Value given to the app role in Step 5

# Login to Azure Resource Manager and read App1's system-assigned identity (its object/principal ID)
Connect-AzAccount -TenantId $tenantId | Out-Null
$managedIdentityObjectId = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName).Identity.PrincipalId
if (-not $managedIdentityObjectId) { throw "System-assigned identity is not enabled on $webAppName (Step 1)." }

# Login to Microsoft Graph with only the permissions this script needs
Connect-MgGraph -TenantId $tenantId -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

# Get the service principal (enterprise application) of App2 by its client ID
$serverServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$serverApplicationId'"
if (-not $serverServicePrincipal) { throw "No service principal found for appId $serverApplicationId." }
$serverServicePrincipalObjectId = $serverServicePrincipal.Id

# Get the ID of the app role defined in Step 5
$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object { $_.Value -eq $appRoleName }).Id
if (-not $appRoleId) { throw "App role '$appRoleName' not found on App2." }

# Assign the app role to App1's managed identity (this is what puts the roles claim into App1's tokens for App2)
New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $serverServicePrincipalObjectId `
    -PrincipalId $managedIdentityObjectId `
    -ResourceId $serverServicePrincipalObjectId `
    -AppRoleId $appRoleId

This assignment is what causes tokens issued to App1 for App2's audience to carry a roles claim containing the role's Value. Without it, App1 can still obtain a token for api://<App2>/.default, but that token has no roles claim and App2 must refuse it.

After running these commands, verify the assignment under Enterprise applications → App2 → Users and groups (App1's managed identity should be listed with the role), or with Get-MgServicePrincipalAppRoleAssignedTo against App2's service principal.

The assignment takes effect in the directory immediately, but App1 may keep receiving tokens without the roles claim for up to 24 hours. The managed identity infrastructure caches tokens per resource URI for around 24 hours, so a token that App1 obtained before the assignment is served from that cache until it expires; the cache lives in the platform, not in the app, so redeploying or restarting App1 does not clear it. If possible, make the assignment before App1 requests its first token for App2.

Reference: https://learn.microsoft.com/en-us/answers/questions/1499652/how-long-takes-to-update-all-azure-components-to-b

In the meantime, the assignment itself can be confirmed in the Entra ID audit logs (activity "Add app role assignment to service principal").

Step 9. Deploying App1 and App2.

  1. Develop two applications in Visual Studio.
  2. Deploy App1 and App2 to their respective Azure App Services.

Step 10. Configuring API Calls in App1.

Install the required NuGet packages:

  • Azure.Identity (provides DefaultAzureCredential and ManagedIdentityCredential; this is all the code below uses)
  • Microsoft.Identity.Client (pulled in as a dependency of Azure.Identity; no direct use is needed for managed identity)

Modify appsettings.json. BaseUrl is the HTTPS URL of the App2 endpoint App1 calls; AppId is App2's Application (client) ID, which also forms the default Application ID URI api://<AppId> from Step 3.

"CommonApi": {
  "BaseUrl": "https://app2/WeatherForecast",
  "AppId": "your-app2-client-id"
}

Add authentication code. The fields _commonApiBaseUrl and _commonApiAppId are read from the CommonApi section above, and _httpClient is a long-lived HttpClient (for example from IHttpClientFactory).

using Azure.Core;
using Azure.Identity;
using System.Net.Http.Headers;

private async Task<string> CallApp2Async()
{
    try
    {
        // On App Service, DefaultAzureCredential resolves to App1's system-assigned managed identity.
        // In production, new ManagedIdentityCredential() avoids probing the other credential sources.
        var credential = new DefaultAzureCredential();

        // Request a token for App2's Application ID URI (Step 3). "/.default" asks for the
        // application permissions (app roles) that were assigned to App1 in Step 8.
        var scopes = new[] { $"api://{_commonApiAppId}/.default" };
        AccessToken accessTokenResult = await credential.GetTokenAsync(new TokenRequestContext(scopes));

        // Attach the bearer token per request instead of mutating _httpClient.DefaultRequestHeaders:
        // default headers on a shared HttpClient are not safe to change concurrently.
        using var request = new HttpRequestMessage(HttpMethod.Get, _commonApiBaseUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessTokenResult.Token);

        using HttpResponseMessage response = await _httpClient.SendAsync(request);

        // 401 means App2 rejected the token (issuer or audience); 403 means the token was valid
        // but did not carry the required app role (Step 8 not done, or a cached pre-assignment token).
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
    catch (Exception ex)
    {
        // Log and rethrow; swallowing the exception would silently hand the caller a null result.
        Console.WriteLine(ex.Message);
        throw;
    }
}

Verify that the token contains a roles claim with the Value from Step 5. A JWT payload is base64url-encoded JSON, so decode it locally (for example with JwtSecurityTokenHandler.ReadJwtToken from System.IdentityModel.Tokens.Jwt, or a one-line base64url decode of the middle segment) rather than pasting a token from a real environment into https://jwt.io/ or another third-party site: until it expires, that token is a working credential for App2. While inspecting it, also confirm aud is App2's Application ID URI (or client ID) and iss is https://sts.windows.net/<tenant-id>/ for a v1.0 token, which is why Step 7 removed v2.0 from the issuer URL.

If roles is missing, the usual causes are: the app role assignment in Step 8 did not succeed (check Enterprise applications → App2 → Users and groups), the scope requested was not .default on App2's Application ID URI, or App1 is still receiving a token cached before the assignment (up to 24 hours, see Step 8).

Step 11. Setting Up JWT Authentication in App2.

Install

  • Microsoft.AspNetCore.Authentication.JwtBearer
  • Microsoft.Identity.Web

Modify appsettings.json in App2.

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "TenantId": "your-tenant-id",
  "ClientId": "your-app2-client-id",
  "Audience": "api://your-app2-client-id"
}
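The appsettings.json section above configures token validation but the article does not show the startup code that applies it, nor the authorization check on the roles claim. The following Program.cs is an added example, not code from the original article: it wires Microsoft.Identity.Web into the JWT bearer pipeline using the AzureAd section and requires the app role on the endpoint App1 calls. It assumes .NET minimal hosting and an app role whose Value is App2.Access (a hypothetical value; substitute the Value you set in Step 5).

```csharp
// Program.cs for App2 (added example; not from the original article).
// Assumptions: the "AzureAd" section from appsettings.json above, and an app role
// whose Value is "App2.Access" (hypothetical; use the Value you defined in Step 5).
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Microsoft.Identity.Web validates the bearer token's signature (tenant signing keys),
// issuer (TenantId), audience (Audience/ClientId) and lifetime from the AzureAd section.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

const string RequiredAppRole = "App2.Access"; // hypothetical role Value from Step 5

builder.Services.AddAuthorization(options =>
{
    // A valid token only proves the caller is an application in this tenant that asked
    // for App2's audience; it does not prove it was granted anything. Require the app
    // role, which only appears in the token after the assignment in Step 8. The claim is
    // checked under both its raw JWT name and the mapped .NET role claim type, so the
    // check holds whichever way the handler's inbound claim mapping is configured.
    options.AddPolicy("App2Caller", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => ctx.User.Claims.Any(c =>
            (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == RequiredAppRole)));

    // Deny by default: any endpoint without an explicit policy still needs a valid token.
    options.FallbackPolicy = options.DefaultPolicy;
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// The endpoint App1 calls (its BaseUrl in the article ends in /WeatherForecast).
app.MapGet("/WeatherForecast", (ClaimsPrincipal user) =>
{
    // Record which application called: "appid" in v1.0 tokens, "azp" in v2.0 tokens.
    var callerAppId = user.FindFirst("appid")?.Value ?? user.FindFirst("azp")?.Value;
    return Results.Ok(new { caller = callerAppId, forecast = new[] { "sunny", "cloudy" } });
}).RequireAuthorization("App2Caller");

app.Run();
```

With this in place a request with no token or a token for another audience or issuer is answered 401 by the authentication handler, and a valid App2 token without the App2.Access role is answered 403 by the policy, which is the signal that Step 8 has not taken effect yet. App Service authentication from Step 7 sits in front of this code as a second layer; keeping both means a misconfiguration of one does not open the API. As further defence in depth, set "Assignment required?" to Yes on App2's enterprise application so that the directory refuses to issue tokens for App2 to applications that have no app role assigned at all.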

Conclusion

By following these steps, App1 authenticates to App2 with its system-assigned managed identity (no secret or certificate to store or rotate), App2 validates the issuer, audience and signature of the token, and access is decided by the Azure AD app role carried in the roles claim.

The trust boundary in this design is App2's check of that claim: any application in the tenant can request a token for App2's audience, so a token alone must never be treated as authorization. Together with restricting App Service authentication to App1's client ID (Step 7) and, optionally, requiring assignment on App2's enterprise application, this gives secure inter-application communication with authorization handled by the identity platform rather than by shared credentials.