Can this policy be used with clients which are connecting via Managed Identity?
I currently use the approach described here: https://notetoself.tech/2021/04/05/calling-api-management-from-azure-function-using-managed-identities/
i.e., Managed Identities are assigned a role against the application protecting the backend API.
# Assign the managed identity access to the app role.
New-AzureADServiceAppRoleAssignment -ObjectId $managedIdentityObjectId -Id $appRoleId -PrincipalId $managedIdentityObjectId -ResourceId $serverServicePrincipalObjectId
The roles claim is then checked by the validate-jwt policy:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid." require-scheme="Bearer">
    <openid-config url="https://login.microsoftonline.com/{{tenantID}}/v2.0/.well-known/openid-configuration" />
    <audiences>
        <audience>{{clientID}}</audience>
    </audiences>
    <issuers>
        <issuer>https://sts.windows.net/{{tenantID}}/</issuer>
    </issuers>
    <required-claims>
        <claim name="roles" match="any">
            <value>{{roleId}}</value>
        </claim>
    </required-claims>
</validate-jwt>
It's not clear how the client-application-ids should work with Managed Identity.
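As an added example (not code from the question, the linked post or the API Management product), the claim checks that the validate-jwt policy above performs, written out in Python and run against a constructed payload shaped like a managed identity's access token. The tenant, client and role values are placeholders, and the signature check that APIM performs against the keys from openid-config is assumed to have already passed.

```python
import base64
import json

# Constructed placeholders (not real tenant or application identifiers).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Mirrors the <validate-jwt> settings in the question: audiences, issuers and a
# required roles claim with match="any" (an "all" match is handled too).
POLICY = {
    "audiences": [API_CLIENT_ID],
    "issuers": [f"https://sts.windows.net/{TENANT_ID}/"],
    "required_claims": [{"name": "roles", "match": "any", "values": ["Api.Invoke"]}],
}

# Constructed payload shaped like a managed identity's token after the app role
# assignment: a roles claim is present, no scp or user claims.
MI_CLAIMS = {"aud": API_CLIENT_ID, "iss": POLICY["issuers"][0], "roles": ["Api.Invoke"]}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(payload: dict) -> str:
    # Constructed sample only: the signature segment is empty because these claim
    # checks run after APIM has verified the signature via <openid-config>.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."

def check_policy(auth_header: str, policy: dict) -> tuple[bool, str]:
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:  # require-scheme="Bearer"
        return False, "missing Bearer token"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if not set(aud) & set(policy["audiences"]):  # <audiences>
        return False, "audience not accepted"
    if claims.get("iss") not in policy["issuers"]:  # <issuers>
        return False, "issuer not accepted"
    for req in policy["required_claims"]:  # <required-claims>
        present = claims.get(req["name"], [])
        present = set(present if isinstance(present, list) else [present])
        if req["match"] == "any" and not present & set(req["values"]):
            return False, f"claim {req['name']} has no matching value"
        if req["match"] == "all" and not set(req["values"]) <= present:
            return False, f"claim {req['name']} is missing a required value"
    return True, "ok"
```

A managed identity token carries the assigned app role in the roles claim, so this is the claim the policy matches on; no client application id is involved in that check.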